SB2018030635 - Out-of-bounds read in clamav (Alpine package)
Published: March 6, 2018
Security Bulletin ID
SB2018030635
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low: 1
- Medium: 0
- High: 0
- Critical: 0
Description
This security bulletin contains information about 1 security vulnerability.
1) Out-of-bounds read (CVE-ID: CVE-2018-1000085)
The vulnerability allows a remote, unauthenticated attacker to cause a denial-of-service condition on the target system. The weakness exists in the xar_hash_check() function of the XAR archive parser in libclamav, which does not sufficiently validate user-supplied input. A remote attacker can supply a specially crafted XAR archive to a system that scans it with ClamAV (for example, as an e-mail attachment passed through a clamd-backed mail gateway), trigger an out-of-bounds heap memory read and crash the scanning process. No user interaction beyond the file being scanned is required.
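The following C program is an added illustration of the bug class this entry describes; it is not ClamAV's code and not taken from this bulletin. It models a checksum comparison whose length is taken from the digest type declared in the archive's table of contents ("sha1" or "md5") rather than from the number of bytes the archive actually supplied, so a crafted TOC that declares sha1 but carries a 4-byte hash makes memcmp() read past a heap allocation. A hardened variant that insists the supplied length equal the digest size sits beside it. All function names (parse_style, decode_hex, hash_check_unchecked, hash_check_hardened, verify_toc_checksum), the return-code convention and the sample digest (the SHA-1 of empty input, embedded as a constant rather than computed) are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SHA1_LEN 20
#define MD5_LEN  16

enum ck_style { CK_NONE = 0, CK_SHA1, CK_MD5 };

/* Map a TOC checksum "style" attribute to a digest type (hypothetical names). */
static enum ck_style parse_style(const char *style)
{
    if (style == NULL) return CK_NONE;
    if (strcmp(style, "sha1") == 0) return CK_SHA1;
    if (strcmp(style, "md5") == 0)  return CK_MD5;
    return CK_NONE;                       /* anything else is unsupported */
}

static size_t digest_len(enum ck_style st)
{
    switch (st) {
    case CK_SHA1: return SHA1_LEN;
    case CK_MD5:  return MD5_LEN;
    default:      return 0;
    }
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the TOC's hex string into a heap buffer sized by the STRING, not by
 * the digest type: this length is attacker-controlled. Returns NULL on
 * malformed hex; *out_len receives the decoded byte count. */
static uint8_t *decode_hex(const char *hex, size_t *out_len)
{
    size_t n = strlen(hex);
    if (n == 0 || (n % 2) != 0) return NULL;
    uint8_t *buf = malloc(n / 2);
    if (buf == NULL) return NULL;
    for (size_t i = 0; i < n / 2; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) { free(buf); return NULL; }
        buf[i] = (uint8_t)((hi << 4) | lo);
    }
    *out_len = n / 2;
    return buf;
}

/* VULNERABLE shape: the compare length comes from the style alone. A TOC that
 * says style="sha1" but supplies 4 bytes makes memcmp() read 16 bytes past the
 * end of `expected`. Kept only for contrast; never called with a short buffer. */
static int hash_check_unchecked(enum ck_style st, const uint8_t *computed,
                                const uint8_t *expected)
{
    size_t len = digest_len(st);
    if (len == 0 || computed == NULL || expected == NULL) return -1;
    return memcmp(computed, expected, len) == 0 ? 0 : 1;
}

/* HARDENED: the caller states how many bytes `expected` really holds, and any
 * length other than the digest size is rejected before memcmp() runs. */
static int hash_check_hardened(enum ck_style st, const uint8_t *computed,
                               const uint8_t *expected, size_t expected_len)
{
    size_t len = digest_len(st);
    if (len == 0 || computed == NULL || expected == NULL) return -1;
    if (expected_len != len) return -1;   /* short or long hash: malformed */
    return memcmp(computed, expected, len) == 0 ? 0 : 1;
}

/* Check one TOC checksum element against the digest the scanner computed.
 * 0 = match, 1 = mismatch, -1 = malformed or unsupported. */
int verify_toc_checksum(const char *style, const char *hex, const uint8_t *computed)
{
    enum ck_style st = parse_style(style);
    if (st == CK_NONE) return -1;
    size_t n = 0;
    uint8_t *expected = decode_hex(hex, &n);
    if (expected == NULL) return -1;
    int rc = hash_check_hardened(st, computed, expected, n);
    free(expected);
    return rc;
}

/* Constructed sample: SHA-1 of empty input, as a scanner would compute it,
 * and its hex form as a well-formed TOC would carry it. */
const uint8_t SAMPLE_SHA1[SHA1_LEN] = {
    0xda,0x39,0xa3,0xee,0x5e,0x6b,0x4b,0x0d,0x32,0x55,
    0xbf,0xef,0x95,0x60,0x18,0x90,0xaf,0xd8,0x07,0x09 };
const char SAMPLE_SHA1_HEX[] = "da39a3ee5e6b4b0d3255bfef95601890afd80709";

int main(void)
{
    /* Well-formed TOC: hardened check matches (prints 0). */
    printf("well-formed sha1: %d\n",
           verify_toc_checksum("sha1", SAMPLE_SHA1_HEX, SAMPLE_SHA1));
    /* Crafted TOC: style sha1, 4-byte hash. Hardened path rejects it (prints -1);
     * hash_check_unchecked() would have memcmp'd 20 bytes of a 4-byte allocation. */
    printf("short sha1 (crafted): %d\n",
           verify_toc_checksum("sha1", "deadbeef", SAMPLE_SHA1));
    return 0;
}
```

The check that matters is the single `expected_len != len` comparison: the decoded buffer's length must come back from the decoder and be compared against the digest size before any fixed-length memory comparison, which is the general rule for any parser that pairs a declared algorithm with a caller-supplied value. Building with `-fsanitize=address` and calling hash_check_unchecked() on the 4-byte buffer is a quick way to see the over-read reported.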
Remediation
Upgrade to the fixed clamav package through apk on the affected Alpine branches; the aports commits listed under References carry the package update. Upstream fixed the issue in ClamAV 0.99.4, so any build at or above that release is also not affected. After upgrading, restart clamd (and any service embedding libclamav, such as a mail gateway's scanner) so the new library is actually loaded.
References
- https://git.alpinelinux.org/aports/commit/?id=271f0c5a69090b247eb2e7dcf3297272c5e557d6
- https://git.alpinelinux.org/aports/commit/?id=46ab307937563eeb8acb82c3fa85fc67c712ec7f
- https://git.alpinelinux.org/aports/commit/?id=b4b20e148bb4cc6d70c787ff565bbc1dc3c33b95
- https://git.alpinelinux.org/aports/commit/?id=daeca7a60515632355e7380ea79af439a01e2bb1
- https://git.alpinelinux.org/aports/commit/?id=39811d78329ec562d9254e27716bacc363c40d72