Ubuntu has issued an advisory on April 8: https://usn.ubuntu.com/3940-1/ The issues are fixed upstream in 0.100.3 and 0.101.2. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Assigning to all packagers collectively, since there is no registered maintainer for this package. Also CC'ing some committers.
Assignee: bugsquad => pkg-bugsCC: (none) => geiger.david68210, guillomovitch, mageia, marja11, nicolas.salguero
Suggested advisory: ======================== The updated packages fix security vulnerabilities: A vulnerability in the Portable Document Format (PDF) scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of proper data handling mechanisms within the device buffer while indexing remaining file data on an affected device. An attacker could exploit this vulnerability by sending crafted PDF files to an affected device. A successful exploit could allow the attacker to cause a heap buffer out-of-bounds read condition, resulting in a crash that could result in a denial of service condition on an affected device. (CVE-2019-1787) A vulnerability in the Object Linking & Embedding (OLE2) file scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to a lack of proper input and validation checking mechanisms for OLE2 files sent an affected device. An attacker could exploit this vulnerability by sending malformed OLE2 files to the device running an affected version ClamAV Software. An exploit could allow the attacker to cause an out-of-bounds write condition, resulting in a crash that could result in a denial of service condition on an affected device. (CVE-2019-1788) An out-of-bounds heap read condition when scanning PE files. (CVE-2019-1789) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1787 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1788 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1789 https://usn.ubuntu.com/3940-1/ ======================== Updated packages in core/updates_testing: ======================== clamav-0.100.3-1.mga6 clamd-0.100.3-1.mga6 clamav-milter-0.100.3-1.mga6 clamav-db-0.100.3-1.mga6 lib(64)clamav7-0.100.3-1.mga6 lib(64)clamav-devel-0.100.3-1.mga6 from SRPMS: clamav-0.100.3-1.mga6.src.rpm
Whiteboard: MGA6TOO => (none)Version: Cauldron => 6Source RPM: clamav-0.100.2-1.mga7.src.rpm => clamav-0.100.2-1.mga6.src.rpmCVE: (none) => CVE-2019-1787, CVE-2019-1788, CVE-2019-1789Status: NEW => ASSIGNEDAssignee: pkg-bugs => qa-bugs
The following 9 packages are going to be installed: - clamav-0.100.3-1.mga6.x86_64 - clamav-db-0.100.3-1.mga6.noarch - clamav-milter-0.100.3-1.mga6.x86_64 - clamd-0.100.3-1.mga6.x86_64 - lib64clamav-devel-0.100.3-1.mga6.x86_64 - lib64clamav7-0.100.3-1.mga6.x86_64 - lib64json-devel-0.12.1-1.mga6.x86_64 - lib64json2-0.12.1-1.mga6.x86_64 - lib64xml2-devel-2.9.9-1.mga6.x86_64 # freshclam ClamAV update process started at Sat Apr 27 09:04:47 2019 WARNING: Your ClamAV installation is OUTDATED! WARNING: Local version: 0.100.3 Recommended version: 0.101.2 DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr) Downloading daily-25432.cdiff [100%] daily.cld updated (version: 25432, sigs: 1563538, f-level: 63, builder: raynman) Downloading bytecode.cvd [100%] bytecode.cvd updated (version: 328, sigs: 94, f-level: 63, builder: neo) Database updated (6129881 signatures) from database.clamav.net (IP: 104.16.219.84) WARNING: Clamd was NOT notified: Can't connect to clamd through /var/lib/clamav/clamd.socket: No such file or directory # systemctl start clamd # ps -ef | grep clam clamav 15610 1 0 09:06 ? 00:00:00 /usr/sbin/clamd --config-file=/etc/clamd.conf # clamscan -rv /home ----------- SCAN SUMMARY ----------- Known viruses: 6121153 Engine version: 0.100.3 Scanned directories: 2432 Scanned files: 17465 Infected files: 0 Data scanned: 2617.44 MB Data read: 23267.08 MB (ratio 0.11:1) Time: 528.687 sec (8 m 48 s) Seems to be working as designed.
CC: (none) => brtians1Whiteboard: (none) => MGA6-64-OK
The following 14 packages are going to be installed: - clamav-0.100.3-1.mga6.i586 - clamav-db-0.100.3-1.mga6.noarch - clamav-milter-0.100.3-1.mga6.i586 - clamd-0.100.3-1.mga6.i586 - libbzip2-devel-1.0.6-10.mga6.i586 - libclamav-devel-0.100.3-1.mga6.i586 - libclamav7-0.100.3-1.mga6.i586 - libjson-devel-0.12.1-1.mga6.i586 - liblzma-devel-5.2.3-1.mga6.i586 - libopenssl-devel-1.0.2r-1.mga6.i586 - libpcre-devel-8.41-1.mga6.i586 - libpcre32_0-8.41-1.mga6.i586 - libxml2-devel-2.9.9-1.mga6.i586 - libzlib-devel-1.2.11-4.1.mga6.i586 # clamscan -rv /home ----------- SCAN SUMMARY ----------- Known viruses: 6121153 Engine version: 0.100.3 Scanned directories: 3733 Scanned files: 40605 Infected files: 0 Data scanned: 15513.57 MB Data read: 85413.87 MB (ratio 0.18:1) Time: 5312.815 sec (88 m 32 s
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
Validating. Advisory in Comment 2.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmbKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0162.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED
This update also fixed CVE-2019-1785 CVE-2019-1786 CVE-2019-1798: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DHFME6EFDMW6BQBIYMTU3MBXQLVR7QTK/