iViZ Security

Security Advisories

Avast antivirus for Linux multiple vulnerabilities.

Synopsis

Multiple buffer overflows were discovered in the GNU/Linux version of Avast when analyzing corrupted ISO and RPM files.

Affected Software

Avast for Workstations v1.0.8 Trial versions, possibly others.

Impact

Remove DoS, possibly remote code execution.

Vendor Response

On September 24th 2008, the vendor stated : "With (the) mentioned version of avast4workstation 1.0.8_2, indeed, this bug existed. It was a stack-overflow, caused by cycling over intertwined directories on corrupted ISO files. All versions built since 22.1.2008 have this fixed. Thanks for your report."

Credits

This vulnerability was discovered by Security Researcher Jonathan Brossard from iViZ Techno Solutions Pvt. Ltd.

Disclosure Timeline

First private disclosure to vendor on September 18th 2008.
First vendor reply on September 19th 2008.
On September 23th 2008, the vendor claims to have fixed the problem : "my colleague identified the problem few minutes ago as a bug which was fixed 22. Jan 2008."
On October 15th 2008, the vulnerable trial version link hasn't been updated: http://download664.avast.com/files/linux/avast4workstation_1.0.8-2_i386.deb



Back to Security Advisories