Bug 9853

Summary: Multiple vulnerabilities in clamav
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: cmrisolde, luigiwalser, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/548896/
Whiteboard: mga2-32-OK mga2-64-OK
Source RPM: clamav-0.97.7-1.mga2.src.rpm CVE:
Status comment:

Description Oden Eriksson 2013-04-24 14:12:42 CEST 
Date: Wed, 24 Apr 2013 07:59:04 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: Felix Groebert <groebert@...gle.com>
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        oss-security@...ts.openwall.com
Subject: Multiple potential security issues fixed in ClamAV 0.97.8 - any
 further details?

Hello Felix,

  this is due the ClamAV 0.97.8 release:
  [1] http://blog.clamav.net/2013/04/clamav-0978-has-been-released.html
  [2] https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog
  [3] https://bugzilla.redhat.com/show_bug.cgi?id=956176
  [4] https://bugzilla.novell.com/show_bug.cgi?id=816865

Could you clarify how many and what kind of possible security issues
has been corrected within this release? (so we would know how many
CVE identifiers should be allocated to these)

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-04-24 15:04:05 CEST 
http://freecode.com/projects/clamav/releases/354139

CC: (none) => luigiwalser
Version: 2 => Cauldron
Assignee: bugsquad => thomas
Whiteboard: (none) => MGA2TOO

Thomas Spuhler 2013-04-24 18:45:20 CEST

Status: NEW => ASSIGNED

Comment 2 Thomas Spuhler 2013-04-24 20:11:56 CEST 
This update is now in mga2/updates/testing
it fixes (from upstream) 
âClamAV 0.97.8 addresses several reported potential security bugs. Thanks to
Felix Groebert of the Google Security Team for finding and reporting these issues.â
(The upgrade request has also been submitted to Cauldron)

Assignee: thomas => qa-bugs

Comment 3 David Walser 2013-04-24 21:48:07 CEST 
Fixed in Cauldron in clamav-0.97.8-1.mga3.  Thanks Thomas.

Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)

Comment 4 Carolyn Rowse 2013-04-26 20:35:18 CEST 
Tested i586 in VM using clamtk - no regressions noticed after update.

Carolyn

CC: (none) => isolde
Whiteboard: (none) => mga2-32-OK

Comment 5 Carolyn Rowse 2013-04-28 20:36:29 CEST 
Tested x86_64 on real hw using clamtk - no regressions noticed after update.

Update validated.

See comment 2 for advisory.

SRPM: clamav-0.97.8-1.mga2.src.prm

Could sysadmin please push from core/updates_testing to core/updates.

Thanks.

Carolyn

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: mga2-32-OK => mga2-32-OK mga2-64-OK

Comment 6 Oden Eriksson 2013-04-30 07:37:27 CEST 
From oss-security:

CVE-2013-2020:
https://bugzilla.clamav.net/show_bug.cgi?id=7055
heap corruption, potentially exploitable.

CVE-2013-2021:
https://bugzilla.clamav.net/show_bug.cgi?id=7053
overflow due to PDF key length computation. Potentially exploitable.

CVE-2013-????:
https://bugzilla.clamav.net/show_bug.cgi?id=7054
NULL pointer dereference in sis parsing.
Comment 7 David Walser 2013-04-30 18:03:58 CEST 
Here's Mandriva's advisory with the CVE and upstream bug references:
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:159/
Comment 8 David Walser 2013-04-30 19:49:11 CEST 
Original bug URL:
http://www.openwall.com/lists/oss-security/2013/04/24/3

URL: http://www.openwall.com/lists/oss-security/2013/04/24/3 => http://lwn.net/Vulnerabilities/548896/

Comment 9 Thomas Backlund 2013-05-02 19:27:49 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0132

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED