Bug 23683

Summary: clamav new security issue CVE-2018-15378
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: geiger.david68210, guillomovitch, marja11, nicolas.salguero, smelror, sysadmin-bugs, tmb, wilcal.int
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK MGA6-64-OK
Source RPM: clamav-0.100.1-1.mga6.src.rpm CVE: CVE-2018-15378
Status comment:

Description David Walser 2018-10-13 00:49:22 CEST 
Ubuntu has issued an advisory on October 11:
https://usn.ubuntu.com/3789-1/

The issue is fixed upstream in 0.100.2.

Mageia 6 is also affected.
David Walser 2018-10-13 00:49:29 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-10-13 08:44:00 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, guillomovitch, marja11, nicolas.salguero, smelror, tmb

Comment 2 Nicolas Salguero 2018-10-15 11:39:52 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Vulnerability in ClamAV's MEW unpacking feature that could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) condition on an affected device. (CVE-2018-15378)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15378
https://usn.ubuntu.com/3789-1/
========================

Updated packages in core/updates_testing:
========================
clamav-0.100.2-1.mga6
clamd-0.100.2-1.mga6
clamav-milter-0.100.2-1.mga6
clamav-db-0.100.2-1.mga6
lib(64)clamav7-0.100.2-1.mga6
lib(64)clamav-devel-0.100.2-1.mga6

from SRPMS:
clamav-0.100.2-1.mga6.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2018-15378
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO => (none)
Source RPM: clamav-0.100.1-3.mga7.src.rpm => clamav-0.100.1-1.mga6.src.rpm

Comment 3 David Walser 2018-10-16 00:30:57 CEST 
Fedora has issued an advisory for this on October 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2J2QOUQ6ZB3M6OGTBQRV6TJALQTF4JGD/
Comment 4 William Kenney 2018-10-18 20:10:34 CEST 
In VirtualBox, M6, Mate, 64-bit

Package(s) under test:
clamav clamav-db libclamav7

install clamav clamav-db & libclamav7

The following 3 packages are going to be installed:

- clamav-0.100.1-1.mga6.x86_64
- clamav-db-0.100.1-1.mga6.noarch
- lib64clamav7-0.100.1-1.mga6.x86_64

run freshclam in an su terminal

[root@localhost wilcal]# urpmi clamav
Package clamav-0.100.1-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.100.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.100.1-1.mga6.i586 is already installed

[root@localhost wilcal]# ls -al /var/lib/clamav
total 165596
drwxrwxr-x  3 clamav clamav      4096 Oct 18 10:39 ./
drwxr-xr-x 47 root   root        4096 Oct 18 10:38 ../
-rw-r--r--  1 clamav clamav    187426 Oct 18 10:39 bytecode.cvd
-rw-r--r--  1 clamav clamav  51464298 Oct 18 10:39 daily.cvd
-rw-r--r--  1 clamav clamav 117892267 Jan 31  2018 main.cvd
-rw-------  1 clamav clamav       312 Oct 18 10:39 mirrors.dat
drwxr-xr-x  2 clamav clamav      4096 Jul 19 03:25 tmp/

scan /var

[root@localhost wilcal]# clamscan -r -i /var

----------- SCAN SUMMARY -----------
Known viruses: 6685418
Engine version: 0.100.1
Scanned directories: 260
Scanned files: 475
Infected files: 0
Data scanned: 1172.91 MB
Data read: 938.30 MB (ratio 1.25:1)
Time: 168.759 sec (2 m 48 s)

clamscan successful

install clamav clamav-db & libclamav7 from updates_testing

[root@localhost wilcal]# urpmi clamav
Package clamav-0.100.2-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.100.2-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.100.2-1.mga6.i586 is already installed

scan /etc

[root@localhost wilcal]# clamscan -r -i /etc

----------- SCAN SUMMARY -----------
Known viruses: 6685418
Engine version: 0.100.2
Scanned directories: 467
Scanned files: 1777
Infected files: 0
Data scanned: 43.63 MB
Data read: 23.10 MB (ratio 1.89:1)
Time: 30.885 sec (0 m 30 s)

clamscan successful

CC: (none) => wilcal.int

Comment 5 William Kenney 2018-10-18 20:36:10 CEST 
In VirtualBox, M6, Mate, 32-bit

Package(s) under test:
clamav clamav-db libclamav7

install clamav clamav-db & libclamav7

The following 3 packages are going to be installed:

- clamav-0.100.1-1.mga6.i586
- clamav-db-0.100.1-1.mga6.noarch
- libclamav7-0.100.1-1.mga6.i586

run freshclam in an su terminal

[root@localhost wilcal]# urpmi clamav
Package clamav-0.100.1-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.100.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.100.1-1.mga6.i586 is already installed

[root@localhost wilcal]# ls -al /var/lib/clamav
total 165596
drwxrwxr-x  3 clamav clamav      4096 Oct 18 11:17 ./
drwxr-xr-x 47 root   root        4096 Oct 18 11:14 ../
-rw-r--r--  1 clamav clamav    187426 Oct 18 11:17 bytecode.cvd
-rw-r--r--  1 clamav clamav  51464298 Oct 18 11:16 daily.cvd
-rw-r--r--  1 clamav clamav 117892267 Jan 31  2018 main.cvd
-rw-------  1 clamav clamav       312 Oct 18 11:17 mirrors.dat
drwxr-xr-x  2 clamav clamav      4096 Jul 19 03:25 tmp/

scan /var

[root@localhost wilcal]# clamscan -r -i /var

----------- SCAN SUMMARY -----------
Known viruses: 6685418
Engine version: 0.100.1
Scanned directories: 258
Scanned files: 361
Infected files: 0
Data scanned: 1078.70 MB
Data read: 895.61 MB (ratio 1.20:1)
Time: 211.807 sec (3 m 31 s)

clamscan successful

install clamav clamav-db & libclamav7 from updates_testing

The following 3 packages are going to be installed:

- clamav-0.100.2-1.mga6.i586
- clamav-db-0.100.2-1.mga6.noarch
- libclamav7-0.100.2-1.mga6.i586

[root@localhost wilcal]# urpmi clamav
Package clamav-0.100.2-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.100.2-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.100.2-1.mga6.i586 is already installed

scan /etc

[root@localhost wilcal]# clamscan -r -i /etc

----------- SCAN SUMMARY -----------
Known viruses: 6685418
Engine version: 0.100.2
Scanned directories: 467
Scanned files: 1774
Infected files: 0
Data scanned: 43.60 MB
Data read: 23.08 MB (ratio 1.89:1)
Time: 28.690 sec (0 m 28 s)

clamscan successful
William Kenney 2018-10-18 20:36:34 CEST

Whiteboard: (none) => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Thomas Backlund 2018-10-19 18:23:58 CEST

Keywords: (none) => advisory

Comment 6 Mageia Robot 2018-10-19 20:02:12 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0406.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED