CVE-2007-6337 Unknown impact remote attack

Bug #181830 reported by Leonel Nunez on 2008-01-10
Affects           Status  Importance  Assigned to  Milestone
Feisty Backports          Undecided   Unassigned
clamav (Ubuntu)           Undecided   Unassigned
Dapper                    Undecided   Unassigned
Edgy                      Undecided   Unassigned
Feisty                    Undecided   Unassigned
Gutsy                     Undecided   Kees Cook

Bug Description

Unspecified vulnerability in the bzip2 decompression algorithm in nsis/bzip_private.h in ClamAV before 0.92 has unknown impact and remote attack vectors.

CVE References

Leonel Nunez (leonelnunez) wrote :

This debdiff is for gutsy

Packages build, installs fine; checked with bzip2 files, all worked fine.

Scott Kitterman (kitterman) wrote :

Already fixed in 0.92 in Hardy.

Changed in clamav:
status: New → Fix Released
status: New → Won't Fix
status: New → Won't Fix
assignee: nobody → leonelnunez
status: New → In Progress
status: New → Triaged
Kees Cook (kees) wrote :

Thanks for getting this prepared! The debdiff needed some tweaking:
 - fuller description of the security issue itself
 - list of patches added
 - "Reference" section
 - "-security" pocket
 - add reference to this LP bug

I've updated it, and will upload it shortly. Thanks!

Kees Cook (kees) on 2008-01-10
Changed in clamav:
assignee: nobody → keescook
status: Triaged → Fix Committed
Leonel Nunez (leonelnunez) wrote :

Last time it happens .. sorry ..

Changed in clamav:
status: Won't Fix → Invalid
status: Won't Fix → Invalid
assignee: leonelnunez → nobody
status: In Progress → Invalid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.91.2-3ubuntu2.2

---------------
clamav (0.91.2-3ubuntu2.2) gutsy-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via bzip header overflow.
  * Add 28_bzlib_private.h-CVE-2007-6337.dpatch: upstream fixes for
    vulnerability in the bzip2 decompression algorithm (LP: #181830).
  * References
    CVE-2007-6337

 -- Leonel Nunez <email address hidden> Thu, 10 Jan 2008 10:36:03 -0700

Changed in clamav:
status: Fix Committed → Fix Released
Scott Kitterman (kitterman) wrote :

Attached debdiff built and tested for Feisty for feisty-backports.

Changed in feisty-backports:
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.91.2-3ubuntu2.2~feisty1

---------------
clamav (0.91.2-3ubuntu2.2~feisty1) feisty-backports; urgency=low

  * Source backport to remove unneeded build-dep not available in Feisty
    (LP: #181830)
    - Remove build-dep on libcurl4-gnutls-dev and dependency on libcurl3-gnutls

 -- Scott Kitterman <email address hidden> Fri, 11 Jan 2008 00:17:01 -0500

Changed in clamav:
status: Invalid → Fix Released
Changed in feisty-backports:
status: Confirmed → Fix Released
Changed in clamav:
status: Fix Released → Invalid
This report contains Public Security information
Everyone can see this security related information.
