Hi, The vulnerability also affects unrar (3.70 beta 3 freeware by Alexander Roshal), as it tries to read a negative location from a pointer reference in the SET_VALUE(false,Data,Addr-Offset) function (found in rarvm.cpp). The values of Addr is 1666528 while Offset is 4546004 which of course results in -2879476 being accessed, or "even better" the value of 4292087820 as it is casted to an unsigned value without checking. On Wednesday 11 July 2007 18:13:03 Metaeye SG wrote: > Vendor > ------ > Clam Antivirus (http://www.clamav.net) > > Product > ------- > Clamav (libclamav) > > Versions Affected > ----------------- > All before 0.91 > > Severity > -------- > Moderate > > Issue > ----- > Clamav crashes due to processing of standard filters in RAR VM, while > processing a corrupted RAR file. Processing the corrupted file results in a > null pointer deference. > > Impact > ------ > Processing the corrupted file will result in crashing of clamscan > application and clamd daemon. > > Fix > --- > Upgrade to version 0.91. > > PoC > --- > http://www.metaeye.org/codes/corrupted.rar > > Vendor Status > ------------- > Reported: 25/06/2007 > Fixed: 11/07/2007 > > > References > ---------- > https://wwws.clamav.net/bugzilla/show_bug.cgi?id=555 > http://www.metaeye.org/advisories/54 > > > > Metaeye SG // http://www.metaeye.org -- Noam Rathaus CTO 1616 Anderson Rd. McLean, VA 22102 Tel: 703.286.7725 extension 105 Fax: 888.667.7740 noamr@xxxxxxxxxxxxxxxxxx http://www.beyondsecurity.com
