iViZ Security

Security Advisories

ClamAV LZH unpacking segmentation fault

Synopsis

Clamav uses an external unpacker, which can be deterministically crashed, when processing corrupted LZH files.

Affected Software

ClamAV 0.93.3 and prior

Non Affected Software

ClamAV 0.94 and newer

Impact

Remote DoS, possibly remote code execution.

Vendor Response

"Support for external unpackers has been dropped in 0.94 for security issues"

Credits

This vulnerability was discovered by Security Researcher Jonathan Brossard from iViZ Techno Solutions Pvt. Ltd.

Disclosure Timeline

First private disclosure to vendor on October 14th 2008
First vendor reply on October 15th 2008 : issue fixed.



Back to Security Advisories