Bug 32204

Summary: clamav new security issues CVE-2023-20197 and CVE-2023-20212
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, brtians1, davidwhodgins, guillaume.royer, nicolas.salguero, richard, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8TOO MGA8-64-OK MGA9-64-OK
Source RPM: clamav-1.0.1-1.mga9.src.rpm CVE:
Status comment:

Description Nicolas Salguero 2023-08-29 16:43:30 CEST 
clamav 1.0.1 is affected by both CVEs.
clamav 0.103.8 is only affected by CVE-2023-20197.
Nicolas Salguero 2023-08-29 16:44:08 CEST

CC: (none) => nicolas.salguero
Assignee: bugsquad => nicolas.salguero
Whiteboard: (none) => MGA9TOO, MGA8TOO
Source RPM: (none) => clamav-1.0.1-1.mga9.src.rpm

Comment 1 Nicolas Salguero 2023-08-31 14:29:17 CEST 
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding. An attacker could exploit this vulnerability by submitting a crafted HFS+ filesystem image to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to stop responding, resulting in a DoS condition on the affected software and consuming available system resources. (CVE-2023-20197)

A vulnerability in the AutoIt module of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to a logic error in the memory management of an affected device. An attacker could exploit this vulnerability by submitting a crafted AutoIt file to be scanned by ClamAV on the affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to restart unexpectedly, resulting in a DoS condition. (CVE-2023-20212)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20212
========================

Updated packages in 8/core/updates_testing:
========================
clamav-0.103.10-1.mga8
clamav-db-0.103.10-1.mga8
clamav-milter-0.103.10-1.mga8
clamd-0.103.10-1.mga8
lib(64)clamav9-0.103.10-1.mga8
lib(64)clamav-devel-0.103.10-1.mga8

from SRPM:
clamav-0.103.10-1.mga8.src.rpm

Updated packages in 9/core/updates_testing:
========================
clamav-1.0.3-1.mga9
clamav-db-1.0.3-1.mga9
clamav-milter-1.0.3-1.mga9
clamd-1.0.3-1.mga9
lib(64)clamav11-1.0.3-1.mga9
lib(64)clamav-devel-1.0.3-1.mga9

from SRPM:
clamav-1.0.3-1.mga9.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 9
Whiteboard: MGA9TOO, MGA8TOO => MGA8TOO

Comment 2 Brian Rockwell 2023-09-02 22:29:00 CEST 
MGA8_64, Plasma

# uname -a
Linux localhost 5.15.120-desktop-2.mga8 #1 SMP Mon Jul 10 19:58:36 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

# urpmi clamav
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates Testing")
  clamav                         0.103.10     1.mga8        x86_64  
  clamav-db                      0.103.10     1.mga8        noarch  
  lib64clamav9                   0.103.10     1.mga8        x86_64
  
# freshclam   - worked
# clamscan -vr

----------- SCAN SUMMARY -----------
Known viruses: 8672060
Engine version: 0.103.10
Scanned directories: 7994
Scanned files: 70786
Infected files: 0
Data scanned: 21829.34 MB
Data read: 151654.97 MB (ratio 0.14:1)
Time: 1574.011 sec (26 m 14 s)
Start Date: 2023:09:02 14:57:22
End Date:   2023:09:02 15:23:36

working for me

CC: (none) => brtians1
Whiteboard: MGA8TOO => MGA8TOO MGA8-64-OK

Comment 3 Guillaume Royer 2023-09-09 16:39:58 CEST 
MGA9 Gnome 16Go ram, Intel Core I5 Apple Mac mini

Updated with QA repo and RPM:

clamav                         1.0.3        1.mga9        x86_64  
clamav-db                      1.0.3        1.mga9        noarch  
lib64clamav11                  1.0.3        1.mga9        x86_64 

# freshclam Ok
# clamscan --infected /home/xxx/

----------- SCAN SUMMARY -----------
Known viruses: 8672274
Engine version: 1.0.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 1.03 MB
Data read: 0.25 MB (ratio 4.17:1)
Time: 26.998 sec (0 m 26 s)
Start Date: 2023:09:09 16:35:56
End Date:   2023:09:09 16:36:23

Ok for me

CC: (none) => guillaume.royer

Guillaume Royer 2023-09-09 16:41:01 CEST

Whiteboard: MGA8TOO MGA8-64-OK => MGA8TOO MGA8-64-OK MGA9-64-OK

Comment 4 Thomas Andrews 2023-09-10 02:04:05 CEST 
Validating. Advisory in comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-09-11 02:17:11 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2023-09-11 15:09:45 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0257.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 6 rexy 2023-09-14 23:48:30 CEST 
After an automatic update, clamav has disappeared (and no longer works).
I couldn't reinstall it because of a dependency error :

urpmi clamav
The requested package cannot be installed:
clamav-0.103.10-1.mga8.x86_64 (because clamav-db[*] is unsatisfied)
Do you still want to continue? (Y/n) o
Some packages were installed but others failed.

Resolution: FIXED => (none)
Status: RESOLVED => UNCONFIRMED
Ever confirmed: 1 => 0
CC: (none) => richard

Comment 7 Dave Hodgins 2023-09-15 01:52:58 CEST 
Please do not reopen bugs that have been used to push an update. A new bug
should be opened.

That said, what's the output of "urpmq --list-media active" and
"urpmq ---list-url|head -n 10".
Comment 8 Dave Hodgins 2023-09-15 01:54:09 CEST 
On one of my m8 x86_64 systems ...
# urpmi clamav clamd
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Updates (distrib3)")
  clamav                         0.103.10     1.mga8        x86_64  
  clamav-db                      0.103.10     1.mga8        noarch  
  clamd                          0.103.10     1.mga8        x86_64  
  lib64clamav9                   0.103.10     1.mga8        x86_64  
250MB of additional disk space will be used.
226MB of packages will be retrieved.
Proceed with the installation of the 4 packages? (Y/n) 


    http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/updates/clamav-0.103.10-1.mga8.x86_64.rpm
    http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/updates/clamd-0.103.10-1.mga8.x86_64.rpm                                                                                             
    http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/updates/clamav-db-0.103.10-1.mga8.noarch.rpm                                                                                         
    http://mirror.math.princeton.edu/pub/mageia/distrib/8/x86_64/media/core/updates/lib64clamav9-0.103.10-1.mga8.x86_64.rpm                                                                                      
installing clamd-0.103.10-1.mga8.x86_64.rpm lib64clamav9-0.103.10-1.mga8.x86_64.rpm clamav-db-0.103.10-1.mga8.noarch.rpm clamav-0.103.10-1.mga8.x86_64.rpm from /var/cache/urpmi/rpms                            
Preparing...                     ###############################################################################################################################################################################
      1/4: lib64clamav9          ###############################################################################################################################################################################
      2/4: clamav-db             ###############################################################################################################################################################################
      3/4: clamav                ###############################################################################################################################################################################
      4/4: clamd                 ###############################################################################################################################################################################
----------------------------------------------------------------------
More information on package clamav-0.103.10-1.mga8.x86_64
clamav-0.95+ bundles support for RAR v3 in "libclamav" without permission,
from Eugene Roshal of RARlabs. There is also patent issues involved.

Therefore Mageia has been forced to remove the offending code.

----------------------------------------------------------------------
Comment 9 Dave Hodgins 2023-09-15 02:11:16 CEST 
Re-closing this bug report. You can still add comments that will go to
everyone in the cc list without re-opening the bug report.

Status: UNCONFIRMED => RESOLVED
Resolution: (none) => FIXED

Comment 10 rexy 2023-10-17 23:44:48 CEST 
Hello,

I've described the problem with this update (comment 6) in a new bug.
Thank you for your investigations
https://bugs.mageia.org/show_bug.cgi?id=32404