Hi, The vulnerability also affects unrar (3.70 beta 3 freeware by Alexander=20 Roshal), as it tries to read a negative location from a pointer reference i= n=20 the SET_VALUE(false,Data,Addr-Offset) function (found in rarvm.cpp). The values of Addr is 1666528 while Offset is 4546004 which of course resul= ts=20 in -2879476 being accessed, or "even better" the value of 4292087820 as it = is=20 casted to an unsigned value without checking. On Wednesday 11 July 2007 18:13:03 Metaeye SG wrote: > Vendor > ------ > Clam Antivirus (http://www.clamav.net) > > Product > ------- > Clamav (libclamav) > > Versions Affected > ----------------- > All before 0.91 > > Severity > -------- > Moderate > > Issue > ----- > Clamav crashes due to processing of standard filters in RAR VM, while > processing a corrupted RAR file. Processing the corrupted file results in= a > null pointer deference. > > Impact > ------ > Processing the corrupted file will result in crashing of clamscan > application and clamd daemon. > > Fix > --- > Upgrade to version 0.91. > > PoC > --- > http://www.metaeye.org/codes/corrupted.rar > > Vendor Status > ------------- > Reported: 25/06/2007 > Fixed: 11/07/2007 > > > References > ---------- > https://wwws.clamav.net/bugzilla/show_bug.cgi?id=3D555 > http://www.metaeye.org/advisories/54 > > > > Metaeye SG // http://www.metaeye.org =2D-=20 =A0 Noam Rathaus =A0 CTO =A0 1616 Anderson Rd. =A0 McLean, VA 22102 =A0 Tel: 703.286.7725 extension 105 =A0 Fax: 888.667.7740 =A0 noamr@beyondsecurity.com =A0 http://www.beyondsecurity.com