Security fixes in 0.88.2

April 29th, 2006. Posted by webmaster

CVE: CVE-2006-1989
Status: Moderate risk
Vulnerable: ClamAV 0.80 – 0.88.1

Freshclam is a command-line utility responsible for downloading and installing virus signature updates. One of its features is an HTTP client that performs file downloads from web servers. A security vulnerability in the protocol code was discovered independently by Ulf Harnhammar and an anonymous researcher from Germany.

The problem exists due to the lack of a proper check on the size of the header data received from a web server:

int get_database(const char *dbfile, int socketfd, const char *file, const char *hostname, const char *proxy, const char *user, const char *pass) {
        char cmd[512], buffer[FILEBUFF], *ch;
[...]
        /* read all the http headers */
        ch = buffer;
        i = 0;
        while (1) {
            /* recv one byte at a time, until we reach \r\n\r\n;
             * note that i is never compared against FILEBUFF before
             * the next byte is written to buffer + i */
            if(recv(socketfd, buffer + i, 1, 0) == -1) {
[...]

The code assumes that the total size of all headers returned by the web server is smaller than 8 KB. A specially prepared HTTP server could be used by an attacker to exploit freshclam clients connecting to the database mirror. The bug was classified as moderate risk. The ClamAV project uses a large number of database mirrors gathered into round-robin records. In most cases the system looks up the GeoIP database to redirect users to the closest pool of mirrors. Remote exploitation (denial of service) can be achieved by changing one of the mirrors' configurations to run a special web server returning wrong header data, or by pointing freshclam to a bogus mirror, e.g. by means of DNS poisoning. Remote execution of arbitrary code is not easy due to the diversity of client platforms and architectures.
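To make the missing check concrete, the following is an added example written for this page; it is not freshclam's code and not the fix shipped in 0.88.2. It keeps the same shape as the loop above (one byte per read, stop at "\r\n\r\n") but bounds the write index against the buffer size and treats an oversized header as a protocol error instead of continuing to read. Assumptions: FILEBUFF is taken as 8192 (the text only says "smaller than 8 KB"), and the socket is replaced by a constructed in-memory byte stream so the code runs offline.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Buffer size used for the header read; the advisory says the code assumes
 * headers stay under 8 KB, so 8192 is taken here as the value of FILEBUFF. */
#define FILEBUFF 8192

/* Stand-in for a socket: a constructed in-memory byte stream so the example
 * runs offline. recv_one_byte() mimics recv(fd, buf, 1, 0): 1 on success,
 * 0 when the peer has closed the connection. */
struct fake_conn {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

static int recv_one_byte(struct fake_conn *c, char *out)
{
    if (c->pos >= c->len)
        return 0;
    *out = (char)c->data[c->pos++];
    return 1;
}

/* Hardened version of the header loop: still one byte per read, still stops
 * at "\r\n\r\n", but never writes past buf[bufsize - 1].
 * Returns the header length on success, -1 if the stream ends before the
 * headers do, -2 if the headers do not fit in the buffer. */
int read_http_headers(struct fake_conn *c, char *buf, size_t bufsize)
{
    size_t i = 0;
    char ch;

    if (bufsize < 2)
        return -2;
    while (1) {
        /* The check the vulnerable loop lacks: keep one byte for the NUL. */
        if (i >= bufsize - 1) {
            buf[bufsize - 1] = '\0';
            return -2;
        }
        if (recv_one_byte(c, &ch) <= 0) {
            buf[i] = '\0';
            return -1;
        }
        buf[i++] = ch;
        if (i >= 4 && memcmp(buf + i - 4, "\r\n\r\n", 4) == 0) {
            buf[i] = '\0';
            return (int)i;
        }
    }
}

/* Constructed, well-formed response: the headers end after 38 bytes. */
int demo_normal(void)
{
    static const char resp[] =
        "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello";
    struct fake_conn c = { (const unsigned char *)resp, sizeof(resp) - 1, 0 };
    char buf[FILEBUFF];
    return read_http_headers(&c, buf, sizeof buf);
}

/* Constructed response whose single header line is longer than the whole
 * buffer and never terminated. *consumed receives how many bytes the reader
 * pulled from the stream before giving up. */
int demo_oversized(size_t *consumed)
{
    static unsigned char big[FILEBUFF + 2048];
    static const char prefix[] = "HTTP/1.1 200 OK\r\nX-Pad: ";
    struct fake_conn c = { big, sizeof big, 0 };
    char buf[FILEBUFF];
    int rc;

    memset(big, 'A', sizeof big);
    memcpy(big, prefix, sizeof(prefix) - 1);
    rc = read_http_headers(&c, buf, sizeof buf);
    *consumed = c.pos;
    return rc;
}

/* Constructed response cut off before the blank line that ends the headers. */
int demo_truncated(void)
{
    static const char resp[] = "HTTP/1.1 200 OK\r\nServer: x";
    struct fake_conn c = { (const unsigned char *)resp, sizeof(resp) - 1, 0 };
    char buf[FILEBUFF];
    return read_http_headers(&c, buf, sizeof buf);
}

int main(void)
{
    size_t n;
    printf("normal:    %d\n", demo_normal());
    printf("oversized: %d after %zu bytes\n", demo_oversized(&n), n);
    printf("truncated: %d\n", demo_truncated());
    return 0;
}
```

The point of the oversized case is that the reader stops after exactly FILEBUFF - 1 bytes and reports an error, whereas the original loop would keep calling recv() and writing beyond the end of buffer for as long as the server keeps sending bytes without a blank line.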