CVE-2018-0360 — Integer Overflow or Wraparound in Clamav

CWE-190 — Integer Overflow or Wraparound13 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

1.2%

top 20.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Clamav Debian Clamav Canonical Ubuntu Linux +1 more

Timeline

PublishedJul 16

Latest updateMay 14

Description

ClamAV before 0.100.1 has an HWP integer overflow with a resultant infinite loop via a crafted Hangul Word Processor file. This is in parsehwp3_paragraph() in libclamav/hwp.c.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages4 packages

▶NVDclamav/clamav< 0.100.1

▶debiandebian/clamav< clamav 0.100.1+dfsg-1 (bookworm)

▶Debianclamav/clamav< 0.100.1+dfsg-1+3

▶Ubuntuclamav/clamav< 0.100.1+dfsg-1ubuntu0.14.04.4+8

Also affects: Debian Linux 8.0, Ubuntu Linux 12.04, 14.04, 16.04, 18.04

🔴Vulnerability Details

GHSA

GHSA-59c3-hhq4-m878: ClamAV before 0↗2022-05-14

▶

OSV

clamav regression↗2018-09-18

▶

OSV

clamav regression↗2018-07-26

▶

OSV

clamav vulnerabilities↗2018-07-24

▶

OSV

CVE-2018-0360: ClamAV before 0↗2018-07-16

▶

📋Vendor Advisories

Ubuntu

ClamAV vulnerabilities↗2018-09-18

▶

Ubuntu

ClamAV regression↗2018-09-18

▶

Ubuntu

ClamAV regression↗2018-07-26

▶

Ubuntu

ClamAV vulnerabilities↗2018-07-25

▶

Ubuntu

ClamAV vulnerabilities↗2018-07-24

▶

💬Community

Bugzilla

CVE-2018-0360 clamav: integer-overflow in function parsehwp3_paragraph() in libclamav/hwp.c↗2019-04-11

▶