Bug 25754

Summary: clamav new security issue CVE-2019-15961
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: clamav-0.101.4-1.2.mga7 CVE: CVE-2019-15961
Status comment:

Description Nicolas Salguero 2019-11-26 17:01:28 CET 
Upstream has released version 0.101.5 on November 20:
https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html
Nicolas Salguero 2019-11-26 17:01:44 CET

Source RPM: (none) => clamav-0.101.4-1.2.mga7
Assignee: bugsquad => nicolas.salguero
CVE: (none) => CVE-2019-15961

Nicolas Salguero 2019-11-26 17:02:00 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Salguero 2019-11-26 17:24:14 CET 
Suggested advisory:
========================

The updated packages fix a problem in the configuration of clamav-daemon.socket that leads to freshclam and amavis complaining about not being able to access clamd socket and also fix a security vulnerability:

A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. (CVE-2019-15961)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961
https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html
https://bugs.mageia.org/show_bug.cgi?id=25096
========================

Updated packages in core/updates_testing:
========================
clamav-0.101.5-1.mga7
clamd-0.101.5-1.mga7
clamav-milter-0.101.5-1.mga7
clamav-db-0.101.5-1.mga7
lib(64)clamav9-0.101.5-1.mga7
lib(64)clamav-devel-0.101.5-1.mga7

from SRPMS:
clamav-0.101.5-1.mga7.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 7
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 2 Brian Rockwell 2019-11-26 22:09:17 CET 
The following 7 packages are going to be installed:

- clamav-0.101.5-1.mga7.x86_64
- clamav-db-0.101.5-1.mga7.noarch
- clamav-milter-0.101.5-1.mga7.x86_64
- clamd-0.101.5-1.mga7.x86_64
- lib64clamav9-0.101.5-1.mga7.x86_64
- lib64milter1.0-8.15.2-7.mga7.x86_64
- lib64mspack0-0.10.1-0.alpha.1.mga7.x86_64


-----

ran 
#freshclam

it performed updates

# clamscan -vr

----------- SCAN SUMMARY -----------
Known viruses: 6565044
Engine version: 0.101.5
Scanned directories: 6
Scanned files: 42
Infected files: 0
Data scanned: 77.80 MB
Data read: 2293.21 MB (ratio 0.03:1)
Time: 42.517 sec (0 m 42 s)
[root@linux sf_vmshared]#

CC: (none) => brtians1
Whiteboard: (none) => MGA7-64-OK

Comment 3 Nicolas Salguero 2019-11-27 09:12:16 CET 
There are still some packaging issues (in the spec file, the systemd units have a bad name, for instance)

Assignee: qa-bugs => nicolas.salguero
Whiteboard: MGA7-64-OK => (none)

Comment 4 Nicolas Salguero 2019-11-27 10:14:44 CET 
Suggested advisory:
========================

The updated packages fix two packaging problems and a security vulnerability:

The first packaging issue, in the configuration of clamav-daemon.socket, leads to freshclam and amavis complaining about not being able to access clamd socket.

The second packaging issue, in the names of systemd services, leads to warnigs at the installation/update of clamav and clamd.

A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. (CVE-2019-15961)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961
https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html
https://bugs.mageia.org/show_bug.cgi?id=25096
========================

Updated packages in core/updates_testing:
========================
clamav-0.101.5-1.1.mga7
clamd-0.101.5-1.1.mga7
clamav-milter-0.101.5-1.1.mga7
clamav-db-0.101.5-1.1.mga7
lib(64)clamav9-0.101.5-1.1.mga7
lib(64)clamav-devel-0.101.5-1.1.mga7

from SRPMS:
clamav-0.101.5-1.1.mga7.src.rpm

Assignee: nicolas.salguero => qa-bugs

Comment 5 Thomas Andrews 2019-12-05 23:34:10 CET 
Installed current clamav, clamav-milter, and dependencies, then used the qarepo tool to get the updates:

The following 5 packages are going to be installed:

- clamav-0.101.5-1.1.mga7.x86_64
- clamav-db-0.101.5-1.1.mga7.noarch
- clamav-milter-0.101.5-1.1.mga7.x86_64
- clamd-0.101.5-1.1.mga7.x86_64
- lib64clamav9-0.101.5-1.1.mga7.x86_64

All packages installed cleanly.

Repeating Brian's test with the newer packages:

#freshclam

Clamav updated the database, telling me that this version is outdated, and recommending version 0.102.1.

# clamscan -vr

----------- SCAN SUMMARY -----------
Known viruses: 6584683
Engine version: 0.101.5
Scanned directories: 40
Scanned files: 54
Infected files: 0
Data scanned: 13.29 MB
Data read: 4.71 MB (ratio 2.82:1)
Time: 10.374 sec (0 m 10 s)

Seems to work. Restoring the OK and validating. Advisory in Comment 4.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-12-06 14:12:39 CET

Keywords: (none) => advisory
CC: (none) => tmb

Comment 6 Mageia Robot 2019-12-06 15:17:21 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0361.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED