Bug 26221 - clamav new security issue CVE-2020-3123
Summary: clamav new security issue CVE-2020-3123
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-02-19 23:31 CET by David Walser
Modified: 2020-02-26 11:22 CET
CC: 5 users

See Also:
Source RPM: clamav-0.101.5-1.2.mga7.src.rpm
CVE: CVE-2020-3123
Status comment:



Description David Walser 2020-02-19 23:31:00 CET
Ubuntu has issued an advisory on February 18:
https://usn.ubuntu.com/4280-1/

The issue is fixed upstream in 0.102.2:
https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html

Mageia 7 is also affected.
David Walser 2020-02-19 23:31:10 CET

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-02-20 19:57:15 CET
'clamav' has no registered maintainer, so assigning globally; CC'ing NicolasS as a recent committer.

CC: (none) => nicolas.salguero
Assignee: bugsquad => pkg-bugs

David Walser 2020-02-21 17:52:55 CET

Status comment: (none) => Fixed upstream in 0.102.2

Comment 2 Nicolas Salguero 2020-02-21 21:44:22 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiVirus (ClamAV) Software versions 0.102.1 and 0.102.0 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to an out-of-bounds read affecting users that have enabled the optional DLP feature. An attacker could exploit this vulnerability by sending a crafted email file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition. (CVE-2020-3123)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123
https://usn.ubuntu.com/4280-1/
https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html
========================

Updated packages in core/updates_testing:
========================
clamav-0.102.2-1.mga7
clamd-0.102.2-1.mga7
clamav-milter-0.102.2-1.mga7
clamav-db-0.102.2-1.mga7
lib(64)clamav9-0.102.2-1.mga7
lib(64)clamav-devel-0.102.2-1.mga7

from SRPMS:
clamav-0.102.2-1.mga7.src.rpm

CVE: (none) => CVE-2020-3123
Status: NEW => ASSIGNED
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 7
Source RPM: clamav-0.101.5-4.mga8.src.rpm => clamav-0.101.5-1.2.mga7.src.rpm

David Walser 2020-02-21 23:13:35 CET

Status comment: Fixed upstream in 0.102.2 => (none)

Comment 3 Herman Viaene 2020-02-24 15:04:38 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 25764 for tests
# freshclam 
ClamAV update process started at Mon Feb 24 14:54:18 2020
Current working dir is /var/lib/clamav/
Querying current.cvd.clamav.net
TTL: 1800
fc_dns_query_update_info: Software version from DNS: 0.102.2
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of daily found: daily.cvd.
etc ......
# clamscan -vr
/root/.local/share/webkitgtk/databases/indexeddb/v0: Symbolic link
Scanning /root/.local/share/recently-used.xbel
/root/.local/share/recently-used.xbel: OK
and a lot more, ending with
Known viruses: 6748718
Engine version: 0.102.2
Scanned directories: 42
Scanned files: 44
Infected files: 0
Data scanned: 37.52 MB
Data read: 16.34 MB (ratio 2.30:1)
Time: 22.088 sec (0 m 22 s)

Tested also
# systemctl -l status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
# systemctl start clamav-daemon
# systemctl -l status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-02-24 15:03:02 CET; 3s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
 Main PID: 7648 (clamd)
   Memory: 485.7M
   CGroup: /system.slice/clamav-daemon.service
           └─7648 /usr/sbin/clamd --foreground=true

Feb 24 15:03:02 mach5.hviaene.thuis systemd[1]: Started Clam AntiVirus userspace daemon.


Seems OK to me

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
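Added example (not part of this bug report, the advisory, or ClamAV's own tooling): a small POSIX shell check an administrator could run after the update to confirm the two conditions the advisory in Comment 2 ties together, namely an engine version below the fixed 0.102.2 and the optional DLP feature enabled through the `StructuredDataDetection` option in clamd.conf. The version banner and the configuration text below are constructed samples; on a real host the banner would come from `clamscan --version` (whose output begins "ClamAV <version>/<db version>/<date>") and the configuration from the distribution's clamd.conf, so both are passed in as strings here to keep the script runnable offline.

```shell
#!/bin/sh
# Added example: check whether an installed ClamAV is at or above the release
# that fixes CVE-2020-3123 (0.102.2) and whether the affected optional DLP
# feature (StructuredDataDetection) is enabled in clamd.conf.

FIXED_VERSION="0.102.2"

# Extract the engine version from a `clamscan --version` banner,
# e.g. "ClamAV 0.102.2/25735/Mon Feb 24 ..." -> "0.102.2".
clamav_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if dotted version $1 >= $2, else 1. Pure shell, no sort -V needed.
version_at_least() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        a_part="${a%%.*}"; b_part="${b%%.*}"
        [ -z "$a_part" ] && a_part=0
        [ -z "$b_part" ] && b_part=0
        if [ "$a_part" -gt "$b_part" ]; then return 0; fi
        if [ "$a_part" -lt "$b_part" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# Return 0 if the clamd.conf text in $1 enables the DLP module.
# Commented-out lines ("#StructuredDataDetection yes") do not count.
dlp_enabled() {
    printf '%s\n' "$1" \
        | grep -Eiq '^[[:space:]]*StructuredDataDetection[[:space:]]+(yes|true|1)[[:space:]]*$'
}

# Combine both checks into a one-line verdict for the given banner and config.
assess() {
    banner="$1"; conf="$2"
    ver=$(clamav_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "unknown-version (could not parse banner)"
    elif version_at_least "$ver" "$FIXED_VERSION"; then
        echo "fixed ($ver >= $FIXED_VERSION)"
    elif dlp_enabled "$conf"; then
        echo "vulnerable ($ver < $FIXED_VERSION and DLP enabled)"
    else
        echo "update-needed ($ver < $FIXED_VERSION, DLP disabled so the DLP bug is not reachable)"
    fi
}

# Constructed sample inputs (not real output from this bug) so the script runs stand-alone.
SAMPLE_BANNER_OLD="ClamAV 0.101.5/25730/Fri Feb 21 10:00:00 2020"
SAMPLE_BANNER_NEW="ClamAV 0.102.2/25735/Mon Feb 24 14:54:18 2020"
SAMPLE_CONF_DLP='# clamd.conf (constructed)
LogFile /var/log/clamav/clamd.log
StructuredDataDetection yes
'
SAMPLE_CONF_NODLP='# clamd.conf (constructed)
#StructuredDataDetection yes
'

echo "old engine, DLP on:  $(assess "$SAMPLE_BANNER_OLD" "$SAMPLE_CONF_DLP")"
echo "old engine, DLP off: $(assess "$SAMPLE_BANNER_OLD" "$SAMPLE_CONF_NODLP")"
echo "new engine, DLP on:  $(assess "$SAMPLE_BANNER_NEW" "$SAMPLE_CONF_DLP")"
```

On a live system the same functions can be fed real data with `assess "$(clamscan --version)" "$(cat /path/to/clamd.conf)"`; the version comparison is kept in plain shell so the check behaves the same on minimal rescue environments without GNU `sort -V`.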

Comment 4 Thomas Andrews 2020-02-25 00:10:28 CET
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-02-26 10:42:58 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 5 Mageia Robot 2020-02-26 11:22:18 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0105.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

