USN-1031-1: ClamAV vulnerabilities

10 December 2010

clamav vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 10.10
  • Ubuntu 10.04 LTS

Summary

Software Description

  • clamav

Details

Arkadiusz Miskiewicz and others discovered that the PDF processing code in libclamav improperly validated input. This could allow a remote attacker to craft a PDF document that could crash clamav or possibly execute arbitrary code. (CVE-2010-4260, CVE-2010-4479)

It was discovered that an off-by-one error in the icon_cb function in pe_icons.c in libclamav could allow an attacker to corrupt memory, causing clamav to crash or possibly execute arbitrary code. (CVE-2010-4261)

In the default installation, attackers would be isolated by the clamav AppArmor profile.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.10
libclamav6 - 0.96.3+dfsg-2ubuntu1.2
Ubuntu 10.04 LTS
libclamav6 - 0.96.3+dfsg-2ubuntu1.0.10.04.2

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References