Bug 22737 - clamav new security issues CVE-2018-0202 and CVE-2018-1000085
Summary: clamav new security issues CVE-2018-0202 and CVE-2018-1000085
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-03-11 14:51 CET by David Walser
Modified: 2018-05-29 00:24 CEST

See Also:
Source RPM: clamav-0.99.3-1.mga6.src.rpm
CVE: CVE-2018-0202 CVE-2018-1000085
Status comment: Fixed upstream in 0.99.4


Description David Walser 2018-03-11 14:51:41 CET
Fedora has issued an advisory on March 6:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EPSQEX2GLM7FKQQ3VZEP3KFBSK2QN43C/

The issues are fixed upstream in 0.99.4.

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-03-11 14:51:49 CET

Whiteboard: (none) => MGA6TOO

Comment 1 David Walser 2018-03-11 15:05:46 CET
Ubuntu has issued an advisory for this on March 8:
https://usn.ubuntu.com/3592-1/
David Walser 2018-03-11 16:14:37 CET

Status comment: (none) => Fixed upstream in 0.99.4

Stig-Ørjan Smelror 2018-03-12 02:02:27 CET

CC: (none) => smelror
Assignee: bugsquad => smelror
CVE: (none) => CVE-2018-0202 CVE-2018-1000085
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

Comment 2 Stig-Ørjan Smelror 2018-03-12 02:14:28 CET
Advisory
========

Clamav has been updated to fix 2 security issues and also contains a lot of bugfixes.

Out-of-bounds access in the PDF parser (CVE-2018-0202)
Out-of-bounds heap read in XAR parser (CVE-2018-1000085)


References
==========
https://security-tracker.debian.org/tracker/CVE-2018-0202
https://security-tracker.debian.org/tracker/CVE-2018-1000085


Files
=====

Uploaded to core/updates_testing:

clamav-0.99.4-1.mga6
clamav-db-0.99.4-1.mga6
lib64clamav-devel-0.99.4-1.mga6
lib64clamav7-0.99.4-1.mga6
clamd-0.99.4-1.mga6
clamav-milter-0.99.4-1.mga6

from clamav-0.99.4-1.mga6.src.rpm

Assignee: smelror => qa-bugs

Comment 3 Len Lawrence 2018-03-13 08:35:57 CET
Mageia 6 :: x86_64

Installed the packages before updating and also installed clamtk, the gui frontend.
$ clamtk
This reported that the database needed to be updated.
$ freshclam
That contacted clamav.net, failed on the incremental update and downloaded the daily.cvd
file.

There is a PoC for CVE-2018-1000085 in the form of a base64 encoded file.  It is not
clear how to use it.  Decoded it, hopefully:
$ base64 -d poc.base64 > poc
$ clamtk
Selected 'file' and pointed clamav at poc.
Scanned and reported "no threats found".  ??
Either the file was not properly decoded or it needs to be tested in a different way.
Note that the upstream analysis depended on ASAN.

Updated the packages:
- clamav-0.99.4-1.mga6.x86_64
- clamav-db-0.99.4-1.mga6.noarch
- clamav-milter-0.99.4-1.mga6.x86_64
- clamd-0.99.4-1.mga6.x86_64
- clamtk-5.20-3.1.mga6.noarch
- lib64clamav-devel-0.99.4-1.mga6.x86_64
- lib64clamav7-0.99.4-1.mga6.x86_64
- lib64oxygen-gtk-1.4.6-3.mga6.x86_64
- oxygen-gtk-1.4.6-3.mga6.x86_64

Ran up clamtk and changed the settings.  Unchecked all but 'Scan directories
recursively'.
Scanned user Downloads directory - 735 files - no threats found.
Checked the poc as well and as expected - no threats found.  

This update looks OK.

CC: (none) => tarazed25
Whiteboard: (none) => MGA6-64-OK

Comment 4 William Kenney 2018-03-13 18:32:05 CET
In VirtualBox, M6, Mate, 32-bit

Package(s) under test:
clamav clamav-db libclamav7

install clamav clamav-db & libclamav7 from updates_testing

[root@localhost wilcal]# urpmi clamav
Package clamav-0.99.4-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.99.4-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.99.4-1.mga6.i586 is already installed

[wilcal@localhost ~]$ ls -al /var/lib/clamav
total 159360
drwxrwxr-x  3 clamav clamav      4096 Mar 13 10:20 ./
drwxr-xr-x 47 root   root        4096 Mar 13 10:18 ../
-rw-r--r--  1 clamav clamav    153228 Mar 13 10:20 bytecode.cvd
-rw-r--r--  1 clamav clamav  45117128 Mar 13 10:20 daily.cvd
-rw-r--r--  1 clamav clamav 117892267 Jan 31 03:52 main.cvd
-rw-------  1 clamav clamav       156 Mar 13 10:20 mirrors.dat
drwxr-xr-x  2 clamav clamav      4096 Mar 11 18:09 tmp/

scan /var

[wilcal@localhost ~]$ clamscan -r -i /var

----------- SCAN SUMMARY -----------
Known viruses: 6436406
Engine version: 0.99.4
Scanned directories: 182
Scanned files: 232
Infected files: 0
Total errors: 64
Data scanned: 358.32 MB
Data read: 597.75 MB (ratio 0.60:1)
Time: 58.034 sec (0 m 58 s)

clamscan successful

CC: (none) => wilcal.int

William Kenney 2018-03-13 18:32:22 CET

Whiteboard: MGA6-64-OK => MGA6-32-OK MGA6-64-OK
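
The engine-version check that the QA runs above perform by eye, as an added example that is not part of the original bug report: it reads the `Engine version` line from a `clamscan` summary (the sample is the one quoted in comment 4) and compares it numerically against 0.99.4, the release the status comment names as fixed. The function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example: confirm from clamscan output that the fixed engine is in use.
FIXED_VERSION="0.99.4"   # from the status comment: "Fixed upstream in 0.99.4"

# Sample input: the scan summary quoted in comment 4 of this bug.
SAMPLE_SUMMARY='----------- SCAN SUMMARY -----------
Known viruses: 6436406
Engine version: 0.99.4
Scanned directories: 182
Scanned files: 232
Infected files: 0
Total errors: 64'

# summary_field KEY: print the value of the first "KEY: value" line on stdin.
summary_field() {
    sed -n "s/^$1: *//p" | head -n 1
}

# version_ge A B: succeed when dotted version A >= B, comparing each
# component as a number (so 0.100.0 is newer than 0.99.4).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# check_summary TEXT: print a verdict; succeed only if the engine is fixed.
check_summary() {
    engine=$(printf '%s\n' "$1" | summary_field "Engine version")
    errors=$(printf '%s\n' "$1" | summary_field "Total errors")
    if [ -z "$engine" ]; then
        echo "UNKNOWN: no engine version in summary"; return 2
    fi
    if version_ge "$engine" "$FIXED_VERSION"; then
        echo "OK: engine $engine >= $FIXED_VERSION (scan errors: ${errors:-0})"
    else
        echo "VULNERABLE: engine $engine < $FIXED_VERSION"; return 1
    fi
}

check_summary "$SAMPLE_SUMMARY"
```

On a live system the summary can be captured with `check_summary "$(clamscan -r -i /var)"`, the same command used in comment 4.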

Comment 5 William Kenney 2018-03-13 18:33:06 CET
Good to go.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 claire robinson 2018-03-14 17:24:49 CET
Advisory uploaded.

Keywords: (none) => advisory

Comment 7 Mageia Robot 2018-03-14 18:01:37 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0169.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 rexy 2018-05-28 12:23:30 CEST
Test ok. Could it be pushed to core/updates?

CC: (none) => richard

Comment 9 David Walser 2018-05-28 14:15:11 CEST
It already was over two months ago.
Comment 10 rexy 2018-05-29 00:01:54 CEST
Sorry, it's for the RPM "clamtk", which is still in the /core/testing folder, and its bug link is here:
http://madb.mageia.org/rpm/list/listtype/updates_testing/release/6/application/0/arch/x86_64/t_search/clamtk
Comment 11 David Walser 2018-05-29 00:08:00 CEST
clamtk comes from its own SRPM.  It's not a part of this package.  The clamtk in updates_testing is for Bug 14505.
Comment 12 rexy 2018-05-29 00:15:02 CEST
Perhaps you can change the "bug link" in the database (14505 instead of 22737):
http://madb.mageia.org/rpm/list/listtype/updates_testing/release/6/application/0/arch/x86_64/t_search/clamtk
Comment 13 David Walser 2018-05-29 00:24:25 CEST
No, that's automatically generated because Len mentioned it in comment 3.
