+--------------------------------------------------------------------------
| OpenBSD Package Security Advisory OPSA 20060114-0
+--------------------------------------------------------------------------
Short description
-----------------
clamav -- heap overflow in the UPX code
Affected packages linked to affected branches
---------------------------------------------
clamav < 0.88 ----------> HEAD (OpenBSD -current)
clamav < 0.88 ----------> OPENBSD_3_8 (OpenBSD 3.8)
clamav < 0.88 ----------> OPENBSD_3_7 (OpenBSD 3.7)
Detailed description
--------------------
A vulnerability has been reported in ClamAV which
can potentially be exploited by malicious people;
the impact is currently unknown.
The vulnerability is caused by an unspecified
boundary error in "libclamav/upx.c".
This can potentially be exploited to cause a heap-based
buffer overflow via a specially crafted UPX-packed file.
References
----------
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0162
http://secunia.com/advisories/18379
Solution
--------
a) You can update your ports tree via CVS as described at
http://www.openbsd.org/ports.html#stable
Then you can recompile the port and reinstall it.
(Please be careful to use the correct CVS branch.)
b) You can install the fixed package from our FTP servers
$ pkg_add -r ftp://ftp.openbsd.org/\
pub/OpenBSD/3.8/packages/i386/clamav-0.88.tgz
(Please be careful to use the correct release.)
(Note: We only provide fixed packages for i386.
You will need to recompile from the ports tree
if you use a different architecture.)
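The following is an added example, not part of the advisory: a POSIX sh check that decides whether an installed clamav package predates the fixed version 0.88 named above. It assumes OpenBSD package names of the form clamav-VERSION with an optional pN patch-level suffix, and that pkg_info with no arguments lists installed packages one per line starting with the package name.

```shell
#!/bin/sh
# Added example (not from the advisory): compare an installed clamav
# package version against the fixed release 0.88 from OPSA 20060114-0.

# version_lt A B: succeed (exit 0) when dotted version A is numerically
# below B, comparing field by field (0.87.1 < 0.88, 0.88 < 0.88.1).
version_lt() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}
        # drop the field just consumed; empty the string when no dot remains
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 1
    done
    return 1   # versions are equal
}

# clamav_version PKG: strip the "clamav-" stem, any flavor after '-', and
# the OpenBSD patch-level suffix (assumed form pN), e.g. clamav-0.87.1p0 -> 0.87.1
clamav_version() {
    _v=${1#clamav-}
    _v=${_v%%-*}
    printf '%s\n' "${_v%%p[0-9]*}"
}

# is_vulnerable PKG: succeed when the package predates the fixed version 0.88
is_vulnerable() {
    version_lt "$(clamav_version "$1")" 0.88
}

# Constructed sample package names (not taken from a real system)
for pkg in clamav-0.87.1 clamav-0.87.1p0 clamav-0.88 clamav-0.88p1; do
    if is_vulnerable "$pkg"; then
        printf '%s: older than 0.88, update needed\n' "$pkg"
    else
        printf '%s: fixed version or later\n' "$pkg"
    fi
done

# Live check on OpenBSD only (assumed pkg_info output format); skipped elsewhere
if command -v pkg_info >/dev/null 2>&1; then
    pkg_info 2>/dev/null | awk '/^clamav-/ { print $1 }' | while read -r pkg; do
        is_vulnerable "$pkg" && printf 'installed %s is affected by OPSA 20060114-0\n' "$pkg"
    done
fi
```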
+---------------------------------------------------------------------------
| If you have any problem, feel free to write to the OpenBSD ports mailing
| list. Please visit
| http://www.openbsd.org/mail.html for more information
| about our mailing lists.
+---------------------------------------------------------------------------