Vulnerability Note VU#363713

Clam AntiVirus contains a buffer overflow vulnerability

Original Release date: 21 Oct 2005 | Last revised: 03 Nov 2005


A buffer overflow in Clam AntiVirus (ClamAV) may allow a remote attacker to execute arbitrary code.


Clam AntiVirus is a UNIX-based, anti-virus toolkit often deployed with mail servers to detect malicious attachments. A signedness error in ClamAV (libclamav/upx.c) may allow a buffer overflow to occur. If a remote attacker sends a specially crafted UPX-packed executable to a vulnerable ClamAV installation, that attacker may be able to trigger the buffer overflow.
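The class of bug described above, shown as an added illustration (this is not code from ClamAV's libclamav/upx.c, and all function names and sample values are assumptions): a length read from an untrusted file is held in a signed integer, so a large value turns negative and passes the bounds check, while an unsigned check written without wraparound rejects it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read a 32-bit little-endian field from untrusted file bytes. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed: the length is held in a signed int, so a field of 0xFFFFFFFF
 * becomes -1 and passes the "fits in the buffer" test. Returns 1 if the
 * copy would be allowed; the copy itself is deliberately not performed. */
static int check_signed(int dsize, int len)
{
    return len <= dsize;
}

/* Hardened: unsigned arithmetic, written so that nothing can wrap. */
static int check_unsigned(uint32_t dsize, uint32_t off, uint32_t len)
{
    return off <= dsize && len <= dsize - off;
}

/* Copy that relies only on the hardened check; -1 means rejected. */
static int safe_copy(uint8_t *dst, uint32_t dsize, uint32_t off,
                     const uint8_t *src, uint32_t ssize, uint32_t len)
{
    if (!check_unsigned(dsize, off, len) || len > ssize)
        return -1;
    memcpy(dst + off, src, len);
    return 0;
}

int main(void)
{
    /* Constructed sample: a crafted length field of 0xFFFFFFFF. */
    const uint8_t field[4] = { 0xFF, 0xFF, 0xFF, 0xFF };
    uint8_t dst[64] = { 0 };
    const uint8_t src[8] = "PAYLOAD";
    uint32_t len = read_le32(field);

    printf("signed check accepts:   %d\n", check_signed(64, (int32_t)len));
    printf("unsigned check accepts: %d\n", check_unsigned(64, 0, len));
    printf("safe_copy result:       %d\n", safe_copy(dst, 64, 0, src, 8, len));
    return 0;
}
```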


A remote attacker may be able to execute arbitrary code with the privileges of the application linked to the ClamAV process. In addition, this vulnerability may prevent ClamAV from detecting malicious UPX-packed executables.



This issue was corrected in ClamAV 0.87.

Do not access UPX-packed executables from untrusted sources

Exploitation occurs via specially crafted UPX-packed executables. Accessing UPX-packed executables only from trusted or known sources reduces the chances of exploitation.

Systems Affected

Vendor                    Status         Date Notified   Date Updated
Clam AntiVirus            Affected       -               20 Oct 2005
Debian Linux              Affected       27 Sep 2005     03 Nov 2005
FreeBSD, Inc.             Affected       21 Oct 2005     24 Oct 2005
Mandriva, Inc.            Affected       27 Sep 2005     28 Sep 2005
Ubuntu                    Affected       27 Sep 2005     28 Sep 2005
F5 Networks, Inc.         Not Affected   21 Oct 2005     24 Oct 2005
Hitachi                   Not Affected   21 Oct 2005     24 Oct 2005
Microsoft Corporation     Not Affected   21 Oct 2005     21 Oct 2005
Openwall GNU/*/Linux      Not Affected   27 Sep 2005     27 Sep 2005
Red Hat, Inc.             Not Affected   27 Sep 2005     29 Sep 2005
Slackware Linux Inc.      Not Affected   27 Sep 2005     24 Oct 2005
Sun Microsystems, Inc.    Not Affected   27 Sep 2005     27 Sep 2005
Apple Computer, Inc.      Unknown        27 Sep 2005     27 Sep 2005
Conectiva Inc.            Unknown        21 Oct 2005     21 Oct 2005
Cray Inc.                 Unknown        21 Oct 2005     21 Oct 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was reported by Thierry Carrez.

This document was written by Jeff Gennari.

Other Information

  • CVE IDs: CAN-2005-2920
  • Date Public: 19 Sep 2005
  • Date First Published: 21 Oct 2005
  • Date Last Updated: 03 Nov 2005
  • Severity Metric: 6.75
  • Document Revision: 45


If you have feedback, comments, or additional information about this vulnerability, please send us email.