Security Advisories
ClamAV LZH unpacking segmentation fault
Synopsis
ClamAV uses an external unpacker that can be deterministically crashed
when processing corrupted LZH files.
Affected Software
ClamAV 0.93.3 and prior
Non Affected Software
ClamAV 0.94 and newer
Impact
Remote DoS, possibly remote code execution.
Vendor Response
"Support for external unpackers has been dropped in 0.94 for security issues"
Credits
This vulnerability was discovered by Security Researcher
Jonathan Brossard from iViZ Techno Solutions Pvt. Ltd.
Disclosure Timeline
First private disclosure to vendor on October 14th 2008
First vendor reply on October 15th 2008: issue fixed.