Security Advisories
Avast antivirus for Linux multiple vulnerabilities.
Synopsis
Multiple buffer overflows were discovered in the GNU/Linux
version of Avast when analyzing corrupted ISO and RPM files.
Affected Software
Avast for Workstations v1.0.8 Trial versions, possibly others.
Impact
Remote DoS, possibly remote code execution.
Vendor Response
On September 24th 2008, the vendor stated:
"With (the) mentioned version of avast4workstation 1.0.8_2, indeed,
this bug existed. It was a stack-overflow, caused by cycling over
intertwined directories on corrupted ISO files. All versions built
since 22.1.2008 have this fixed. Thanks for your report."
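The vendor's description points at a directory walk that never terminates on a corrupted image. As an added illustration (not Avast's code and not part of the advisory), the C example below walks a directory graph with an explicit bounded stack and rejects any extent that is entered twice; the struct layout, the limits and the sample images are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_DIRS  64  /* assumed cap on directories per image */
#define MAX_DEPTH 8   /* assumed cap on nesting depth */
#define MAX_KIDS  4   /* assumed cap on subdirectories per directory */
enum { WALK_OK = 0, WALK_CYCLE = -1, WALK_TOO_DEEP = -2, WALK_BAD_REF = -3, WALK_TOO_MANY = -4 };

/* Simplified stand-in for a parsed directory: its extent and its child directory extents. */
struct dir { uint32_t lba; uint32_t kids[MAX_KIDS]; size_t nkids; };
struct image { const struct dir *dirs; size_t ndirs; };
static const struct dir *find_dir(const struct image *img, uint32_t lba) {
    for (size_t i = 0; i < img->ndirs; i++)
        if (img->dirs[i].lba == lba) return &img->dirs[i];
    return NULL;
}

/* Iterative walk: explicit bounded stack, and every extent may be entered once only. */
int walk_image(const struct image *img, uint32_t root, size_t *count) {
    uint32_t seen[MAX_DIRS];
    struct { uint32_t lba; unsigned depth; } stack[MAX_DIRS];
    size_t nseen = 0, top = 0;
    seen[nseen++] = root;
    stack[top].lba = root; stack[top++].depth = 0;
    while (top > 0) {
        uint32_t lba = stack[--top].lba;
        unsigned depth = stack[top].depth;
        const struct dir *d = find_dir(img, lba);
        if (!d || d->nkids > MAX_KIDS) return WALK_BAD_REF;   /* dangling or malformed entry */
        for (size_t i = 0; i < d->nkids; i++) {
            if (depth + 1 > MAX_DEPTH) return WALK_TOO_DEEP;
            for (size_t j = 0; j < nseen; j++)
                if (seen[j] == d->kids[i]) return WALK_CYCLE; /* repeated extent: corrupt image */
            if (nseen == MAX_DIRS) return WALK_TOO_MANY;
            seen[nseen++] = d->kids[i];
            stack[top].lba = d->kids[i]; stack[top++].depth = depth + 1;
        }
    }
    *count = nseen;
    return WALK_OK;
}

/* Constructed samples: a clean tree, and an image where 30 and 40 list each other. */
static const struct dir clean_dirs[]  = { {20, {30, 40}, 2}, {30, {50}, 1}, {40, {0}, 0}, {50, {0}, 0} };
static const struct dir cyclic_dirs[] = { {20, {30}, 1}, {30, {40}, 1}, {40, {30}, 1} };

int main(void) {
    struct image ok = { clean_dirs, 4 }, bad = { cyclic_dirs, 3 }; size_t n = 0;
    return (walk_image(&ok, 20, &n) == WALK_OK && walk_image(&bad, 20, &n) == WALK_CYCLE) ? 0 : 1;
}
```

Because each extent is pushed at most once, the explicit stack can never hold more than `MAX_DIRS` entries, so a hostile image cannot drive memory use past a fixed bound.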
Credits
This vulnerability was discovered by Security Researcher
Jonathan Brossard from iViZ Techno Solutions Pvt. Ltd.
Disclosure Timeline
First private disclosure to vendor on September 18th 2008.
First vendor reply on September 19th 2008.
On September 23rd 2008, the vendor claims to have fixed the problem:
"my colleague identified the problem few minutes ago as a bug which was
fixed 22. Jan 2008."
On October 15th 2008, the vulnerable trial version link hasn't been updated:
http://download664.avast.com/files/linux/avast4workstation_1.0.8-2_i386.deb