Use After Free in clamav-db | CVE-2017-12374

Q: How to fix?

Upgrade Amazon-Linux:2018.03 clamav-db to version 0:0.99.3-1.28.amzn1 or higher. This issue was patched in ALAS-2018-958 .

Threat Intelligence

0.91% (84^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Use After Free vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-AMZN201803-CLAMAVDB-1710488
published27 Sept 2021
disclosed26 Jan 2018

Report a new vulnerability Found a mistake?

Introduced: 26 Jan 2018

CVE-2017-12374 (opens in a new tab) CWE-416 (opens in a new tab) First added by Snyk

How to fix?

Upgrade Amazon-Linux:2018.03 clamav-db to version 0:0.99.3-1.28.amzn1 or higher.
This issue was patched in ALAS-2018-958.

NVD Description

Note: Versions mentioned in the description apply only to the upstream clamav-db package and not the clamav-db package as distributed by Amazon-Linux. See How to fix? for Amazon-Linux:2018.03 relevant fixed versions and status.

The ClamAV AntiVirus software versions 0.99.2 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of input validation checking mechanisms during certain mail parsing operations (mbox.c operations on bounce messages). If successfully exploited, the ClamAV software could allow a variable pointing to the mail body which could cause a used after being free (use-after-free) instance which may lead to a disruption of services on an affected device to include a denial of service condition.

Use After Free Affecting clamav-db package, versions <0:0.99.3-1.28.amzn1

Severity