| Summary: | clamav new security issues CVE-2017-6418, CVE-2017-6420 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | cjw, geiger.david68210, lewyssmith, luis.daniel.lucio, mageia, marja11, olav, pterjan, sysadmin-bugs, wilcal.int |
| Version: | 6 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5TOO advisory MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | clamav-0.99.2-2.mga6.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 21556 | | |
| Bug Blocks: | | | |
|
Description
David Walser
2017-08-17 22:47:45 CEST
David Walser
2017-08-17 22:47:55 CEST
Whiteboard:
(none) =>
MGA6TOO, MGA5TOO

It looks like we're also affected by CVE-2017-11423:
https://usn.ubuntu.com/usn/usn-3394-1/
David Walser
2017-08-18 02:15:52 CEST
Depends on:
(none) =>
21556

Assigning to all packagers collectively, since there is no registered maintainer for this package. CC'ing some committers.

CC:
(none) =>
cjw, geiger.david68210, luis.daniel.lucio, mageia, marja11, olav, pterjan

CVE-2017-6418 is now fixed on svn

we don't bundle libmspack so we are not affected by CVE-2017-6419

Summary:
clamav new security issues CVE-2017-6418, CVE-2017-6419, CVE-2017-6420 =>
clamav new security issues CVE-2017-6418, CVE-2017-6420

this is now fixed and pushed in updates_testing
src.rpm:
clamav-0.99.2-2.2.mga6
clamav-0.99.2-1.1.mga5

Here's an advisory for whenever we can get this to build.

Advisory:
========================

Updated clamav packages fix security vulnerabilities:

It was discovered that ClamAV incorrectly handled parsing certain e-mail messages. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service (CVE-2017-6418).

It was discovered that ClamAV incorrectly handled parsing certain PE files with WWPack compression. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service (CVE-2017-6420).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6420
https://usn.ubuntu.com/usn/usn-3393-1/

Advisory on Comment 6.

Updated packages in core/updates_testing:
========================
clamav-0.99.2-1.1.mga5
clamd-0.99.2-1.1.mga5
clamav-milter-0.99.2-1.1.mga5
clamav-db-0.99.2-1.1.mga5
libclamav7-0.99.2-1.1.mga5
libclamav-devel-0.99.2-1.1.mga5
clamav-0.99.2-2.2.mga6
clamd-0.99.2-2.2.mga6
clamav-milter-0.99.2-2.2.mga6
clamav-db-0.99.2-2.2.mga6
libclamav7-0.99.2-2.2.mga6
libclamav-devel-0.99.2-2.2.mga6

from SRPMS:
clamav-0.99.2-1.1.mga5.src.rpm
clamav-0.99.2-2.2.mga6.src.rpm

Whiteboard:
MGA6TOO, MGA5TOO =>
MGA5TOO

Advisoried from comments 6 & 7.

Whiteboard:
MGA5TOO =>
MGA5TOO advisory

In VirtualBox, M5.1, KDE, 32-bit

Package(s) under test:
clamav clamav-db libclamav7

install clamav clamav-db & libclamav6

[root@localhost wilcal]# urpmi clamav
Package clamav-0.99.2-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.99.2-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.99.2-1.mga5.i586 is already installed

Update with freshclam ( takes awhile )
[root@localhost wilcal]# freshclam

check clamav files:
[root@localhost wilcal]# ls -al /var/lib/clamav
total 156228
drwxrwxr-x 3 clamav clamav 4096 Aug 20 11:07 ./
drwxr-xr-x 44 root root 4096 Aug 20 10:55 ../
-rw-r--r-- 1 clamav clamav 146041 Aug 20 11:04 bytecode.cvd
-rw-r--r-- 1 clamav clamav 41910918 Aug 20 11:04 daily.cvd
-rw-r--r-- 1 clamav clamav 117892267 Aug 20 10:58 main.cvd
-rw------- 1 clamav clamav 468 Aug 20 11:07 mirrors.dat
drwxr-xr-x 2 clamav clamav 4096 Nov 18 2016 tmp/

scan /etc
[root@localhost wilcal]# clamscan -r -i /etc
----------- SCAN SUMMARY -----------
Known viruses: 6303059
Engine version: 0.99.2
Scanned directories: 464
Scanned files: 1810
Infected files: 0
Data scanned: 41.74 MB
Data read: 22.18 MB (ratio 1.88:1)
Time: 24.222 sec (0 m 24 s)
clamscan successful

install clamav clamav-db & libclamav6 from updates_testing

[root@localhost wilcal]# urpmi clamav
Package clamav-0.99.2-1.1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.99.2-1.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.99.2-1.1.mga5.i586 is already installed

No need to update ( freshclam ) clamav db

scan /var
[root@localhost wilcal]# clamscan -r -i /var
----------- SCAN SUMMARY -----------
Known viruses: 6303059
Engine version: 0.99.2
Scanned directories: 274
Scanned files: 347
Infected files: 0
Data scanned: 361.39 MB
Data read: 516.86 MB (ratio 0.70:1)
Time: 66.266 sec (1 m 6 s)
clamscan successful

Whiteboard:
MGA5TOO advisory =>
MGA5TOO advisory MGA5-32-OK

In VirtualBox, M5.1, KDE, 64-bit

Package(s) under test:
clamav clamav-db lib64clamav7

install clamav clamav-db & lib64clamav7

[root@localhost wilcal]# urpmi clamav
Package clamav-0.99.2-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.99.2-1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lib64clamav7
Package lib64clamav7-0.99.2-1.mga5.x86_64 is already installed

Update with freshclam ( takes awhile )
[root@localhost wilcal]# freshclam

check clamav files:
[root@localhost wilcal]# ls -al /var/lib/clamav
total 156224
drwxrwxr-x 3 clamav clamav 4096 Aug 20 12:00 ./
drwxr-xr-x 44 root root 4096 Aug 20 11:38 ../
-rw-r--r-- 1 clamav clamav 146041 Aug 20 12:00 bytecode.cvd
-rw-r--r-- 1 clamav clamav 41910918 Aug 20 12:00 daily.cvd
-rw-r--r-- 1 clamav clamav 117892267 Aug 20 11:54 main.cvd
-rw------- 1 clamav clamav 312 Aug 20 12:00 mirrors.dat
drwxr-xr-x 2 clamav clamav 4096 Nov 18 2016 tmp/

scan /etc
[root@localhost wilcal]# clamscan -r -i /etc
----------- SCAN SUMMARY -----------
Known viruses: 6303059
Engine version: 0.99.2
Scanned directories: 464
Scanned files: 1810
Infected files: 0
Data scanned: 41.75 MB
Data read: 22.18 MB (ratio 1.88:1)
Time: 19.250 sec (0 m 19 s)
clamscan successful

install clamav clamav-db & lib64clamav7 from updates_testing

[root@localhost wilcal]# urpmi clamav
Package clamav-0.99.2-1.1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.99.2-1.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi lib64clamav7
Package lib64clamav7-0.99.2-1.1.mga5.x86_64 is already installed

No need to update ( freshclam ) clamav db

scan /var
[root@localhost wilcal]# clamscan -r -i /var
----------- SCAN SUMMARY -----------
Known viruses: 6303059
Engine version: 0.99.2
Scanned directories: 269
Scanned files: 341
Infected files: 0
Data scanned: 340.98 MB
Data read: 495.95 MB (ratio 0.69:1)
Time: 48.299 sec (0 m 48 s)
clamscan successful

Whiteboard:
MGA5TOO advisory MGA5-32-OK =>
MGA5TOO advisory MGA5-32-OK MGA5-64-OK

In VirtualBox, M6, Plasma, 32-bit

Package(s) under test:
clamav clamav-db libclamav7

install clamav clamav-db & libclamav6 from updates_testing

[root@localhost wilcal]# urpmi clamav
Package clamav-0.99.2-2.2.mga6.i586 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.99.2-2.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.99.2-2.2.mga6.noarch is already installed

Update with freshclam ( takes awhile )
[root@localhost wilcal]# freshclam

[root@localhost wilcal]# ls -al /var/lib/clamav
Total 341388
drwxrwxr-x 3 clamav clamav 4096 Aug 20 14:05 ./
drwxr-xr-x 49 root root 4096 Aug 20 14:13 ../
-rw-r--r-- 1 clamav clamav 146041 Aug 20 14:03 bytecode.cvd
-rw-r--r-- 1 clamav clamav 41910919 Aug 20 14:03 daily.cvd
-rw-r--r-- 1 clamav clamav 307499008 Aug 20 14:01 main.cld
-rw------- 1 clamav clamav 468 Aug 20 14:05 mirrors.dat
drwxr-xr-x 2 clamav clamav 4096 Aug 19 13:05 tmp/

[root@localhost wilcal]# clamscan -r -i /etc
----------- SCAN SUMMARY -----------
Known viruses: 6303059
Engine version: 0.99.2
Scanned directories: 482
Scanned files: 1950
Infected files: 0
Data scanned: 45.22 MB
Data read: 23.95 MB (ratio 1.89:1)
Time: 19.962 sec (0 m 19 s)

[root@localhost wilcal]# clamscan -r -i /var
----------- SCAN SUMMARY -----------
Known viruses: 6303059
Engine version: 0.99.2
Scanned directories: 224
Scanned files: 302
Infected files: 0
Data scanned: 335.44 MB
Data read: 816.19 MB (ratio 0.41:1)
Time: 47.277 sec (0 m 47 s)
clamscan successful

I had a problem getting clamav-0.99.2-2.2 to recognize a previously installed database. Simply installing from the updates_testing to start with worked fine.
William Kenney
2017-08-20 23:19:48 CEST
Whiteboard:
MGA5TOO advisory MGA5-32-OK MGA5-64-OK =>
MGA5TOO advisory MGA5-32-OK MGA5-64-OK MGA6-32-OK

In VirtualBox, M6, KDE, 64-bit

Package(s) under test:
clamav clamav-db lib64clamav7

install clamav clamav-db & lib64clamav7 from updates_testing

[root@localhost wilcal]# urpmi clamav
Package clamav-0.99.2-2.2.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.99.2-2.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi lib64clamav7
Package lib64clamav7-0.99.2-2.2.mga6.x86_64 is already installed

Update with freshclam ( takes awhile )
[root@localhost wilcal]# freshclam
[root@localhost wilcal]# freshclam
ClamAV update process started at Sun Aug 20 14:48:02 2017
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cvd is up to date (version: 23688, sigs: 1742430, f-level: 63, builder: neo)
bytecode.cvd is up to date (version: 309, sigs: 69, f-level: 63, builder: bbaker)

check clamav files:
[root@localhost wilcal]# ls -al /var/lib/clamav
total 341384
drwxrwxr-x 3 clamav clamav 4096 Aug 20 14:48 ./
drwxr-xr-x 51 root root 4096 Aug 20 14:32 ../
-rw-r--r-- 1 clamav clamav 146041 Aug 20 14:36 bytecode.cvd
-rw-r--r-- 1 clamav clamav 41910919 Aug 20 14:36 daily.cvd
-rw-r--r-- 1 clamav clamav 307499008 Aug 20 14:34 main.cld
-rw------- 1 clamav clamav 260 Aug 20 14:48 mirrors.dat
drwxr-xr-x 2 clamav clamav 4096 Aug 19 13:05 tmp/

scan /etc
[root@localhost wilcal]# clamscan -r -i /etc
----------- SCAN SUMMARY -----------
Known viruses: 6303059
Engine version: 0.99.2
Scanned directories: 488
Scanned files: 2024
Infected files: 0
Data scanned: 50.72 MB
Data read: 27.49 MB (ratio 1.85:1)
Time: 23.321 sec (0 m 23 s)
clamscan successful

scan /var
[root@localhost wilcal]# clamscan -r -i /var
----------- SCAN SUMMARY -----------
Known viruses: 6303059
Engine version: 0.99.2
Scanned directories: 242
Scanned files: 348
Infected files: 0
Data scanned: 426.21 MB
Data read: 712.45 MB (ratio 0.60:1)
Time: 49.692 sec (0 m 49 s)
clamscan successful
William Kenney
2017-08-20 23:55:07 CEST
Whiteboard:
MGA5TOO advisory MGA5-32-OK MGA5-64-OK MGA6-32-OK =>
MGA5TOO advisory MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK

I'm going to validate this in 24 hours unless someone finds something.
Lewis Smith
2017-08-21 20:04:49 CEST
CC:
(none) =>
sysadmin-bugs

An update for this issue has been pushed to the Mageia Updates repository.
http://advisories.mageia.org/MGASA-2017-0291.html

Resolution:
(none) =>
FIXED |
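
A version check against the fixed builds named in this report, as an added example that is not part of the original bug thread. The function names are hypothetical, the sample package strings are copied from the thread, and `sort -V` is assumed to order these numeric version-release strings the same way rpm does.

```shell
#!/bin/sh
# Added example: classify a clamav package string as fixed or vulnerable
# using the update builds listed in this report.

# Fixed version-release per Mageia release, taken from the advisory comment.
fixed_for() {
    case "$1" in
        mga5) echo "0.99.2-1.1" ;;
        mga6) echo "0.99.2-2.2" ;;
        *)    return 1 ;;
    esac
}

# clamav_status NAME-VERSION-RELEASE[.ARCH] -> fixed | vulnerable | unknown
clamav_status() {
    nvr=${1%.src.rpm}                      # tolerate SRPM file names
    nvr=${nvr%.i586}; nvr=${nvr%.x86_64}; nvr=${nvr%.noarch}
    dist=${nvr##*.}                        # trailing dist tag, e.g. mga5
    evr=${nvr%.*}                          # name-version-release, no dist tag
    rel=${evr##*-}                         # release, e.g. 1.1
    rest=${evr%-*}
    ver=${rest##*-}                        # version, e.g. 0.99.2
    want=$(fixed_for "$dist") || { echo unknown; return; }
    have="$ver-$rel"
    # Assumption: version sort approximates rpm ordering for these strings.
    lowest=$(printf '%s\n%s\n' "$have" "$want" | sort -V | head -n 1)
    if [ "$lowest" = "$want" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Sample inputs as they appear in the urpmi output quoted in the thread.
for pkg in clamav-0.99.2-1.mga5.i586 \
           clamav-0.99.2-1.1.mga5.i586 \
           lib64clamav7-0.99.2-2.2.mga6.x86_64 \
           clamav-0.99.2-2.mga6.src.rpm; do
    printf '%-40s %s\n' "$pkg" "$(clamav_status "$pkg")"
done
```

On an installed system the input string can come from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' clamav`.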