USN-1031-1: ClamAV vulnerabilities

10 December 2010

clamav vulnerabilities

Packages

  • clamav -

Details

Arkadiusz Miskiewicz and others discovered that the PDF processing
code in libclamav improperly validated input. This could allow a
remote attacker to craft a PDF document that could crash clamav or
possibly execute arbitrary code. (CVE-2010-4260, CVE-2010-4479)

It was discovered that an off-by-one error in the icon_cb function
in pe_icons.c in libclamav could allow an attacker to corrupt
memory, causing clamav to crash or possibly execute arbitrary code.
(CVE-2010-4261)

In the default installation, attackers would be isolated by the
clamav AppArmor profile.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 10.10
Ubuntu 10.04

In general, a standard system update will make all the necessary changes.