Bug 24704 - clamav new security issues CVE-2019-178[7-9]
Summary: clamav new security issues CVE-2019-178[7-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-04-22 23:18 CEST by David Walser
Modified: 2020-12-18 20:25 CET

See Also:
Source RPM: clamav-0.100.2-1.mga6.src.rpm
CVE: CVE-2019-1787, CVE-2019-1788, CVE-2019-1789
Status comment:



Description David Walser 2019-04-22 23:18:31 CEST
Ubuntu has issued an advisory on April 8:
https://usn.ubuntu.com/3940-1/

The issues are fixed upstream in 0.100.3 and 0.101.2.

Mageia 6 is also affected.
David Walser 2019-04-22 23:18:38 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2019-04-23 20:28:19 CEST
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Also CC'ing some committers.

Assignee: bugsquad => pkg-bugs
CC: (none) => geiger.david68210, guillomovitch, mageia, marja11, nicolas.salguero

Comment 2 Nicolas Salguero 2019-04-26 14:16:52 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A vulnerability in the Portable Document Format (PDF) scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of proper data handling mechanisms within the device buffer while indexing remaining file data on an affected device. An attacker could exploit this vulnerability by sending crafted PDF files to an affected device. A successful exploit could allow the attacker to cause a heap buffer out-of-bounds read condition, resulting in a crash that could result in a denial of service condition on an affected device. (CVE-2019-1787)

A vulnerability in the Object Linking & Embedding (OLE2) file scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to a lack of proper input and validation checking mechanisms for OLE2 files sent to an affected device. An attacker could exploit this vulnerability by sending malformed OLE2 files to the device running an affected version of ClamAV Software. An exploit could allow the attacker to cause an out-of-bounds write condition, resulting in a crash that could result in a denial of service condition on an affected device. (CVE-2019-1788)

An out-of-bounds heap read condition when scanning PE files. (CVE-2019-1789)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1787
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1789
https://usn.ubuntu.com/3940-1/
========================

Updated packages in core/updates_testing:
========================
clamav-0.100.3-1.mga6
clamd-0.100.3-1.mga6
clamav-milter-0.100.3-1.mga6
clamav-db-0.100.3-1.mga6
lib(64)clamav7-0.100.3-1.mga6
lib(64)clamav-devel-0.100.3-1.mga6

from SRPMS:
clamav-0.100.3-1.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Source RPM: clamav-0.100.2-1.mga7.src.rpm => clamav-0.100.2-1.mga6.src.rpm
CVE: (none) => CVE-2019-1787, CVE-2019-1788, CVE-2019-1789
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs

Comment 3 Brian Rockwell 2019-04-27 16:19:04 CEST
The following 9 packages are going to be installed:

- clamav-0.100.3-1.mga6.x86_64
- clamav-db-0.100.3-1.mga6.noarch
- clamav-milter-0.100.3-1.mga6.x86_64
- clamd-0.100.3-1.mga6.x86_64
- lib64clamav-devel-0.100.3-1.mga6.x86_64
- lib64clamav7-0.100.3-1.mga6.x86_64
- lib64json-devel-0.12.1-1.mga6.x86_64
- lib64json2-0.12.1-1.mga6.x86_64
- lib64xml2-devel-2.9.9-1.mga6.x86_64


# freshclam
ClamAV update process started at Sat Apr 27 09:04:47 2019
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.100.3 Recommended version: 0.101.2
DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Downloading daily-25432.cdiff [100%]
daily.cld updated (version: 25432, sigs: 1563538, f-level: 63, builder: raynman)
Downloading bytecode.cvd [100%]
bytecode.cvd updated (version: 328, sigs: 94, f-level: 63, builder: neo)
Database updated (6129881 signatures) from database.clamav.net (IP: 104.16.219.84)
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/lib/clamav/clamd.socket: No such file or directory

# systemctl start clamd

# ps -ef | grep clam
clamav   15610     1  0 09:06 ?        00:00:00 /usr/sbin/clamd --config-file=/etc/clamd.conf


# clamscan -rv /home

----------- SCAN SUMMARY -----------
Known viruses: 6121153
Engine version: 0.100.3
Scanned directories: 2432
Scanned files: 17465
Infected files: 0
Data scanned: 2617.44 MB
Data read: 23267.08 MB (ratio 0.11:1)
Time: 528.687 sec (8 m 48 s)


Seems to be working as designed.

CC: (none) => brtians1
Whiteboard: (none) => MGA6-64-OK

Comment 4 Brian Rockwell 2019-04-27 19:51:34 CEST
The following 14 packages are going to be installed:

- clamav-0.100.3-1.mga6.i586
- clamav-db-0.100.3-1.mga6.noarch
- clamav-milter-0.100.3-1.mga6.i586
- clamd-0.100.3-1.mga6.i586
- libbzip2-devel-1.0.6-10.mga6.i586
- libclamav-devel-0.100.3-1.mga6.i586
- libclamav7-0.100.3-1.mga6.i586
- libjson-devel-0.12.1-1.mga6.i586
- liblzma-devel-5.2.3-1.mga6.i586
- libopenssl-devel-1.0.2r-1.mga6.i586
- libpcre-devel-8.41-1.mga6.i586
- libpcre32_0-8.41-1.mga6.i586
- libxml2-devel-2.9.9-1.mga6.i586
- libzlib-devel-1.2.11-4.1.mga6.i586



# clamscan -rv /home

----------- SCAN SUMMARY -----------
Known viruses: 6121153
Engine version: 0.100.3
Scanned directories: 3733
Scanned files: 40605
Infected files: 0
Data scanned: 15513.57 MB
Data read: 85413.87 MB (ratio 0.18:1)
Time: 5312.815 sec (88 m 32 s)

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Comment 5 Thomas Andrews 2019-04-28 04:08:26 CEST
Validating. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-05-12 09:37:06 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 6 Mageia Robot 2019-05-12 11:37:08 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0162.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2020-12-18 20:25:15 CET
This update also fixed CVE-2019-1785 CVE-2019-1786 CVE-2019-1798:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/DHFME6EFDMW6BQBIYMTU3MBXQLVR7QTK/
