Fedora has issued an advisory on March 6:
The issues are fixed upstream in 0.99.4.
Mageia 5 and Mageia 6 are also affected.
Ubuntu has issued an advisory for this on March 8:
Fixed upstream in 0.99.4
Clamav has been updated to fix 2 security issues and also contains a lot of bugfixes.
Out-of-bounds access in the PDF parser (CVE-2018-0202)
Out-of-bounds heap read in XAR parser (CVE-2018-1000085)
Uploaded to core/updates_testing:
Mageia 6 :: x86_64
Installed the packages before updating and also installed clamtk, the gui frontend.
This reported that the database needed to be updated.
That contacted clamav.net, failed on the incremental update and downloaded the daily.cvd
There is a PoC for CVE-2018-1000085 in the form of a bsae64 encoded file. It is not
clear how to use it. Decoded it, hopefully:
$ base64 -d poc.base64 > poc
Selected 'file' and pointed clamav at poc.
Scanned and reported "no threats found". ??
Either the file was not properly decoded or it needs to be tested in a different way.
Note that the upstream analysis depended on ASAN.
Updated the packages:
Ran up clamtk and changed the settings. Unchecked all but 'Scan directories
Scanned user Downloads directory - 735 files - no threats found.
Checked the poc as well and as expected - no threats found.
This update looks OK.
In VirtualBox, M6, Mate, 32-bit
Package(s) under test:
clamav clamav-db libclamav7
install clamav clamav-db & libclamav7 from updates_testing
[root@localhost wilcal]# urpmi clamav
Package clamav-0.99.4-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.99.4-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.99.4-1.mga6.i586 is already installed
[wilcal@localhost ~]$ ls -al /var/lib/clamav
drwxrwxr-x 3 clamav clamav 4096 Mar 13 10:20 ./
drwxr-xr-x 47 root root 4096 Mar 13 10:18 ../
-rw-r--r-- 1 clamav clamav 153228 Mar 13 10:20 bytecode.cvd
-rw-r--r-- 1 clamav clamav 45117128 Mar 13 10:20 daily.cvd
-rw-r--r-- 1 clamav clamav 117892267 Jan 31 03:52 main.cvd
-rw------- 1 clamav clamav 156 Mar 13 10:20 mirrors.dat
drwxr-xr-x 2 clamav clamav 4096 Mar 11 18:09 tmp/
[wilcal@localhost ~]$ clamscan -r -i /var
----------- SCAN SUMMARY -----------
Known viruses: 6436406
Engine version: 0.99.4
Scanned directories: 182
Scanned files: 232
Infected files: 0
Total errors: 64
Data scanned: 358.32 MB
Data read: 597.75 MB (ratio 0.60:1)
Time: 58.034 sec (0 m 58 s)
Good to go.
An update for this issue has been pushed to the Mageia Updates repository.
Test ok. Could be pushed on core/updates ?
It already was over two months ago.
Sorry, it's for the RPM "clamtk" which is still in the /core/testing folder and its bug link is here :
clamtk comes from its own SRPM. It's not a part of this package. The clamtk in updates_testing is for Bug 14505.
Perhaps, you can change the "bug link" in the database (14505 instead of 22737)
No, that's automatically generated because Len mentioned it in comment 3.