Ubuntu has issued an advisory on October 11:
https://usn.ubuntu.com/3789-1/

The issue is fixed upstream in 0.100.2.

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, guillomovitch, marja11, nicolas.salguero, smelror, tmb

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Vulnerability in ClamAV's MEW unpacking feature that could allow an unauthenticated, remote attacker to cause a denial-of-service (DoS) condition on an affected device. (CVE-2018-15378)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15378
https://usn.ubuntu.com/3789-1/
========================

Updated packages in core/updates_testing:
========================
clamav-0.100.2-1.mga6
clamd-0.100.2-1.mga6
clamav-milter-0.100.2-1.mga6
clamav-db-0.100.2-1.mga6
lib(64)clamav7-0.100.2-1.mga6
lib(64)clamav-devel-0.100.2-1.mga6

from SRPMS:
clamav-0.100.2-1.mga6.src.rpm

Status: NEW => ASSIGNED
CVE: (none) => CVE-2018-15378
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA6TOO => (none)
Source RPM: clamav-0.100.1-3.mga7.src.rpm => clamav-0.100.1-1.mga6.src.rpm
Fedora has issued an advisory for this on October 9: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2J2QOUQ6ZB3M6OGTBQRV6TJALQTF4JGD/
In VirtualBox, M6, Mate, 64-bit

Package(s) under test:
clamav clamav-db libclamav7

install clamav clamav-db & libclamav7

The following 3 packages are going to be installed:
- clamav-0.100.1-1.mga6.x86_64
- clamav-db-0.100.1-1.mga6.noarch
- lib64clamav7-0.100.1-1.mga6.x86_64

run freshclam in an su terminal

[root@localhost wilcal]# urpmi clamav
Package clamav-0.100.1-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.100.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.100.1-1.mga6.i586 is already installed
[root@localhost wilcal]# ls -al /var/lib/clamav
total 165596
drwxrwxr-x 3 clamav clamav 4096 Oct 18 10:39 ./
drwxr-xr-x 47 root root 4096 Oct 18 10:38 ../
-rw-r--r-- 1 clamav clamav 187426 Oct 18 10:39 bytecode.cvd
-rw-r--r-- 1 clamav clamav 51464298 Oct 18 10:39 daily.cvd
-rw-r--r-- 1 clamav clamav 117892267 Jan 31 2018 main.cvd
-rw------- 1 clamav clamav 312 Oct 18 10:39 mirrors.dat
drwxr-xr-x 2 clamav clamav 4096 Jul 19 03:25 tmp/

scan /var
[root@localhost wilcal]# clamscan -r -i /var
----------- SCAN SUMMARY -----------
Known viruses: 6685418
Engine version: 0.100.1
Scanned directories: 260
Scanned files: 475
Infected files: 0
Data scanned: 1172.91 MB
Data read: 938.30 MB (ratio 1.25:1)
Time: 168.759 sec (2 m 48 s)
clamscan successful

install clamav clamav-db & libclamav7 from updates_testing

[root@localhost wilcal]# urpmi clamav
Package clamav-0.100.2-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.100.2-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.100.2-1.mga6.i586 is already installed

scan /etc
[root@localhost wilcal]# clamscan -r -i /etc
----------- SCAN SUMMARY -----------
Known viruses: 6685418
Engine version: 0.100.2
Scanned directories: 467
Scanned files: 1777
Infected files: 0
Data scanned: 43.63 MB
Data read: 23.10 MB (ratio 1.89:1)
Time: 30.885 sec (0 m 30 s)
clamscan successful
CC: (none) => wilcal.int
In VirtualBox, M6, Mate, 32-bit

Package(s) under test:
clamav clamav-db libclamav7

install clamav clamav-db & libclamav7

The following 3 packages are going to be installed:
- clamav-0.100.1-1.mga6.i586
- clamav-db-0.100.1-1.mga6.noarch
- libclamav7-0.100.1-1.mga6.i586

run freshclam in an su terminal

[root@localhost wilcal]# urpmi clamav
Package clamav-0.100.1-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.100.1-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.100.1-1.mga6.i586 is already installed
[root@localhost wilcal]# ls -al /var/lib/clamav
total 165596
drwxrwxr-x 3 clamav clamav 4096 Oct 18 11:17 ./
drwxr-xr-x 47 root root 4096 Oct 18 11:14 ../
-rw-r--r-- 1 clamav clamav 187426 Oct 18 11:17 bytecode.cvd
-rw-r--r-- 1 clamav clamav 51464298 Oct 18 11:16 daily.cvd
-rw-r--r-- 1 clamav clamav 117892267 Jan 31 2018 main.cvd
-rw------- 1 clamav clamav 312 Oct 18 11:17 mirrors.dat
drwxr-xr-x 2 clamav clamav 4096 Jul 19 03:25 tmp/

scan /var
[root@localhost wilcal]# clamscan -r -i /var
----------- SCAN SUMMARY -----------
Known viruses: 6685418
Engine version: 0.100.1
Scanned directories: 258
Scanned files: 361
Infected files: 0
Data scanned: 1078.70 MB
Data read: 895.61 MB (ratio 1.20:1)
Time: 211.807 sec (3 m 31 s)
clamscan successful

install clamav clamav-db & libclamav7 from updates_testing

The following 3 packages are going to be installed:
- clamav-0.100.2-1.mga6.i586
- clamav-db-0.100.2-1.mga6.noarch
- libclamav7-0.100.2-1.mga6.i586

[root@localhost wilcal]# urpmi clamav
Package clamav-0.100.2-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi clamav-db
Package clamav-db-0.100.2-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi libclamav7
Package libclamav7-0.100.2-1.mga6.i586 is already installed

scan /etc
[root@localhost wilcal]# clamscan -r -i /etc
----------- SCAN SUMMARY -----------
Known viruses: 6685418
Engine version: 0.100.2
Scanned directories: 467
Scanned files: 1774
Infected files: 0
Data scanned: 43.60 MB
Data read: 23.08 MB (ratio 1.89:1)
Time: 28.690 sec (0 m 28 s)
clamscan successful
Whiteboard: (none) => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
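
Both test reports above confirm the update by reading the "Engine version" line of the clamscan summary. The script below is an added example, not part of the bug report or of ClamAV, that automates that check against the fixed release 0.100.2; the function names and the trimmed sample summaries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the bug report: confirm from a clamscan summary
# that the scanning engine is at or above the fixed release.

FIXED_VERSION="0.100.2"   # from the report: fixed upstream in 0.100.2

# Print the version on the "Engine version:" line of a summary read from stdin.
engine_version() {
    sed -n 's/^Engine version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' | head -n 1
}

# Succeed if dotted version $1 >= $2, comparing each component numerically
# (a plain string compare would rank 0.99.4 above 0.100.2).
version_ge() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca=${va%%.*}; cb=${vb%%.*}
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        ca=${ca:-0}; cb=${cb:-0}
        if [ "$ca" -gt "$cb" ]; then return 0; fi
        if [ "$ca" -lt "$cb" ]; then return 1; fi
    done
    return 0
}

# Read a summary on stdin; print fixed / vulnerable / unknown.
# Exit status: 0 fixed, 1 vulnerable, 2 no engine line found.
check_summary() {
    ver=$(engine_version)
    if [ -z "$ver" ]; then echo "unknown"; return 2; fi
    if version_ge "$ver" "$FIXED_VERSION"; then echo "fixed"; return 0; fi
    echo "vulnerable"; return 1
}

# Constructed sample input, trimmed from the summaries quoted in the report.
BEFORE='----------- SCAN SUMMARY -----------
Known viruses: 6685418
Engine version: 0.100.1
Infected files: 0'
AFTER='----------- SCAN SUMMARY -----------
Known viruses: 6685418
Engine version: 0.100.2
Infected files: 0'

printf '%s\n' "$BEFORE" | check_summary || true   # vulnerable
printf '%s\n' "$AFTER"  | check_summary || true   # fixed
```

On a live host the same function can be fed real output, for example `clamscan -r -i /etc | check_summary`, and the exit status used to gate a QA sign-off.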
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0406.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED