Bug 25231

Summary: clamav new DoS security issue
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: brtians1, geiger.david68210, mageia, marja11, nicolas.salguero, smelror, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
See Also: https://bugs.mageia.org/show_bug.cgi?id=25647
Whiteboard: MGA7-32-OK
Source RPM: clamav-0.100.3-1.mga7.src.rpm, c-icap-modules-extra-0.5.2-1.mga7.src.rpm, ecap-clamav-2.0.0-3.mga7.src.rpm CVE: CVE-2019-12900, CVE-2019-12625
Status comment:

Description David Walser 2019-08-06 13:09:56 CEST 
Upstream has released version 0.101.3 on August 5:
https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html

There are more details here:
https://www.openwall.com/lists/oss-security/2019/08/06/3

It sounds like the issue isn't really fixed yet, but we'll want to update this at some point.
Comment 1 Marja Van Waes 2019-08-06 19:01:16 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing three committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, marja11, nicolas.salguero, smelror

Comment 2 David Walser 2019-10-31 04:51:55 CET 
Upstream has released version 0.101.4 on August 21:
https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

It fixes CVE-2019-12625 and CVE-2019-12900 (the latter in bundled bzip2 code).

Severity: normal => major

Comment 3 David Walser 2019-10-31 04:52:22 CET 
Ubuntu has issued an advisory for the latter issues on October 2:
https://usn.ubuntu.com/4146-1/
David Walser 2019-11-01 14:19:40 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=25647

Comment 4 Nicolas Salguero 2019-11-08 13:04:06 CET 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. (CVE-2019-12900)

ClamAV versions prior to 0.101.3 are susceptible to a zip bomb vulnerability where an unauthenticated attacker can cause a denial of service condition by sending crafted messages to an affected system. (CVE-2019-12625)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12625
https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html
https://www.openwall.com/lists/oss-security/2019/08/06/3
https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
https://usn.ubuntu.com/4146-1/
========================

Updated packages in core/updates_testing:
========================
clamav-0.101.4-1.mga7
clamd-0.101.4-1.mga7
clamav-milter-0.101.4-1.mga7
clamav-db-0.101.4-1.mga7
lib(64)clamav9-0.101.4-1.mga7
lib(64)clamav-devel-0.101.4-1.mga7
c-icap-modules-extra-0.5.3-1.mga7
ecap-clamav-2.0.0-3.1.mga7

from SRPMS:
clamav-0.101.4-1.mga7.src.rpm
c-icap-modules-extra-0.5.3-1.mga7.src.rpm
ecap-clamav-2.0.0-3.1.mga7.src.rpm

Source RPM: clamav-0.100.3-1.mga7.src.rpm => clamav-0.100.3-1.mga7.src.rpm, c-icap-modules-extra-0.5.2-1.mga7.src.rpm, ecap-clamav-2.0.0-3.mga7.src.rpm
Assignee: pkg-bugs => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2019-12900, CVE-2019-12625
Version: Cauldron => 7

Comment 5 Brian Rockwell 2019-11-10 01:16:28 CET 
$ uname -a
Linux localhost 5.3.7-desktop-4.mga7 #1 SMP Thu Oct 24 22:00:55 UTC 2019 i686 i686 i386 GNU/Linux



The following 18 packages are going to be installed:

- apache-2.4.39-1.mga7.i586
- c-icap-modules-0.5.5-1.mga7.i586
- c-icap-modules-extra-0.5.3-1.mga7.i586
- c-icap-server-0.5.5-1.mga7.i586
- clamav-0.101.4-1.mga7.i586
- clamav-db-0.101.4-1.mga7.noarch
- ecap-clamav-2.0.0-3.1.mga7.i586
- glibc-2.29-17.mga7.i586
- libapr-util1_0-1.6.1-3.mga7.i586
- libapr1_0-1.7.0-1.mga7.i586
- libbrotlienc1-1.0.7-2.mga7.i586
- libc-icap0-0.5.5-1.mga7.i586
- libclamav9-0.101.4-1.mga7.i586
- libecap3-1.0.1-3.mga7.i586
- perl-Crypt-OpenSSL-X509-1.812.0-1.mga7.i586
- perl-DBI-1.642.0-1.mga7.i586
- squid-4.8-1.1.mga7.i586
- webserver-base-2.0-12.mga7.noarch

---

$ clamscan -V
ClamAV 0.101.4/25626/Thu Nov  7 03:50:48 2019


performed freshclam as root.
performed a recursive scan.

All worked.

CC: (none) => brtians1
Whiteboard: (none) => MGA7-32-OK

Comment 6 Nicolas Salguero 2019-11-13 13:22:25 CET 
When clamav 0.100.3 was already installed, there was a file conflict (see https://ml.mageia.org/l/arc/qa-discuss/2019-11/msg00010.html):
"""
Installation failed:    file /usr/lib64/libclammspack.so.0.1.0 from install of lib64clamav9-0.101.4-1.mga7.x86_64 conflicts with file from package lib64clamav7-0.100.3-1.mga7.x86_64
"""
clamav-0.101.4-1.1.mga7 solves that issue.

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. (CVE-2019-12900)

ClamAV versions prior to 0.101.3 are susceptible to a zip bomb vulnerability where an unauthenticated attacker can cause a denial of service condition by sending crafted messages to an affected system. (CVE-2019-12625)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12625
https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html
https://www.openwall.com/lists/oss-security/2019/08/06/3
https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
https://usn.ubuntu.com/4146-1/
========================

Updated packages in core/updates_testing:
========================
clamav-0.101.4-1.1.mga7
clamd-0.101.4-1.1.mga7
clamav-milter-0.101.4-1.1.mga7
clamav-db-0.101.4-1.1.mga7
lib(64)clamav9-0.101.4-1.1.mga7
lib(64)clamav-devel-0.101.4-1.1.mga7
c-icap-modules-extra-0.5.3-1.mga7
ecap-clamav-2.0.0-3.1.mga7

from SRPMS:
clamav-0.101.4-1.1.mga7.src.rpm
c-icap-modules-extra-0.5.3-1.mga7.src.rpm
ecap-clamav-2.0.0-3.1.mga7.src.rpm
Comment 7 PC LX 2019-11-15 16:55:49 CET 
Installed and tested but does NOT seem OK to me.


System: Mageia 7, x86_64, Intel CPU.


I have installed clamav on a x86_64 system, update the malware signatures database by running freshclam as root, and run a clamscan on a user's home directory. The update took a few minutes but finished without any warnings or errors messages. The scan is now approaching 5 hours of CPU time. During much of that time one CPU core has been at 100%. It has read 16 GiB of data of a total of 45 GiB, mostly steam games. It is also using a bit more than 800 MiB of RAM.

I have no idea why is it taking so long or why does it need so much CPU time and RAM. I don't usually have clamav installed so I can't compare to previous behaviour. Still I have tested it in the past and I don't remember this behaviour. Seem abnormal to me.



$ uname -a
Linux marte 5.3.11-desktop-1.mga7 #1 SMP Tue Nov 12 21:10:01 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ time clamscan --infected --bell --recursive . 
^C

real    305m32,723s
user    294m25,160s
sys     5m12,474s

CC: (none) => mageia

Thomas Backlund 2019-11-19 19:28:05 CET

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 8 Mageia Robot 2019-11-19 22:18:46 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0328.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED