iDefense Security Advisory 02.12.08:
Remote exploitation of an integer overflow vulnerability
in Clam AntiVirus' ClamAV, as included in various vendors'
operating system distributions, allows attackers to execute
arbitrary code with the privileges of the affected process.
The vulnerability exists within the code responsible
for parsing and scanning PE files. While iterating through
all sections contained in the PE file, several attacker
controlled values are extracted from the file. On each iteration,
arithmetic operations are performed without taking into
consideration 32-bit integer wrap.
Since insufficient integer overflow checks are present,
an attacker can cause a heap overflow by causing a specially
crafted Petite packed PE binary to be scanned. This results
in an exploitable memory corruption condition.
Exploitation of this vulnerability results in the
execution of arbitrary code with the privileges of the process
using libclamav. In the case of the clamd program, this will
result in code execution with the privileges of the clamav user.
Unsuccessful exploitation results in the clamd process crashing.
Workaround
Disabling the scanning of PE files will prevent exploitation.
If using clamscan, this can be done by running clamscan with the
'--no-pe' option.
If using clamdscan, set the 'ScanPE' option in the clamd.conf
file to 'no'.