Please do not reply directly to this email. All additional comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=240395
Summary: CVE-2007-2650: clamav OLE2 parser DoS
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: medium
Priority: medium
Component: clamav
AssignedTo: enrico.scholz@informatik.tu-chemnitz.de
ReportedBy: ville.skytta@iki.fi
QAContact: extras-qa@fedoraproject.org
CC: fedora-security-list@redhat.com
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2650
"The OLE2 parser in Clam AntiVirus (ClamAV) allows remote attackers to cause a denial of service (resource consumption) via an OLE2 file with (1) a large property size or (2) a loop in the FAT file block chain that triggers an infinite loop, as demonstrated via a crafted DOC file."
Affected versions unknown.
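Added example, not ClamAV's code or the upstream patch: one way a parser can guard against the two conditions named in the CVE description, a looping FAT block chain and an oversized property size. The helper name walk_chain, the 512-byte sector size and the sample FATs are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ENDOFCHAIN 0xFFFFFFFEu /* end-of-chain marker in an OLE2 FAT */

/* Constructed sample FATs (not taken from any real file). */
static const uint32_t GOOD_FAT[3] = {1, 2, ENDOFCHAIN}; /* 0 -> 1 -> 2 -> end */
static const uint32_t LOOP_FAT[3] = {1, 2, 0};          /* 0 -> 1 -> 2 -> 0 ... */

/* Hypothetical helper: follow the chain that starts at sector `start`.
 * Returns the chain length in sectors, -1 if the chain revisits a sector,
 * leaves the FAT, or cannot be checked, and -2 if the declared property
 * size cannot fit in the chain. */
long walk_chain(const uint32_t *fat, size_t nsect, uint32_t start,
                uint64_t prop_size, uint32_t sect_size)
{
    unsigned char *seen = calloc(nsect ? nsect : 1, 1);
    uint32_t cur = start;
    long len = 0;

    if (!seen)
        return -1;
    while (cur != ENDOFCHAIN) {
        if (cur >= nsect || seen[cur]) { /* out of range, or a loop */
            free(seen);
            return -1;
        }
        seen[cur] = 1; /* each sector may appear in a chain only once */
        len++;
        cur = fat[cur];
    }
    free(seen);
    /* Reject the declared size before anything is allocated or read from it. */
    if (prop_size > (uint64_t)len * sect_size)
        return -2;
    return len;
}

int main(void)
{
    printf("good: %ld\n", walk_chain(GOOD_FAT, 3, 0, 1500, 512));
    printf("loop: %ld\n", walk_chain(LOOP_FAT, 3, 0, 1500, 512));
    printf("oversized property: %ld\n", walk_chain(GOOD_FAT, 3, 0, 1u << 30, 512));
    return 0;
}
```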
james.teh@netboxblue.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
CC              |                            |james.teh@netboxblue.com
bojan@rexursive.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
CC              |                            |bojan@rexursive.com
bugzilla@redhat.com changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Product         |Fedora Extras               |Fedora
------- Additional Comments From bojan@rexursive.com 2007-06-19 21:58 EST -------
This has been open for over a month now. Could someone please either:
- explain why this doesn't affect FC6/F7 and close
- upgrade to secure version(s) and close
------- Additional Comments From kevin@tummy.com 2007-06-20 22:47 EST -------
First of all it looks like all versions before 0.90.3 are affected.
The upstream bug: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=466
Here's the commit that fixed it: http://svn.clamav.net/websvn/diff.php?repname=clamav-devel&path=%2Ftrunk...
I don't know if this applies ok to the old 0.88.x versions. All the other vendors I see have just shipped the 0.90.3 version.
enrico.scholz@informatik.tu-chemnitz.de changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |NEW                         |ASSIGNED
------- Additional Comments From enrico.scholz@informatik.tu-chemnitz.de 2007-06-21 02:54 EST -------
sorry; package with patches is ready and in CVS for several weeks. But my local FC6 build- and testsystem is broken and I could not test the changes.
------- Additional Comments From Kevin@tigcc.ticalc.org 2007-06-21 17:54 EST -------
Then just push the changes without testing them, it's better than letting the security fixes stay unfixed.
------- Additional Comments From kevin@tummy.com 2007-06-22 12:22 EST -------
I happen to use a fc6 box here for email processing. Would you like me to test? Just rebuild the one from FC-6 cvs and confirm it works? Or do you have example files that I can run on it?
------- Additional Comments From bojan@rexursive.com 2007-07-11 20:16 EST -------
What's the status of this? Do you need any help building stuff?
If your FC6 installation is broken, could you at least do it for F7? I see 0.90.3 is in Rawhide, so it should not be difficult to push the build.
If there is no way you can build this, could you at least ask one of the senior folks like Ville to expand the maintainers list for this package, so that others can do it?
------- Additional Comments From enrico.scholz@informatik.tu-chemnitz.de 2007-07-12 02:29 EST -------
FC7 was built some weeks ago. Dunno, in which queue it is stuck...
enrico.scholz@informatik.tu-chemnitz.de changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |ASSIGNED                    |CLOSED
Resolution      |                            |CURRENTRELEASE
Fixed In Version|                            |0.88.7-3
------- Additional Comments From bojan@rexursive.com 2007-07-12 03:37 EST -------
Did you go to https://admin.fedoraproject.org/updates/ to push it through?
ville.skytta@iki.fi changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Version         |fc6                         |f7
Status          |CLOSED                      |ASSIGNED
Keywords        |                            |Reopened
Resolution      |CURRENTRELEASE              |
Alias           |                            |CVE-2007-2650
------- Additional Comments From ville.skytta@iki.fi 2007-07-12 15:11 EST -------
Reopening and adjusting release as there's no update for F7 yet. Searching for clamav in bodhi (URL in comment 8) produces no hits.
If you're not up to date with how to push updates for F7+, see http://fedoraproject.org/wiki/PackageMaintainers/UpdatingPackageHowTo
------- Additional Comments From enrico.scholz@informatik.tu-chemnitz.de 2007-07-12 15:40 EST -------
at comment #9: exactly... I do not have a clue how to use bodhi; the "My updates" and two other lists are all empty and do not show http://koji.fedoraproject.org/koji/buildinfo?buildID=9624
------- Additional Comments From bojan@rexursive.com 2007-07-12 18:24 EST -------
When I go to New Updates and type in clamav, I get a list of packages, including clamav-0.90.3-1.fc7. Have you tried that?
------- Additional Comments From bojan@rexursive.com 2007-07-16 17:35 EST -------
Ping...
------- Additional Comments From bojan@rexursive.com 2007-07-18 17:26 EST -------
Just requested that this new package be pushed to stable updates of F7.
------- Additional Comments From updates@fedoraproject.org 2007-07-19 12:45 EST -------
clamav-0.90.3-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
updates@fedoraproject.org changed:
What            |Removed                     |Added
----------------------------------------------------------------------------
Status          |ASSIGNED                    |CLOSED
Resolution      |                            |ERRATA
Fixed In Version|0.88.7-3                    |0.90.3-1.fc7
------- Additional Comments From ville.skytta@iki.fi 2007-07-19 14:03 EST -------
Thanks, Bojan. Could someone familiar with clamav also check whether this update fixes the bunch of issues in bug 245219 as well?