OPSA_20060114: clamav -- heap overflow in the UPX code

Robert Nagy
| OpenBSD Package Security Advisory                         OPSA 20060114-0

Short description
clamav -- heap overflow in the UPX code

Affected packages linked to affected branches
clamav < 0.88 ----------> HEAD (OpenBSD -current)
clamav < 0.88 ----------> OPENBSD_3_8 (OpenBSD 3.8)
clamav < 0.88 ----------> OPENBSD_3_7 (OpenBSD 3.7)

Detailed description
A vulnerability has been reported in ClamAV
which can potentially be exploited by malicious
people, with an as yet unknown impact.
The vulnerability is caused by an unspecified
boundary error in "libclamav/upx.c".
This can potentially be exploited to cause a heap-based
buffer overflow via a specially crafted UPX-packed file.
   a) You can update your ports tree via CVS described at
      Then you can recompile the port and reinstall it.
      (Please be careful to use the correct CVS branch)
   b) You can install the fixed package from our FTP servers
      $ pkg_add -r ftp://ftp.openbsd.org/\
      (Please be careful to use the correct release.)
      (Note: We only provide fixed packages for i386.
       You will need to recompile from the ports tree
       if you use a different architecture.)
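   As an added check that is not part of the advisory, the POSIX sh
   snippet below flags installed clamav packages older than the fixed
   version 0.88 named above. The package listing is a constructed stand-in
   for pkg_info output, and the function names (pkg_version, version_lt,
   affected_packages) and variables are my own.

```sh
#!/bin/sh
# Added example (not from the advisory): flag installed clamav packages
# older than the fixed version 0.88. The listing below is a constructed
# stand-in for pkg_info output; in practice feed the real listing.
FIXED_VERSION="0.88"
SAMPLE_PKG_LIST='clamav-0.87.1p0  virus scanner
clamav-0.88      virus scanner
zsh-4.2.6        Z shell'

# Extract the upstream version from an OpenBSD package name:
# clamav-0.87.1p0 -> 0.87.1 (drops the pN revision and any -flavor suffix)
pkg_version() {
    v=${1#clamav-}
    v=${v%%p[0-9]*}
    v=${v%%-*}
    printf '%s\n' "$v"
}

# version_lt A B: succeeds (returns 0) when dotted version A < B,
# comparing component by component and treating missing parts as 0.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai:-0}; bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # equal, so not less-than
}

# Print every clamav package in the listing that the advisory covers.
affected_packages() {
    printf '%s\n' "$1" | while read -r pkg _desc; do
        case $pkg in clamav-*) ;; *) continue ;; esac
        if version_lt "$(pkg_version "$pkg")" "$FIXED_VERSION"; then
            printf '%s\n' "$pkg"
        fi
    done
}

affected_packages "$SAMPLE_PKG_LIST"
```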

| If you have any problem, feel free to write to the OpenBSD ports mailing
| list. Please visit http://www.openbsd.org/mail.html for more information
| about our mailing lists.