http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html

FEDORA-2015-1437

FEDORA-2015-1461

openSUSE-SU-2015:0285

SUSE-SU-2015:0298

openSUSE-SU-2015:0906

62536

62757

1031672

72372

USN-2488-2

GLSA-201512-08

The remote host is affected by the vulnerability described in GLSA-201512-08 (ClamAV: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in ClamAV. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could cause ClamAV to scan a specially crafted file,       possibly resulting in a Denial of Service condition or other unspecified       impact.
  Workaround :

    There is no known workaround at this time.

Versions of ClamAV earlier than 0.98.6 are potentially affected by the following vulnerabilities : 

 - An out-of-bounds access flaw exists in the 'unupack()' function that is triggered when parsing a specially crafted Upack packer file. A remote attacker can exploit this to crash the application, resulting in a denial of service condition. (CVE-2014-9328)
 - An out-of-bounds access flaw exists that is triggered when parsing maliciously crafted Yoda Crypter and MEWpacker files. A remote attacker can exploit this to crash the application, resulting in a denial of service condition. (CVE-2015-1461)
 - An out-of-bounds access flaw exists that is triggered when parsing a specially crafted UPX packer file. A remote attacker can exploit this to crash the application, resulting in a denial of service condition. (CVE-2015-1462)
 - A signedness flaw exists in the 'petite_inflate2x_1to9()' function in 'libclamav/petite.c' that allows a remote attacker with a specially crafted petite packer file to cause a denial of service. (CVE-2015-1463)
 - An integer overflow condition exists in 'upx.c' due to improper validation of user-supplied input when scanning EXE files. An attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code.

Upstream published version 0.98.7. This update updates sqeeze-lts to the latest upstream release in line with the approach used for other Debian releases.

The changes are not strictly required for operation, but users of the previous version in Squeeze may not be able to make use of all current virus signatures and might get warnings.

The bug fixes that are part of this release include security fixes related to packed or crypted files (CVE-2014-9328, CVE-2015-1461, CVE-2015-1462, CVE-2015-1463, CVE-2015-2170, CVE-2015-2221, CVE-2015-2222, and CVE-2015-2668) and several fixes to the embedded libmspack library, including a potential infinite loop in the Quantum decoder (CVE-2014-9556).

If you use clamav, we strongly recommend that you upgrade to this version.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated clamav packages fix security vulnerabilities :

ClamAV 0.98.6 is a maintenance release to fix some bugs, some of them being security bugs :

Certain JavaScript files causes ClamAV to segfault when scanned with the -a (list archived files) (CVE-2013-6497).

A heap buffer overflow was reported in ClamAV when scanning a specially crafted y0da Crypter obfuscated PE file (CVE-2014-9050).

Fix a heap out of bounds condition with crafted Yoda's crypter files.
This issue was discovered by Felix Groebert of the Google Security Team.

Fix a heap out of bounds condition with crafted mew packer files. This issue was discovered by Felix Groebert of the Google Security Team.

Fix a heap out of bounds condition with crafted upx packer files. This issue was discovered by Kevin Szkudlapski of Quarkslab.

Fix a heap out of bounds condition with crafted upack packer files.
This issue was discovered by Sebastian Andrzej Siewior (CVE-2014-9328).

Compensate a crash due to incorrect compiler optimization when handling crafted petite packer files. This issue was discovered by Sebastian Andrzej Siewior.

ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted upack packer file, related to a 'heap out of bounds condition.'

clamav was updated to version 0.98.6 to fix four security issues.

These security issues have been fixed :

  - ClamAV allowed remote attackers to have unspecified     impact via a crafted upx packer file, related to a heap     out of bounds condition. (bnc#916214). (CVE-2015-1462)

  - ClamAV allowed remote attackers to cause a denial of     service (crash) via a crafted petite packer file,     related to an incorrect compiler optimization.
    (bnc#916215). (CVE-2015-1463)

  - ClamAV allowed remote attackers to have unspecified     impact via a crafted upack packer file, related to a     heap out of bounds condition. (bnc#915512).
    (CVE-2014-9328)

  - ClamAV allowed remote attackers to have unspecified     impact via a crafted (1) Yoda's crypter or (2) mew     packer file, related to a heap out of bounds condition.
    (bnc#916217). (CVE-2015-1461)

clamav was updated to version 0.98.6 that fixes bugs and several security issues :

  - bsc#916217, CVE-2015-1461: Remote attackers can have     unspecified impact via Yoda's crypter or mew packer     files.

  - bsc#916214, CVE-2015-1462: Unspecified impact via     acrafted upx packer file.

  - bsc#916215, CVE-2015-1463: Remote attackers can cause a     denial of service via a crafted petite packer file.

  - bsc#915512, CVE-2014-9328: heap out of bounds condition     with crafted upack packer files.

USN-2488-1 fixed a vulnerability in ClamAV for Ubuntu 14.10, Ubuntu 14.04 LTS, and Ubuntu 12.04 LTS. This update provides the corresponding update for Ubuntu 10.04 LTS.

Sebastian Andrzej Siewior discovered that ClamAV incorrectly handled certain upack packer files. An attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated clamav packages fix security vulnerabilities :

ClamAV 0.98.6 is a maintenance release to fix some bugs, some of them being security bugs :

Fix a heap out of bounds condition with crafted Yoda's crypter files.
This issue was discovered by Felix Groebert of the Google Security Team.

Fix a heap out of bounds condition with crafted mew packer files. This issue was discovered by Felix Groebert of the Google Security Team.

Fix a heap out of bounds condition with crafted upx packer files. This issue was discovered by Kevin Szkudlapski of Quarkslab.

Fix a heap out of bounds condition with crafted upack packer files.
This issue was discovered by Sebastian Andrzej Siewior (CVE-2014-9328).

Compensate a crash due to incorrect compiler optimization when handling crafted petite packer files. This issue was discovered by Sebastian Andrzej Siewior.

According to its version, the ClamAV clamd antivirus daemon on the remote host is prior to 0.98.6. It is, therefore, affected by the following vulnerabilities :

  - An out-of-bounds access flaw exists in the unupack()     function that is triggered when parsing a specially     crafted Upack packer file. A remote attacker can exploit     this to crash the application, resulting in a denial of     service condition. (CVE-2014-9328)

  - An out-of-bounds access flaw exists that is triggered     when parsing maliciously crafted Yoda Crypter and MEW     packer files. A remote attacker can exploit this to     crash the application, resulting in a denial of service     condition. (CVE-2015-1461)  
  - An out-of-bounds access flaw exists that is triggered     when parsing a specially crafted UPX packer file. A     remote attacker can exploit this to crash the     application, resulting in a denial of service condition.
    (CVE-2015-1462)

  - A signedness flaw exists in the petite_inflate2x_1to9()     function in 'libclamav/petite.c' that allows a remote     attacker with a specially crafted petite packer file     to cause a denial of service. (CVE-2015-1463)

  - An integer overflow condition exists in upx.c due to     improper validation of user-supplied input when scanning     EXE files. An attacker can exploit this to cause a     heap-based buffer overflow, resulting in a denial of     service condition or the execution of arbitrary code.

Sebastian Andrzej Siewior discovered that ClamAV incorrectly handled certain upack packer files. An attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service, or possibly execute arbitrary code.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ClamAV 0.98.6 =============

ClamAV 0.98.6 is a bug fix release correcting the following :

  - library shared object revisions.

    - installation issues on some Mac OS X and FreeBSD       platforms.

    - includes a patch from Sebastian Andrzej Siewior making       ClamAV pid files compatible with systemd.

    - Fix a heap out of bounds condition with crafted Yoda's       crypter files. This issue was discovered by Felix       Groebert of the Google Security Team.

    - Fix a heap out of bounds condition with crafted mew       packer files. This issue was discovered by Felix       Groebert of the Google Security Team.

    - Fix a heap out of bounds condition with crafted upx       packer files. This issue was discovered by Kevin       Szkudlapski of Quarkslab.

    - Fix a heap out of bounds condition with crafted upack       packer files. This issue was discovered by Sebastian       Andrzej Siewior. CVE-2014-9328.

    - Compensate a crash due to incorrect compiler       optimization when handling crafted petite packer       files. This issue was discovered by Sebastian Andrzej       Siewior.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
87708	GLSA-201512-08 : ClamAV: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
8826	ClamAV < 0.98.6 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
83888	Debian DLA-233-1 : clamav security and upstream version update	Nessus	Debian Local Security Checks	high
82419	Mandriva Linux Security Advisory : clamav (MDVSA-2015:166)	Nessus	Mandriva Local Security Checks	high
81674	Amazon Linux AMI : clamav (ALAS-2015-486)	Nessus	Amazon Linux Local Security Checks	high
81389	SuSE 11.3 Security Update : clamav (SAT Patch Number 10283)	Nessus	SuSE Local Security Checks	high
81372	openSUSE Security Update : clamav (openSUSE-2015-147)	Nessus	SuSE Local Security Checks	high
81341	Ubuntu 10.04 LTS : clamav vulnerability (USN-2488-2)	Nessus	Ubuntu Local Security Checks	high
81283	Mandriva Linux Security Advisory : clamav (MDVSA-2015:042)	Nessus	Mandriva Local Security Checks	high
81147	ClamAV < 0.98.6 Multiple Vulnerabilities	Nessus	Misc.	high
81144	Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : clamav vulnerability (USN-2488-1)	Nessus	Ubuntu Local Security Checks	high
81115	Fedora 21 : clamav-0.98.6-1.fc21 (2015-1461)	Nessus	Fedora Local Security Checks	high
81114	Fedora 20 : clamav-0.98.6-1.fc20 (2015-1437)	Nessus	Fedora Local Security Checks	high

CVE-2014-9328

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins