tag:old.nabble.com,2006:forum-12607Nabble - openbsd user - ports-security2006-01-13T15:35:03ZSecurity announcements for ports and packages. This low volume list receives OpenBSD security advisories concerning the ports tree and packages with more information about the vulnerabilities and patches.tag:old.nabble.com,2006:post-2372210OPSA_20060114: clamav -- heap overflow in the UPX code2006-01-13T15:35:03Z2006-01-13T15:35:03ZRobert Nagy+--------------------------------------------------------------------------
<br>| OpenBSD Package Security Advisory OPSA 20060114-0
<br>+--------------------------------------------------------------------------
<br><br>Short description
<br>-----------------
<br>clamav -- heap overflow in the UPX code
<br><br>Affected packages linked to affected branches
<br>---------------------------------------------
<br>clamav < 0.88 ----------> HEAD (OpenBSD -current)
<br>clamav < 0.88 ----------> OPENBSD_3_8 (OpenBSD 3.8)
<br>clamav < 0.88 ----------> OPENBSD_3_7 (OpenBSD 3.7)
<br><br>Detailed description
<br>--------------------
<br>A vulnerability has been reported in ClamAV,
<br>which potentially can be exploited by malicious
<br>people with an unknown impact.
<br>The vulnerability is caused due to an unspecified
<br>boundary error in "libclamav/upx.c".
<br>This can potentially be exploited to cause a heap-based
<br>buffer overflow via a specially-crafted UPX packed file.
<br><br>References
<br>----------
<br><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0162" target="_top" rel="nofollow">http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0162</a><br><a href="http://secunia.com/advisories/18379" target="_top" rel="nofollow">http://secunia.com/advisories/18379</a><br><br>Solution
<br>--------
<br><br> a) You can update your ports tree via CVS described at
<br> <a href="http://www.openbsd.org/ports.html#stable" target="_top" rel="nofollow">http://www.openbsd.org/ports.html#stable</a><br>
<br> Then you can recompile the port and reinstall it.
<br>
<br> (Please be careful to use the correct CVS branch)
<br>
<br> b) You can install the fixed package from our FTP servers
<br>
<br> $ pkg_add -r ftp://ftp.openbsd.org/\
<br> pub/OpenBSD/3.8/packages/i386/clamav-0.88.tgz
<br>
<br> (Please be careful to use the correct release.)
<br> (Note: We only provide fixed packages for i386.
<br> You will need to recompile from the ports tree
<br> if you use a different architecture.)
<br><br>+---------------------------------------------------------------------------
<br>| If you have any problem, feel free to write to the OpenBSD ports mailing
<br>| list. Please visit <a href="http://www.openbsd.org/mail.html" target="_top" rel="nofollow">http://www.openbsd.org/mail.html</a> for more information
<br>| about our mailing lists.
<br>+---------------------------------------------------------------------------
<br><br>