| Summary: | clamav new security issues CVE-2018-036[01] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | marja11, nicolas.salguero, smelror, sysadmin-bugs, wilcal.int |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | clamav-0.99.4-1.mga7.src.rpm | CVE: | CVE-2018-0360, CVE-2018-0361 |
| Status comment: | |||
Description
David Walser
2018-07-17 16:16:25 CEST
David Walser
2018-07-17 16:16:45 CEST
CC:
(none) =>
smelror

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee:
bugsquad =>
pkg-bugs

Suggested advisory:
========================

The updated packages fix security issues:

ClamAV before 0.100.1 has an HWP integer overflow with a resultant infinite loop via a crafted Hangul Word Processor file. This is in parsehwp3_paragraph() in libclamav/hwp.c. (CVE-2018-0360)

ClamAV before 0.100.1 lacks a PDF object length check, resulting in an unreasonably long time to parse a relatively small file. (CVE-2018-0361)

References:
========================

https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.101/NEWS.md
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0360
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0361

Updated packages in core/updates_testing:
========================

clamav-0.100.1-1.mga6
clamd-0.100.1-1.mga6
clamav-milter-0.100.1-1.mga6
clamav-db-0.100.1-1.mga6
lib(64)clamav7-0.100.1-1.mga6
lib(64)clamav-devel-0.100.1-1.mga6

from SRPMS:
clamav-0.100.1-1.mga6.src.rpm

Version:
Cauldron =>
6

In VirtualBox, M6, Mate, 64-bit

Package(s) under test:
clamav clamav-db libclamav7

install clamav clamav-db & libclamav7 from updates_testing

```
[root@localhost wilcal]# urpmi clamav
Package clamav-0.100.1-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.100.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.100.1-1.mga6.i586 is already installed
[root@localhost wilcal]# ls -al /var/lib/clamav
total 256564
drwxrwxr-x 3 clamav clamav 4096 Jul 19 15:54 ./
drwxr-xr-x 47 root root 4096 Jul 19 15:50 ../
-rw-r--r-- 1 clamav clamav 187098 Jul 19 15:54 bytecode.cvd
-rw-r--r-- 1 clamav clamav 144614400 Jul 19 15:54 daily.cld
-rw-r--r-- 1 clamav clamav 117892267 Jan 31 03:52 main.cvd
-rw------- 1 clamav clamav 52 Jul 19 15:54 mirrors.dat
drwxr-xr-x 2 clamav clamav 4096 Jul 19 03:25 tmp/
```

scan /var

```
[wilcal@localhost ~]$ clamscan -r -i /var

----------- SCAN SUMMARY -----------
Known viruses: 6579091
Engine version: 0.100.1
Scanned directories: 207
Scanned files: 296
Infected files: 0
Total errors: 130
Data scanned: 465.76 MB
Data read: 893.10 MB (ratio 0.52:1)
Time: 64.587 sec (1 m 4 s)
```

clamscan successful

CC:
(none) =>
wilcal.int
William Kenney
2018-07-20 01:00:11 CEST
Whiteboard:
(none) =>
MGA6-64-OK

In VirtualBox, M6, Mate, 32-bit

Package(s) under test:
clamav clamav-db libclamav7

install clamav clamav-db & libclamav7 from updates_testing

```
[root@localhost wilcal]# urpmi clamav
Package clamav-0.100.1-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.100.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.100.1-1.mga6.i586 is already installed
[wilcal@localhost ~]$ ls -al /var/lib/clamav
total 162616
drwxrwxr-x 3 clamav clamav 4096 Jul 19 16:27 ./
drwxr-xr-x 47 root root 4096 Jul 19 16:27 ../
-rw-r--r-- 1 clamav clamav 48604036 Jul 19 01:15 daily.cvd
-rw-r--r-- 1 clamav clamav 117892267 Jan 31 03:52 main.cvd
drwxr-xr-x 2 clamav clamav 4096 Jul 19 03:25 tmp/
```

scan /var

```
[wilcal@localhost ~]$ clamscan -r -i /var

----------- SCAN SUMMARY -----------
Known viruses: 6578108
Engine version: 0.100.1
Scanned directories: 214
Scanned files: 264
Infected files: 0
Total errors: 70
Data scanned: 390.30 MB
Data read: 754.88 MB (ratio 0.52:1)
Time: 39.977 sec (0 m 39 s)
```

clamscan successful
William Kenney
2018-07-20 01:41:21 CEST
Whiteboard:
MGA6-64-OK =>
MGA6-32-OK MGA6-64-OK
William Kenney
2018-07-20 01:41:36 CEST
Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0317.html

Status:
ASSIGNED =>
RESOLVED