Discussion:
[clamav-users] Details on CVE-2010-4260 and CVE-2010-4479?
Garrett Van Dyk
7 years ago
I'm trying to get specific details on these two CVEs: CVE-2010-4260 (
https://bugzilla.clamav.net/show_bug.cgi?id=2358 and
https://bugzilla.clamav.net/show_bug.cgi?id=2396) and CVE-2010-4479 (
https://bugzilla.clamav.net/show_bug.cgi?id=2380). I don't have permissions
to view these bugs in Bugzilla. The issues appear to have been fixed in
the same commit (
https://github.com/Cisco-Talos/clamav-devel/commit/019f1955194360600ecf0644959ceca6734c2d7b)
but this doesn't provide detail on which bug applies to which fix, or the
nature of the bugs themselves. Any help on differentiating these
vulnerabilities would be appreciated.
Matus UHLAR - fantomas
7 years ago
...
those bugs are apparently security vulnerabilities in clamav, and as such
they are kept private.

why are you trying to get details on them?

Yes, they might be revealed, finally they are some 8 years old...
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Due to unexpected conditions Windows 2000 will be released
in first quarter of year 1901
_______________________________________________
clamav-users mailing list
clamav-***@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Garrett Van Dyk
7 years ago
I agree, they are quite old, I'm mostly curious for posterity's sake. It seems strange that there are two separate CVEs with very little detail. The fix commit is public, looks to be an out-of-bounds read, just wanted to know if these two CVEs should be considered as related to the same underlying vulnerability, and if not, what the distinguishing factors were.
Micah Snyder (micasnyd)
7 years ago
Hi Garrett,

Sorry about the delay, I've just marked each of the 3 requested Bugzilla reports as publicly viewable so you can find your answers.

Our general policy is to make vulnerability-type tickets public after a version is released. That said, we usually keep PoCs and in-depth details about vulnerabilities private so as to not make it too easy for people with malicious intentions.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Jul 11, 2018, at 10:28 AM, Garrett Van Dyk <***@vandykweb.com> wrote:

I agree, they are quite old, I'm mostly curious for posterity's sake. It seems strange that there are two separate CVEs with very little detail. The fix commit is public, looks to be an out-of-bounds read, just wanted to know if these two CVEs should be considered as related to the same underlying vulnerability, and if not, what the distinguishing factors were.

On 7/7/18, 12:02 PM, "Matus UHLAR - fantomas" <***@fantomas.sk> wrote:

On 06.07.18 15:48, Garrett Van Dyk wrote:
I'm trying to get specific details on these two CVEs: CVE-2010-4260 (
https://bugzilla.clamav.net/show_bug.cgi?id=2358 and
https://bugzilla.clamav.net/show_bug.cgi?id=2396) and CVE-2010-4479 (
https://bugzilla.clamav.net/show_bug.cgi?id=2380). I don't have permissions
to view these bugs in Bugzilla. The issues appear to have been fixed in
the same commit (
https://github.com/Cisco-Talos/clamav-devel/commit/019f1955194360600ecf0644959ceca6734c2d7b)
but this doesn't provide detail on which bug applies to which fix, or the
nature of the bugs themselves. Any help on differentiating these
vulnerabilities would be appreciated.

those bugs are apparently security vulnerabilities in clamav, and as such
they are kept private.

why are you trying to get details on them?

Yes, they might be revealed, finally they are some 8 years old...