Vulnerabilities > CVE-2009-1372 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Clamav

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
clamav
CWE-119
critical
nessus

Summary

Stack-based buffer overflow in the cli_url_canon function in libclamav/phishcheck.c in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted URL.

Vulnerable Configurations

Part Description Count
Application
Clamav
99

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2009-097.NASL
    descriptionMultiple vulnerabilities has been found and corrected in clamav : Unspecified vulnerability in ClamAV before 0.95 allows remote attackers to bypass detection of malware via a modified RAR archive (CVE-2009-1241). libclamav/pe.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error (CVE-2008-6680). libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (infinite loop) via a crafted file that causes (1) clamd and (2) clamscan to hang (CVE-2009-1270). The CLI_ISCONTAINED macro in libclamav/others.h in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) via a malformed file with UPack encoding (CVE-2009-1371). Stack-based buffer overflow in the cli_url_canon function in libclamav/phishcheck.c in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted URL (CVE-2009-1372). Important notice about this upgrade: clamav-0.95+ bundles support for RAR v3 in libclamav which is a license violation as the RAR v3 license and the GPL license is not compatible. As a consequence to this Mandriva has been forced to remove the RAR v3 code. This update provides clamav 0.95.1, which is not vulnerable to these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id38165
    published2009-04-27
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/38165
    titleMandriva Linux Security Advisory : clamav (MDVSA-2009:097)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2009:097. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(38165);
      script_version ("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:51");
    
      script_cve_id("CVE-2008-6680", "CVE-2009-1241", "CVE-2009-1270", "CVE-2009-1371", "CVE-2009-1372");
      script_bugtraq_id(34344);
      script_xref(name:"MDVSA", value:"2009:097");
    
      script_name(english:"Mandriva Linux Security Advisory : clamav (MDVSA-2009:097)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities has been found and corrected in clamav :
    
    Unspecified vulnerability in ClamAV before 0.95 allows remote
    attackers to bypass detection of malware via a modified RAR archive
    (CVE-2009-1241).
    
    libclamav/pe.c in ClamAV before 0.95 allows remote attackers to cause
    a denial of service (crash) via a crafted EXE file that triggers a
    divide-by-zero error (CVE-2008-6680).
    
    libclamav/untar.c in ClamAV before 0.95 allows remote attackers to
    cause a denial of service (infinite loop) via a crafted file that
    causes (1) clamd and (2) clamscan to hang (CVE-2009-1270).
    
    The CLI_ISCONTAINED macro in libclamav/others.h in ClamAV before
    0.95.1 allows remote attackers to cause a denial of service
    (application crash) via a malformed file with UPack encoding
    (CVE-2009-1371).
    
    Stack-based buffer overflow in the cli_url_canon function in
    libclamav/phishcheck.c in ClamAV before 0.95.1 allows remote attackers
    to cause a denial of service (application crash) and possibly execute
    arbitrary code via a crafted URL (CVE-2009-1372).
    
    Important notice about this upgrade: clamav-0.95+ bundles support for
    RAR v3 in libclamav which is a license violation as the RAR v3 license
    and the GPL license is not compatible. As a consequence to this
    Mandriva has been forced to remove the RAR v3 code.
    
    This update provides clamav 0.95.1, which is not vulnerable to these
    issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 94, 119, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav-db");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav-milter");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64clamav-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64clamav6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libclamav-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libclamav6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2009.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2008.1", reference:"clamav-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"clamav-db-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"clamav-milter-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"clamd-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", cpu:"x86_64", reference:"lib64clamav-devel-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", cpu:"x86_64", reference:"lib64clamav6-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", cpu:"i386", reference:"libclamav-devel-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", cpu:"i386", reference:"libclamav6-0.95.1-2.1mdv2008.1", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2009.0", reference:"clamav-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"clamav-db-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"clamav-milter-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", reference:"clamd-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64clamav-devel-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"x86_64", reference:"lib64clamav6-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libclamav-devel-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2009.0", cpu:"i386", reference:"libclamav6-0.95.1-2.1mdv2009.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_CLAMAV-6201.NASL
    descriptionThis clamav version upgrade to 0.95.1 fixes a buffer overflow error in the cli_url_canon() function (CVE-2009-1372) and a denial of service condition occuring while parsing malformed UPack archives (CVE-2009-1371).
    last seen2020-06-01
    modified2020-06-02
    plugin id38180
    published2009-04-27
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/38180
    titleopenSUSE 10 Security Update : clamav (clamav-6201)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update clamav-6201.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(38180);
      script_version ("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:36");
    
      script_cve_id("CVE-2009-1371", "CVE-2009-1372");
    
      script_name(english:"openSUSE 10 Security Update : clamav (clamav-6201)");
      script_summary(english:"Check for the clamav-6201 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This clamav version upgrade to 0.95.1 fixes a buffer overflow error in
    the cli_url_canon() function (CVE-2009-1372) and a denial of service
    condition occuring while parsing malformed UPack archives
    (CVE-2009-1371)."
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected clamav packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:clamav");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:clamav-db");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE10.3", reference:"clamav-0.95.1-0.1") ) flag++;
    if ( rpm_check(release:"SUSE10.3", reference:"clamav-db-0.95.1-0.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "clamav");
    }
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2009-005.NASL
    descriptionThe remote host is running a version of Mac OS X 10.5 or 10.4 that does not have Security Update 2009-005 applied. This security update contains fixes for the following products : - Alias Manager - CarbonCore - ClamAV - ColorSync - CoreGraphics - CUPS - Flash Player plug-in - ImageIO - Launch Services - MySQL - PHP - SMB - Wiki Server
    last seen2020-06-01
    modified2020-06-02
    plugin id40945
    published2009-09-11
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40945
    titleMac OS X Multiple Vulnerabilities (Security Update 2009-005)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    if (!defined_func("bn_random")) exit(0);
    if (NASL_LEVEL < 3004) exit(0);
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(40945);
      script_version("1.21");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      script_cve_id("CVE-2008-2079", "CVE-2008-5498", "CVE-2008-6680", "CVE-2009-0590", "CVE-2009-0591",
                    "CVE-2009-0789", "CVE-2009-0949", "CVE-2009-1241", "CVE-2009-1270", "CVE-2009-1271",
                    "CVE-2009-1272", "CVE-2009-1371", "CVE-2009-1372", "CVE-2009-1862", "CVE-2009-1863",
                    "CVE-2009-1864", "CVE-2009-1865", "CVE-2009-1866", "CVE-2009-1867", "CVE-2009-1868",
                    "CVE-2009-1869", "CVE-2009-1870", "CVE-2009-2468", "CVE-2009-2800", "CVE-2009-2803",
                    "CVE-2009-2804", "CVE-2009-2805", "CVE-2009-2807", "CVE-2009-2809", "CVE-2009-2811",
                    "CVE-2009-2812", "CVE-2009-2813", "CVE-2009-2814");
      script_bugtraq_id(
        29106,
        33002,
        34256,
        34357,
        35759,
        36350,
        36354,
        36355,
        36357,
        36358,
        36359,
        36360,
        36361,
        36363,
        36364
      );
    
      script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2009-005)");
      script_summary(english:"Check for the presence of Security Update 2009-005");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote host is missing a Mac OS X update that fixes various
    security issues."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is running a version of Mac OS X 10.5 or 10.4 that
    does not have Security Update 2009-005 applied.
    
    This security update contains fixes for the following products :
    
      - Alias Manager
      - CarbonCore
      - ClamAV
      - ColorSync
      - CoreGraphics
      - CUPS
      - Flash Player plug-in
      - ImageIO
      - Launch Services
      - MySQL
      - PHP
      - SMB
      - Wiki Server"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://support.apple.com/kb/HT3865"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://lists.apple.com/archives/security-announce/2009/Sep/msg00004.html"
      );
      script_set_attribute(
        attribute:"see_also", 
        value:"http://www.securityfocus.com/advisories/17867"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install Security Update 2009-005 or later."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      script_cwe_id(20, 59, 79, 94, 119, 189, 200, 264, 287, 399);
      script_set_attribute(attribute:"patch_publication_date", value:"2009/09/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/11");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/MacOSX/packages", "Host/uname");
      exit(0);
    }
    
    #
    
    uname = get_kb_item("Host/uname");
    if (!uname) exit(1, "The 'Host/uname' KB item is missing.");
    
    if (egrep(pattern:"Darwin.* (8\.[0-9]\.|8\.1[01]\.)", string:uname))
    {
      packages = get_kb_item("Host/MacOSX/packages");
      if (!packages) exit(1, "The 'Host/MacOSX/packages' KB item is missing.");
    
      if (egrep(pattern:"^SecUpd(Srvr)?(2009-00[5-9]|20[1-9][0-9]-)", string:packages))
        exit(0, "The host has Security Update 2009-005 or later installed and therefore is not affected.");
      else
        security_hole(0);
    }
    else if (egrep(pattern:"Darwin.* (9\.[0-8]\.)", string:uname))
    {
      packages = get_kb_item("Host/MacOSX/packages/boms");
      if (!packages) exit(1, "The 'Host/MacOSX/packages/boms' KB item is missing.");
    
      if (egrep(pattern:"^com\.apple\.pkg\.update\.security\.(2009\.00[5-9]|20[1-9][0-9]\.[0-9]+)\.bom", string:packages))
        exit(0, "The host has Security Update 2009-005 or later installed and therefore is not affected.");
      else
        security_hole(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_CLAMAV-090416.NASL
    descriptionThis clamav version upgrade to 0.95.1 fixes a buffer overflow error in the cli_url_canon() function (CVE-2009-1372) and a denial of service condition occuring while parsing malformed UPack archives (CVE-2009-1371).
    last seen2020-06-01
    modified2020-06-02
    plugin id40200
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40200
    titleopenSUSE Security Update : clamav (clamav-809)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update clamav-809.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40200);
      script_version("1.12");
      script_cvs_date("Date: 2019/10/25 13:36:34");
    
      script_cve_id("CVE-2009-1371", "CVE-2009-1372");
    
      script_name(english:"openSUSE Security Update : clamav (clamav-809)");
      script_summary(english:"Check for the clamav-809 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This clamav version upgrade to 0.95.1 fixes a buffer overflow error in
    the cli_url_canon() function (CVE-2009-1372) and a denial of service
    condition occuring while parsing malformed UPack archives
    (CVE-2009-1371)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=493562"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected clamav packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:clamav");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:clamav-db");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.1", reference:"clamav-0.95.1-0.1.1") ) flag++;
    if ( rpm_check(release:"SUSE11.1", reference:"clamav-db-0.95.1-0.1.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "clamav");
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200909-04.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200909-04 (Clam AntiVirus: Multiple vulnerabilities) Multiple vulnerabilities have been found in ClamAV: The vendor reported a Divide-by-zero error in the PE (
    last seen2020-06-01
    modified2020-06-02
    plugin id40912
    published2009-09-10
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/40912
    titleGLSA-200909-04 : Clam AntiVirus: Multiple vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200909-04.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40912);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:45");
    
      script_cve_id("CVE-2008-6680", "CVE-2009-1270", "CVE-2009-1371", "CVE-2009-1372");
      script_xref(name:"GLSA", value:"200909-04");
    
      script_name(english:"GLSA-200909-04 : Clam AntiVirus: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200909-04
    (Clam AntiVirus: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been found in ClamAV:
        The
        vendor reported a Divide-by-zero error in the PE ('Portable
        Executable'; Windows .exe) file handling of ClamAV
        (CVE-2008-6680).
        Jeffrey Thomas Peckham found a flaw in
        libclamav/untar.c, possibly resulting in an infinite loop when
        processing TAR archives in clamd and clamscan (CVE-2009-1270).
        Martin Olsen reported a vulnerability in the CLI_ISCONTAINED macro
        in libclamav/others.h, when processing UPack archives
        (CVE-2009-1371).
        Nigel disclosed a stack-based buffer overflow
        in the 'cli_url_canon()' function in libclamav/phishcheck.c when
        processing URLs (CVE-2009-1372).
      
    Impact :
    
        A remote attacker could entice a user or automated system to process a
        specially crafted UPack archive or a file containing a specially
        crafted URL, possibly resulting in the remote execution of arbitrary
        code with the privileges of the user running the application, or a
        Denial of Service. Furthermore, a remote attacker could cause a Denial
        of Service by supplying a specially crafted TAR archive or PE
        executable to a Clam AntiVirus instance.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200909-04"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Clam AntiVirus users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=app-antivirus/clamav-0.95.2'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 94, 119, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:clamav");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/09/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"app-antivirus/clamav", unaffected:make_list("ge 0.95.2"), vulnerable:make_list("lt 0.95.2"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Clam AntiVirus");
    }
    
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2009-327.NASL
    descriptionMultiple vulnerabilities has been found and corrected in clamav : Unspecified vulnerability in ClamAV before 0.95 allows remote attackers to bypass detection of malware via a modified RAR archive (CVE-2009-1241). libclamav/pe.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (crash) via a crafted EXE file that triggers a divide-by-zero error (CVE-2008-6680). libclamav/untar.c in ClamAV before 0.95 allows remote attackers to cause a denial of service (infinite loop) via a crafted file that causes (1) clamd and (2) clamscan to hang (CVE-2009-1270). The CLI_ISCONTAINED macro in libclamav/others.h in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) via a malformed file with UPack encoding (CVE-2009-1371). Stack-based buffer overflow in the cli_url_canon function in libclamav/phishcheck.c in ClamAV before 0.95.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted URL (CVE-2009-1372). Important notice about this upgrade: clamav-0.95+ bundles support for RAR v3 in libclamav which is a license violation as the RAR v3 license and the GPL license is not compatible. As a consequence to this Mandriva has been forced to remove the RAR v3 code. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers This update provides clamav 0.95.2, which is not vulnerable to these issues. Additionally klamav-0.46 is being provided that has support for clamav-0.95+.
    last seen2020-06-01
    modified2020-06-02
    plugin id43076
    published2009-12-09
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/43076
    titleMandriva Linux Security Advisory : clamav (MDVSA-2009:327)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2009:327. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(43076);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:52");
    
      script_cve_id("CVE-2008-6680", "CVE-2009-1241", "CVE-2009-1270", "CVE-2009-1371", "CVE-2009-1372");
      script_bugtraq_id(34344);
      script_xref(name:"MDVSA", value:"2009:327");
    
      script_name(english:"Mandriva Linux Security Advisory : clamav (MDVSA-2009:327)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities has been found and corrected in clamav :
    
    Unspecified vulnerability in ClamAV before 0.95 allows remote
    attackers to bypass detection of malware via a modified RAR archive
    (CVE-2009-1241).
    
    libclamav/pe.c in ClamAV before 0.95 allows remote attackers to cause
    a denial of service (crash) via a crafted EXE file that triggers a
    divide-by-zero error (CVE-2008-6680).
    
    libclamav/untar.c in ClamAV before 0.95 allows remote attackers to
    cause a denial of service (infinite loop) via a crafted file that
    causes (1) clamd and (2) clamscan to hang (CVE-2009-1270).
    
    The CLI_ISCONTAINED macro in libclamav/others.h in ClamAV before
    0.95.1 allows remote attackers to cause a denial of service
    (application crash) via a malformed file with UPack encoding
    (CVE-2009-1371).
    
    Stack-based buffer overflow in the cli_url_canon function in
    libclamav/phishcheck.c in ClamAV before 0.95.1 allows remote attackers
    to cause a denial of service (application crash) and possibly execute
    arbitrary code via a crafted URL (CVE-2009-1372).
    
    Important notice about this upgrade: clamav-0.95+ bundles support for
    RAR v3 in libclamav which is a license violation as the RAR v3 license
    and the GPL license is not compatible. As a consequence to this
    Mandriva has been forced to remove the RAR v3 code.
    
    Packages for 2008.0 are provided for Corporate Desktop 2008.0
    customers
    
    This update provides clamav 0.95.2, which is not vulnerable to these
    issues. Additionally klamav-0.46 is being provided that has support
    for clamav-0.95+."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 94, 119, 189);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav-db");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamav-milter");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:clamd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:klamav");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64clamav-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64clamav6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libclamav-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libclamav6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2008.0", reference:"clamav-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"clamav-db-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"clamav-milter-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"clamd-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"klamav-0.46-0.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64clamav-devel-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"x86_64", reference:"lib64clamav6-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libclamav-devel-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libclamav6-0.95.2-0.1mdv2008.0", yank:"mdv")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMisc.
    NASL idCLAMAV_0_95_1.NASL
    descriptionAccording to its version, the clamd antivirus daemon on the remote host is earlier than 0.95.1. Such versions are affected by multiple vulnerabilities : - ClamAV might crash while scanning certain malicious files packed with UPack. (Bug #1552) - ClamAV might crash while using
    last seen2020-06-01
    modified2020-06-02
    plugin id36131
    published2009-04-10
    reporterThis script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36131
    titleClamAV < 0.95.1 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(36131);
      script_version("1.16");
      script_cvs_date("Date: 2018/07/06 11:26:07");
    
      script_cve_id("CVE-2009-1371", "CVE-2009-1372");
      script_bugtraq_id(34446);
    
      script_name(english:"ClamAV < 0.95.1 Multiple Vulnerabilities");
      script_summary(english:"Sends a VERSION command to clamd");
    
      script_set_attribute(attribute:"synopsis", value:"The remote antivirus service is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its version, the clamd antivirus daemon on the remote
    host is earlier than 0.95.1. Such versions are affected by multiple
    vulnerabilities :
    
      - ClamAV might crash while scanning certain malicious
        files packed with UPack. (Bug #1552)
    
      - ClamAV might crash while using 'cli_url_canon'. (Bug
        #1553)");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.clamav.net/show_bug.cgi?id=1552");
      script_set_attribute(attribute:"see_also", value:"https://bugzilla.clamav.net/show_bug.cgi?id=1553" );
      script_set_attribute(attribute:"solution", value:"Upgrade to ClamAV 0.95.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(20, 119);
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/10");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:clamav:clamav");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");
    
      script_dependencies("find_service2.nasl");
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("Services/clamd", 3310);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    
    
    # nb: banner checks of open source software are prone to false-
    #     positives so only run the check if reporting is paranoid.
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    
    port = get_kb_item("Services/clamd");
    if (!port) port = 3310;
    if (!get_port_state(port)) exit(0);
    
    
    # Establish a connection.
    soc = open_sock_tcp(port);
    if (!soc) exit(0);
    
    
    # Send a VERSION command.
    req = "VERSION";
    send(socket:soc, data:req+'\r\n');
    
    res = recv_line(socket:soc, length:128);
    if (!strlen(res) || "ClamAV " >!< res) exit(0);
    
    
    # Check the version.
    version = strstr(res, "ClamAV ") - "ClamAV ";
    if ("/" >< version) version = version - strstr(version, "/");
    
    if (version =~ "^0\.(([0-9]|[0-8][0-9]|9[0-4])($|[^0-9])|95($|[^0-9.]))")
    {
      if (report_verbosity > 0)
      {
        report = string(
          "\n",
          "ClamAV version ", version, " appears to be running on the remote host based on\n",
          "the following response to a 'VERSION' command :\n",
          "\n",
          "  ", res, "\n"
        );
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE9_12402.NASL
    descriptionThis clamav version upgrade to 0.95.1 fixes a buffer overflow error in the cli_url_canon() function (CVE-2009-1372) and a denial of service condition occuring while parsing malformed UPack archives. (CVE-2009-1371)
    last seen2020-06-01
    modified2020-06-02
    plugin id41295
    published2009-09-24
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/41295
    titleSuSE9 Security Update : ClamAV (YOU Patch Number 12402)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text description of this plugin is (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(41295);
      script_version("1.9");
      script_cvs_date("Date: 2019/10/25 13:36:33");
    
      script_cve_id("CVE-2009-1371", "CVE-2009-1372");
    
      script_name(english:"SuSE9 Security Update : ClamAV (YOU Patch Number 12402)");
      script_summary(english:"Checks rpm output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 9 host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This clamav version upgrade to 0.95.1 fixes a buffer overflow error in
    the cli_url_canon() function (CVE-2009-1372) and a denial of service
    condition occuring while parsing malformed UPack archives.
    (CVE-2009-1371)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2009-1371/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2009-1372/"
      );
      script_set_attribute(attribute:"solution", value:"Apply YOU patch number 12402.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(20, 119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/04/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");
    if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE.");
    if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages.");
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) exit(1, "Failed to determine the architecture type.");
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 9 on the '"+cpu+"' architecture have not been implemented.");
    
    
    flag = 0;
    if (rpm_check(release:"SUSE9", reference:"clamav-0.95.1-0.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else exit(0, "The host is not affected.");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_0_CLAMAV-090417.NASL
    descriptionThis clamav version upgrade to 0.95.1 fixes a buffer overflow error in the cli_url_canon() function (CVE-2009-1372) and a denial of service condition occuring while parsing malformed UPack archives (CVE-2009-1371).
    last seen2020-06-01
    modified2020-06-02
    plugin id39935
    published2009-07-21
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/39935
    titleopenSUSE Security Update : clamav (clamav-809)

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 34446 CVE(CAN) ID: CVE-2009-1371,CVE-2009-1372 Clam AntiVirus是Unix的GPL杀毒工具包,很多邮件网关产品都在使用。 ClamAV的libclamav/phishcheck.c文件中的cli_url_canon函数存在栈溢出漏洞,远程攻击者可以通过提交恶意的URL来触发这个溢出,导致执行任意代码。 如果用户使用ClamAV扫描到了UPack编码的畸形文件的话,libclamav/others.h文件的CLI_ISCONTAINED宏中的安全漏洞可能导致应用程序崩溃。 ClamAV &lt; 0.95.1 ClamAV ------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://freshmeat.net/urls/c9bfa0aa2a4b8f3dc21e37debf0b05e5 target=_blank rel=external nofollow>http://freshmeat.net/urls/c9bfa0aa2a4b8f3dc21e37debf0b05e5</a>
idSSV:5106
last seen2017-11-19
modified2009-04-25
published2009-04-25
reporterRoot
titleClamAV UPack拒绝服务和cli_url_canon()栈溢出漏洞