Feisty Backports

CVE-2007-6337 Unknown impact remote attack

Bug #181830 reported by Leonel Nunez on 2008-01-10

254

	Status	Importance	Assigned to
Feisty Backports	Fix Released	Undecided	Unassigned
clamav (Ubuntu)	Fix Released	Undecided	Unassigned
Dapper	Invalid	Undecided	Unassigned
Edgy	Invalid	Undecided	Unassigned
Feisty	Invalid	Undecided	Unassigned
Gutsy	Fix Released	Undecided	Kees Cook

Bug Description

Unspecified vulnerability in the bzip2 decompression algorithm in nsis/bzip_private.h in Clamav Before 0.92 has unknown impact and remote attack vectors.

Related branches

lp://staging/ubuntu/feisty-backports/clamav

CVE References

2007-6337

Revision history for this message

Leonel Nunez (leonelnunez) wrote on 2008-01-10:

Gutsy Debdiff Edit (2.0 KiB, text/plain)

This debdiff is for gutsy

Packages build , installs fine checked with bzip2 files all worked fine.

Revision history for this message

Scott Kitterman (kitterman) wrote on 2008-01-10:

Already fixed in 0.92 in Hardy.

Changed in clamav:
status:	New → Fix Released
status:	New → Won't Fix
status:	New → Won't Fix
assignee:	nobody → leonelnunez
status:	New → In Progress
status:	New → Triaged

Revision history for this message

Kees Cook (kees) wrote on 2008-01-10:

Thanks for getting this prepared! The debdiff needed some tweaking:
- fuller description of the security issue itself
- list of patches added
- "Reference" section
- "-security" pocket
- add reference to this LP bug

I've updated it, and will be upload it shortly. Thanks!

Kees Cook (kees) on 2008-01-10

Changed in clamav:
assignee:	nobody → keescook
status:	Triaged → Fix Committed

Revision history for this message

Leonel Nunez (leonelnunez) wrote on 2008-01-10:

Last time it happens .. sorry ..

Scott Kitterman (kitterman) on 2008-01-10

Changed in clamav:
status:	Won't Fix → Invalid
status:	Won't Fix → Invalid
assignee:	leonelnunez → nobody
status:	In Progress → Invalid

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-01-11:

This bug was fixed in the package clamav - 0.91.2-3ubuntu2.2

---------------
clamav (0.91.2-3ubuntu2.2) gutsy-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via bzip header overflow.
  * Add 28_bzlib_private.h-CVE-2007-6337.dpatch: upstream fixes for
    vulnerability in the bzip2 decompression algorithm (LP: #181830).
  * References
    CVE-2007-6337

-- Leonel Nunez <email address hidden> Thu, 10 Jan 2008 10:36:03 -0700

Changed in clamav:
status:	Fix Committed → Fix Released

Revision history for this message

Scott Kitterman (kitterman) wrote on 2008-01-11:

Debdiff for feisty-backports Edit (3.2 KiB, text/plain)

Attached debdiff build and tested for Feisty for feisty-backports.

Changed in feisty-backports:
status:	New → Confirmed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2008-01-11:

This bug was fixed in the package clamav - 0.91.2-3ubuntu2.2~feisty1

---------------
clamav (0.91.2-3ubuntu2.2~feisty1) feisty-backports; urgency=low

  * Source backport to remove unneeded build-dep not available in Feisty
    (LP: #181830)
    - Remove build-dep on libcurl4-gnutls-dev and dependency on libcurl3-gnutls

-- Scott Kitterman <email address hidden> Fri, 11 Jan 2008 00:17:01 -0500

Changed in clamav:
status:	Invalid → Fix Released

Scott Kitterman (kitterman) on 2008-01-11

Changed in feisty-backports:
status:	Confirmed → Fix Released
Changed in clamav:
status:	Fix Released → Invalid

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.