| Summary: | clamav new security issues CVE-2023-20032 and CVE-2023-20052 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | psyca <linux> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | clamav-0.103.7-1.mga8.src.rpm | CVE: | CVE-2023-20032, CVE-2023-20052 |
| Status comment: | |||
Description
psyca
2023-02-16 14:36:48 CET
psyca
2023-02-16 14:39:22 CET
Whiteboard:
(none) =>
MGA8TOO

For MGA8 - Update to 0.103.8

Thank you for the helpful report. ns80 did version 1.0.0, so assigning to you for this update.

Summary:
ClamAV update (CVE bugfix) - MGA9 / MGA8 =>
ClamAV update (CVE-2023-20032, CVE-2023-20052 bugfix) - MGA9 / MGA8
David Walser
2023-02-16 20:31:00 CET
QA Contact:
(none) =>
security
David Walser
2023-02-16 20:59:02 CET
Status comment:
(none) =>
Fixed upstream in 0.103.8 and 1.0.1

Suggested advisory:

========================

The updated packages fix security vulnerabilities:

A possible remote code execution vulnerability in the HFS+ file parser. (CVE-2023-20032)

A possible remote information leak vulnerability in the DMG file parser. (CVE-2023-20052)

References:

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20032
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20052
- https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

========================

Updated packages in core/updates_testing:

========================

- clamav-0.103.8-1.mga8
- clamav-db-0.103.8-1.mga8
- clamav-milter-0.103.8-1.mga8
- clamd-0.103.8-1.mga8
- lib(64)clamav9-0.103.8-1.mga8
- lib(64)clamav-devel-0.103.8-1.mga8

from SRPM:

clamav-0.103.8-1.mga8.src.rpm

Version:
Cauldron =>
8

MGA8-64 MATE on Acer Aspire 5253.

No installation issues.

Ref bug 29663 for tests

```
# freshclam
Current working dir is /var/lib/clamav/
Can't open freshclam.dat in /var/lib/clamav
It probably doesn't exist yet. That's ok.
Failed to load freshclam.dat; will create a new freshclam.dat
Creating new freshclam.dat
Saved freshclam.dat
ClamAV update process started at Tue Feb 21 15:25:00 2023
Current working dir is /var/lib/clamav/
Querying current.cvd.clamav.net
TTL: 1800
fc_dns_query_update_info: Software version from DNS: 0.103.8
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of daily found: daily.cvd.
query_remote_database_version: daily.cvd version from DNS: 26819
daily database available for update (local version: 26814, remote version: 26819)
Current database is 5 versions behind.
Downloading database patch # 26815...
```

and then a long list of retrieval actions..... and at the end

```
Testing database: '/var/lib/clamav/tmp.38567d1b46/clamav-b7fae270c79844e83749178298cd0e5e.tmp-bytecode.cvd' ...
Loading signatures from /var/lib/clamav/tmp.38567d1b46/clamav-b7fae270c79844e83749178298cd0e5e.tmp-bytecode.cvd
Properly loaded 92 signatures from /var/lib/clamav/tmp.38567d1b46/clamav-b7fae270c79844e83749178298cd0e5e.tmp-bytecode.cvd
Database test passed.
bytecode.cvd updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)
fc_update_database: bytecode.cvd updated.
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/lib/clamav/clamd.socket: No such file or directory
```

That's OK since I didn't start clamd yet.

```
$ clamscan
/home/tester8/.xsession-errors.old: OK
/home/tester8/.rubberband.wisdom.d: OK
/home/tester8/.bashrc: OK
/home/tester8/myfile.css: OK
/home/tester8/.Xauthority: OK
/home/tester8/.node_repl_history: OK
/home/tester8/.screenrc: OK
/home/tester8/.bash_history: OK
```

etc.... ending

```
----------- SCAN SUMMARY -----------
Known viruses: 8653276
Engine version: 0.103.8
Scanned directories: 1
Scanned files: 31
Infected files: 0
Data scanned: 0.75 MB
Data read: 0.43 MB (ratio 1.74:1)
Time: 127.201 sec (2 m 7 s)
Start Date: 2023:02:21 15:31:49
End Date: 2023:02:21 15:33:57
```

```
# systemctl -l status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
     Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
TriggeredBy: ● clamav-daemon.socket
       Docs: man:clamd(8)
             man:clamd.conf(5)
             https://docs.clamav.net/

Feb 21 15:35:55 mach7.hviaene.thuis systemd[1]: /usr/lib/systemd/system/clamav-daemon.service:13: Standard output type syslog is obsolet>
Feb 21 15:35:56 mach7.hviaene.thuis systemd[1]: /usr/lib/systemd/system/clamav-daemon.service:13: Standard output type syslog is obsolet>
# systemctl start clamav-daemon
# systemctl -l status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
     Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2023-02-21 15:36:27 CET; 2s ago
TriggeredBy: ● clamav-daemon.socket
       Docs: man:clamd(8)
             man:clamd.conf(5)
             https://docs.clamav.net/
   Main PID: 17190 (clamd)
      Tasks: 1 (limit: 4364)
     Memory: 47.8M
        CPU: 2.511s
     CGroup: /system.slice/clamav-daemon.service
             └─17190 /usr/sbin/clamd --foreground=true

Feb 21 15:36:27 mach7.hviaene.thuis systemd[1]: Started Clam AntiVirus userspace daemon.
```

All looks OK.

Whiteboard:
(none) =>
MGA8-64-OK

Validating. Advisory in Comment 3.

Keywords:
(none) =>
validated_update
Dave Hodgins
2023-02-25 20:48:37 CET
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0068.html

Status:
ASSIGNED =>
RESOLVED