Fedora has issued an advisory on March 6: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EPSQEX2GLM7FKQQ3VZEP3KFBSK2QN43C/ The issues are fixed upstream in 0.99.4. Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Ubuntu has issued an advisory for this on March 8: https://usn.ubuntu.com/3592-1/
Status comment: (none) => Fixed upstream in 0.99.4
CC: (none) => smelror
Assignee: bugsquad => smelror
CVE: (none) => CVE-2018-0202 CVE-2018-1000085
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Advisory
========

Clamav has been updated to fix 2 security issues and also contains a lot of bugfixes.

Out-of-bounds access in the PDF parser (CVE-2018-0202)
Out-of-bounds heap read in XAR parser (CVE-2018-1000085)

References
==========
https://security-tracker.debian.org/tracker/CVE-2018-0202
https://security-tracker.debian.org/tracker/CVE-2018-1000085

Files
=====
Uploaded to core/updates_testing:
clamav-0.99.4-1.mga6
clamav-db-0.99.4-1.mga6
lib64clamav-devel-0.99.4-1.mga6
lib64clamav7-0.99.4-1.mga6
clamd-0.99.4-1.mga6
clamav-milter-0.99.4-1.mga6

from clamav-0.99.4-1.mga6.src.rpm
Assignee: smelror => qa-bugs
Mageia 6 :: x86_64

Installed the packages before updating and also installed clamtk, the gui frontend.
$ clamtk
This reported that the database needed to be updated.
$ freshclam
That contacted clamav.net, failed on the incremental update and downloaded the daily.cvd file.

There is a PoC for CVE-2018-1000085 in the form of a base64 encoded file. It is not clear how to use it. Decoded it, hopefully:
$ base64 -d poc.base64 > poc
$ clamtk
Selected 'file' and pointed clamav at poc. Scanned and reported "no threats found". ??
Either the file was not properly decoded or it needs to be tested in a different way. Note that the upstream analysis depended on ASAN.

Updated the packages:
- clamav-0.99.4-1.mga6.x86_64
- clamav-db-0.99.4-1.mga6.noarch
- clamav-milter-0.99.4-1.mga6.x86_64
- clamd-0.99.4-1.mga6.x86_64
- clamtk-5.20-3.1.mga6.noarch
- lib64clamav-devel-0.99.4-1.mga6.x86_64
- lib64clamav7-0.99.4-1.mga6.x86_64
- lib64oxygen-gtk-1.4.6-3.mga6.x86_64
- oxygen-gtk-1.4.6-3.mga6.x86_64

Ran up clamtk and changed the settings. Unchecked all but 'Scan directories recursively'.
Scanned user Downloads directory - 735 files - no threats found.
Checked the poc as well and as expected - no threats found.

This update looks OK.
CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK
In VirtualBox, M6, Mate, 32-bit

Package(s) under test:
clamav clamav-db libclamav7

install clamav clamav-db & libclamav7 from updates_testing

[root@localhost wilcal]# urpmi clamav
Package clamav-0.99.4-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.99.4-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.99.4-1.mga6.i586 is already installed

[wilcal@localhost ~]$ ls -al /var/lib/clamav
total 159360
drwxrwxr-x  3 clamav clamav      4096 Mar 13 10:20 ./
drwxr-xr-x 47 root   root        4096 Mar 13 10:18 ../
-rw-r--r--  1 clamav clamav    153228 Mar 13 10:20 bytecode.cvd
-rw-r--r--  1 clamav clamav  45117128 Mar 13 10:20 daily.cvd
-rw-r--r--  1 clamav clamav 117892267 Jan 31 03:52 main.cvd
-rw-------  1 clamav clamav       156 Mar 13 10:20 mirrors.dat
drwxr-xr-x  2 clamav clamav      4096 Mar 11 18:09 tmp/

scan /var
[wilcal@localhost ~]$ clamscan -r -i /var
----------- SCAN SUMMARY -----------
Known viruses: 6436406
Engine version: 0.99.4
Scanned directories: 182
Scanned files: 232
Infected files: 0
Total errors: 64
Data scanned: 358.32 MB
Data read: 597.75 MB (ratio 0.60:1)
Time: 58.034 sec (0 m 58 s)

clamscan successful
CC: (none) => wilcal.int
Whiteboard: MGA6-64-OK => MGA6-32-OK MGA6-64-OK
Good to go.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0169.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Test ok. Could be pushed on core/updates?
CC: (none) => richard
It already was over two months ago.
Sorry, it's for the RPM "clamtk" which is still in the /core/testing folder and its bug link is here: http://madb.mageia.org/rpm/list/listtype/updates_testing/release/6/application/0/arch/x86_64/t_search/clamtk
clamtk comes from its own SRPM. It's not a part of this package. The clamtk in updates_testing is for Bug 14505.
Perhaps, you can change the "bug link" in the database (14505 instead of 22737) http://madb.mageia.org/rpm/list/listtype/updates_testing/release/6/application/0/arch/x86_64/t_search/clamtk
No, that's automatically generated because Len mentioned it in comment 3.