Ubuntu has issued an advisory on February 18: https://usn.ubuntu.com/4280-1/ The issue is fixed upstream in 0.102.2: https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
'clamav' has no registered maintainer, so assigning globally; CC'ing NicolasS as a recent committer.
CC: (none) => nicolas.salguero
Assignee: bugsquad => pkg-bugs
Status comment: (none) => Fixed upstream in 0.102.2
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiVirus (ClamAV) Software versions 0.102.1 and 0.102.0 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to an out-of-bounds read affecting users that have enabled the optional DLP feature. An attacker could exploit this vulnerability by sending a crafted email file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition. (CVE-2020-3123)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123
https://usn.ubuntu.com/4280-1/
https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html
========================

Updated packages in core/updates_testing:
========================

clamav-0.102.2-1.mga7
clamd-0.102.2-1.mga7
clamav-milter-0.102.2-1.mga7
clamav-db-0.102.2-1.mga7
lib(64)clamav9-0.102.2-1.mga7
lib(64)clamav-devel-0.102.2-1.mga7

from SRPMS:
clamav-0.102.2-1.mga7.src.rpm
CVE: (none) => CVE-2020-3123
Status: NEW => ASSIGNED
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
Source RPM: clamav-0.101.5-4.mga8.src.rpm => clamav-0.101.5-1.2.mga7.src.rpm
Status comment: Fixed upstream in 0.102.2 => (none)
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 25764 for tests

# freshclam
ClamAV update process started at Mon Feb 24 14:54:18 2020
Current working dir is /var/lib/clamav/
Querying current.cvd.clamav.net
TTL: 1800
fc_dns_query_update_info: Software version from DNS: 0.102.2
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of daily found: daily.cvd.
etc ......

# clamscan -vr
/root/.local/share/webkitgtk/databases/indexeddb/v0: Symbolic link
Scanning /root/.local/share/recently-used.xbel
/root/.local/share/recently-used.xbel: OK
and a lot more, ending with

Known viruses: 6748718
Engine version: 0.102.2
Scanned directories: 42
Scanned files: 44
Infected files: 0
Data scanned: 37.52 MB
Data read: 16.34 MB (ratio 2.30:1)
Time: 22.088 sec (0 m 22 s)

Tested also

# systemctl -l status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/

# systemctl start clamav-daemon
# systemctl -l status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-02-24 15:03:02 CET; 3s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
 Main PID: 7648 (clamd)
   Memory: 485.7M
   CGroup: /system.slice/clamav-daemon.service
           └─7648 /usr/sbin/clamd --foreground=true

Feb 24 15:03:02 mach5.hviaene.thuis systemd[1]: Started Clam AntiVirus userspace daemon.

Seems OK to me
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
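The advisory above says the out-of-bounds read is reachable only on 0.102.0/0.102.1 with the optional DLP feature switched on, so an exposure check on a fleet should look at both the engine version and the configuration, not the version alone. The script below is an added example written for this bug thread; it is not part of the report, the Mageia update, or the ClamAV project. It assumes two things the report does not state: that clamd turns DLP on with a "StructuredDataDetection yes" line in clamd.conf, and that "clamscan --version" prints a banner of the form "ClamAV <version>/<db version>/<date>". The sample banner and config fragment inside the block are constructed, not captured from the tester's machine.

```shell
#!/bin/sh
# Added example, not from the bug report or the ClamAV project.
# CVE-2020-3123 only bites when the engine is 0.102.0/0.102.1 AND the optional
# DLP module is switched on, so checking the version alone over-reports.
#
# Assumptions (not stated in the report above):
#   - clamd enables DLP with "StructuredDataDetection yes" in clamd.conf
#   - "clamscan --version" prints a banner such as
#     "ClamAV 0.102.2/25734/Mon Feb 24 13:42:56 2020"

# Pull the engine version ("0.102.2") out of a clamscan banner line.
clamav_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# Exit 0 when the version is one of the two releases named in the advisory.
clamav_version_affected() {
    case "$1" in
        0.102.0|0.102.1) return 0 ;;
        *)               return 1 ;;
    esac
}

# Exit 0 when the clamd.conf text on stdin turns the DLP module on.
# Comment lines are skipped; if the option appears more than once the
# last occurrence wins. Boolean spellings accepted: yes/true/1.
clamd_dlp_enabled() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "structureddatadetection" {
            v = tolower($2)
            on = (v == "yes" || v == "true" || v == "1")
        }
        END { exit (on ? 0 : 1) }
    '
}

# Combine both checks: $1 is the version banner, stdin is clamd.conf.
# Exit 0 means "exposed to CVE-2020-3123".
clamav_exposed_to_cve_2020_3123() {
    ver=$(clamav_version_from_banner "$1")
    clamav_version_affected "$ver" && clamd_dlp_enabled
}

# Demo on constructed input (not output captured from a real machine).
SAMPLE_BANNER='ClamAV 0.102.1/25734/Mon Feb 24 13:42:56 2020'
SAMPLE_CONF='# constructed clamd.conf fragment
LogFile /var/log/clamav/clamd.log
StructuredDataDetection yes
StructuredMinCreditCardCount 3'

if printf '%s\n' "$SAMPLE_CONF" | clamav_exposed_to_cve_2020_3123 "$SAMPLE_BANNER"; then
    echo "EXPOSED: $(clamav_version_from_banner "$SAMPLE_BANNER") with DLP enabled, update to 0.102.2"
else
    echo "not exposed (engine not 0.102.0/0.102.1, or DLP disabled)"
fi
```

On a real host, feed it the live values instead of the samples: `clamav_exposed_to_cve_2020_3123 "$(clamscan --version)" < /path/to/clamd.conf`. The script only inspects clamd's configuration; a scan started from the command line with clamscan's own DLP switch is not covered by it.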
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0105.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED