Vulnerabilities > CVE-2007-3123 - Unspecified vulnerability in Clam Anti-Virus Clamav
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN clam-anti-virus
nessus
Summary
unrar.c in libclamav in ClamAV before 0.90.3 and 0.91 before 0.91rc1 allows remote attackers to cause a denial of service (core dump) via a crafted RAR file with a modified vm_codesize value, which triggers a heap-based buffer overflow.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 6 |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1320.NASL description Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-2650 It was discovered that the OLE2 parser can be tricked into an infinite loop and memory exhaustion. - CVE-2007-3023 It was discovered that the NsPack decompression code performed insufficient sanitising on an internal length variable, resulting in a potential buffer overflow. - CVE-2007-3024 It was discovered that temporary files were created with insecure permissions, resulting in information disclosure. - CVE-2007-3122 It was discovered that the decompression code for RAR archives allows bypassing a scan of a RAR archive due to insufficient validity checks. - CVE-2007-3123 It was discovered that the decompression code for RAR archives performs insufficient validation of header values, resulting in a buffer overflow. last seen 2020-06-01 modified 2020-06-02 plugin id 25586 published 2007-06-27 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/25586 title Debian DSA-1320-1 : clamav - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1320. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(25586); script_version("1.20"); script_cvs_date("Date: 2019/08/02 13:32:20"); script_cve_id("CVE-2007-2650", "CVE-2007-3023", "CVE-2007-3024", "CVE-2007-3025", "CVE-2007-3122", "CVE-2007-3123"); script_xref(name:"DSA", value:"1320"); script_name(english:"Debian DSA-1320-1 : clamav - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-2650 It was discovered that the OLE2 parser can be tricked into an infinite loop and memory exhaustion. - CVE-2007-3023 It was discovered that the NsPack decompression code performed insufficient sanitising on an internal length variable, resulting in a potential buffer overflow. - CVE-2007-3024 It was discovered that temporary files were created with insecure permissions, resulting in information disclosure. - CVE-2007-3122 It was discovered that the decompression code for RAR archives allows bypassing a scan of a RAR archive due to insufficient validity checks. - CVE-2007-3123 It was discovered that the decompression code for RAR archives performs insufficient validation of header values, resulting in a buffer overflow." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-2650" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-3023" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-3024" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-3122" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-3123" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-3024" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2007/dsa-1320" ); script_set_attribute( attribute:"solution", value: "Upgrade the clamav packages. An updated package for oldstable/powerpc is not yet available. It will be provided later. For the oldstable distribution (sarge) these problems have been fixed in version 0.84-2.sarge.17. Please note that the fix for CVE-2007-3024 hasn't been backported to oldstable. For the stable distribution (etch) these problems have been fixed in version 0.90.1-3etch1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:clamav"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0"); script_set_attribute(attribute:"patch_publication_date", value:"2007/06/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/06/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"clamav", reference:"0.84-2.sarge.17")) flag++; if (deb_check(release:"3.1", prefix:"clamav-base", reference:"0.84-2.sarge.17")) flag++; if (deb_check(release:"3.1", prefix:"clamav-daemon", reference:"0.84-2.sarge.17")) flag++; if (deb_check(release:"3.1", prefix:"clamav-docs", reference:"0.84-2.sarge.17")) flag++; if (deb_check(release:"3.1", prefix:"clamav-freshclam", reference:"0.84-2.sarge.17")) flag++; if (deb_check(release:"3.1", prefix:"clamav-milter", reference:"0.84-2.sarge.17")) flag++; if (deb_check(release:"3.1", prefix:"clamav-testfiles", reference:"0.84-2.sarge.17")) flag++; if (deb_check(release:"3.1", prefix:"libclamav-dev", reference:"0.84-2.sarge.17")) flag++; if (deb_check(release:"3.1", prefix:"libclamav1", reference:"0.84-2.sarge.17")) flag++; if (deb_check(release:"4.0", prefix:"clamav", reference:"0.90.1-3etch3")) flag++; if (deb_check(release:"4.0", prefix:"clamav-base", reference:"0.90.1-3etch3")) flag++; if (deb_check(release:"4.0", prefix:"clamav-daemon", reference:"0.90.1-3etch3")) flag++; if (deb_check(release:"4.0", prefix:"clamav-dbg", reference:"0.90.1-3etch3")) flag++; if (deb_check(release:"4.0", prefix:"clamav-docs", reference:"0.90.1-3etch3")) flag++; if (deb_check(release:"4.0", prefix:"clamav-freshclam", reference:"0.90.1-3etch3")) flag++; if (deb_check(release:"4.0", prefix:"clamav-milter", reference:"0.90.1-3etch3")) flag++; if (deb_check(release:"4.0", prefix:"clamav-testfiles", reference:"0.90.1-3etch3")) flag++; if (deb_check(release:"4.0", prefix:"libclamav-dev", reference:"0.90.1-3etch3")) flag++; if (deb_check(release:"4.0", prefix:"libclamav2", reference:"0.90.1-3etch3")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2007-115.NASL description A vulnerability in the OLE2 parser in ClamAV was found that could allow a remote attacker to cause a denial of service via resource consumption with a carefully crafted OLE2 file. Other vulnerabilities and bugs have also been corrected in 0.90.3 which is being provided with this update. last seen 2020-06-01 modified 2020-06-02 plugin id 25432 published 2007-06-05 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25432 title Mandrake Linux Security Advisory : clamav (MDKSA-2007:115) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200706-05.NASL description The remote host is affected by the vulnerability described in GLSA-200706-05 (ClamAV: Multiple Denials of Service) Several vulnerabilities were discovered in ClamAV by various researchers: Victor Stinner (INL) discovered that the OLE2 parser may enter in an infinite loop (CVE-2007-2650). A boundary error was also reported by an anonymous researcher in the file unsp.c, which might lead to a buffer overflow (CVE-2007-3023). The file unrar.c contains a heap-based buffer overflow via a modified vm_codesize value from a RAR file (CVE-2007-3123). The RAR parsing engine can be bypassed via a RAR file with a header flag value of 10 (CVE-2007-3122). The cli_gentempstream() function from clamdscan creates temporary files with insecure permissions (CVE-2007-3024). Impact : A remote attacker could send a specially crafted file to the scanner, possibly triggering one of the vulnerabilities. The two buffer overflows are reported to only cause Denial of Service. This would lead to a Denial of Service by CPU consumption or a crash of the scanner. The insecure temporary file creation vulnerability could be used by a local user to access sensitive data. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 25534 published 2007-06-18 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/25534 title GLSA-200706-05 : ClamAV: Multiple Denials of Service NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_903654BD192711DCB8A002E0185F8D72.NASL description Clamav had been found vulnerable to multiple vulnerabilities : - Improper checking for the end of an buffer causing an unspecified attack vector. - Insecure temporary file handling, which could be exploited to read sensitive information. - A flaw in the parser engine which could allow a remote attacker to bypass the scanning of RAR files. - A flaw in libclamav/unrar.c which could cause a remote Denial of Service (DoS) by sending a specially crafted RAR file with a modified vm_codesize. - A flaw in the OLE2 parser which could cause a remote Denial of Service (DoS). last seen 2020-06-01 modified 2020-06-02 plugin id 25560 published 2007-06-21 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/25560 title FreeBSD : clamav -- multiple vulnerabilities (903654bd-1927-11dc-b8a0-02e0185f8d72)
References
- http://lurker.clamav.net/message/20070530.224918.5c64abc4.en.html
- http://svn.clamav.net/svn/clamav-devel/trunk/ChangeLog
- https://wwws.clamav.net/bugzilla/show_bug.cgi?id=521
- http://kolab.org/security/kolab-vendor-notice-15.txt
- http://www.debian.org/security/2007/dsa-1320
- http://security.gentoo.org/glsa/glsa-200706-05.xml
- http://www.novell.com/linux/security/advisories/2007_33_clamav.html
- http://www.securityfocus.com/bid/24289
- http://secunia.com/advisories/25523
- http://secunia.com/advisories/25525
- http://secunia.com/advisories/25688
- http://secunia.com/advisories/25796
- http://osvdb.org/35522
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34778