[Full-disclosure] clamav: Endless loop / hang with crafter arj, CVE-2008-1387



Advisory published at:
http://int21.de/cve/CVE-2008-1387-clamav.html

clamav: Endless loop / hang with crafter arj, CVE-2008-1387

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1387
http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
http://www.cert.fi/haavoittuvuudet/joint-advisory-archive-formats.html

Description

CERT-FI published an advisory with a large number of samples of crafted
archives.
The file with the md5sum b6046d890e6bd304e3756c88b989559a (named
b6046d890e6bd304e3756c88b989559a.arj) hangs clamav with high load.

If you're running clamav on a mailserver, an attacker can DoS your Server
remotely by sending some mails with the archive attached.

Workaround/Fix

clamav 0.93 fixes this issue beside other security issues, if you're running
clamav you should upgrade as soon as possible.

Disclosure Timeline

2008-03-17 CERT-FI publishes advisory
2008-03-26 Vendor contacted
2008-03-27 Vendor approves issue
2008-04-14 Vendor releases 0.93
2008-04-16 Advisory published

CVE Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2008-1387 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org/), which standardizes names for security problems.

Credits and copyright

This vulnerability was discovered by Hanno Boeck of schokokeks.org webhosting.
It's licensed under the creative commons attribution license.

Hanno Boeck, 2008-04-16, http://www.hboeck.de
--
Hanno Böck Blog: http://www.hboeck.de/
GPG: 3DBD3B20 Jabber/Mail: hanno@xxxxxxxxx

Attachment: signature.asc
Description: This is a digitally signed message part.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: Thoughts about finding viruses in email inboxes
    ... I'm not having trouble with clamav telling me what FILE a virus is in. ... David, BitDefender for Unices, at least on POP3 mailbox files, will tell you the exact msg number, the subject of the email, and the time stamp on the emailwithin the file. ... I happen to know exactly what the trojan signatures were/are in the archived email file as they were emails that I had sent/received regarding that particular Iframe exploit, so there was no false positive. ... I accidentally lost the reply you added after this, but I read it in the archives. ...
    (Ubuntu)
  • clamav: Endless loop / hang with crafter arj, CVE-2008-1387
    ... archives. ... If you're running clamav on a mailserver, an attacker can DoS your Server ... 2008-03-27 Vendor approves issue ... CVE Information ...
    (Bugtraq)
  • Re: clean up virus from sendmail list file
    ... html pages from the archives and all viruses are extracted again. ... there a way to clean the archive? ... use formail to split the mail box in to individual messages out to StdOut and run that in to StdIn of ClamAV. ...
    (comp.mail.sendmail)
  • Re: clean up virus from sendmail list file
    ... html pages from the archives and all viruses are extracted again. ... there a way to clean the archive? ... I tried using clamav but the -- ... Concatenate the StdOut of ClamAV in to a new archive. ...
    (comp.mail.sendmail)
  • [Full-disclosure] clamav: Crash with crafted chm, CVE-2008-1389
    ... A fuzzing test showed weakness in the chm parser of clamav, ... CVE Information ...
    (Full-Disclosure)