Debian-LTS has issued an advisory today (May 20):
https://www.debian.org/lts/security/2020/dla-2215

The issues are fixed upstream in 0.102.3:
https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html

Mageia 7 is also affected.

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 0.102.3
CC: (none) => nicolas.salguero

Advisory:

This update provides a new version of clamav.

CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.

CVE-2020-3341: Fixed a vulnerability in the PDF-parsing module in ClamAV 0.101 - 0.102.2 that could cause a denial-of-service condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read, which may cause a crash. OSS-Fuzz discovered this vulnerability.

References:
https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html
https://www.debian.org/lts/security/2020/dla-2215

rpms:
clamav-0.102.3-1.mga7
clamd-0.102.3-1.mga7
clamav-milter-0.102.3-1.mga7
clamav-db-0.102.3-1.mga7
lib64clamav9-0.102.3-1.mga7
lib64clamav-devel-0.102.3-1.mga7
clamav-debugsource-0.102.3-1.mga7
clamav-debuginfo-0.102.3-1.mga7
clamd-debuginfo-0.102.3-1.mga7
lib64clamav9-debuginfo-0.102.3-1.mga7

from:
clamav-0.102.3-1.mga7

CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 0.102.3 => (none)
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 25764 for tests

# freshclam
ClamAV update process started at Thu May 21 14:02:00 2020
Current working dir is /var/lib/clamav/
Querying current.cvd.clamav.net
til
bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
fc_update_database: bytecode.cvd already up-to-date.

# clamscan -vr
Scanning /root/.local/share/teeworlds/masters.cfg
/root/.local/share/teeworlds/masters.cfg: OK
/root/.local/share/webkitgtk/databases/indexeddb/v0: Symbolic link
Scanning /root/.local/share/recently-used.xbel
/root/.local/share/recently-used.xbel: OK
til
----------- SCAN SUMMARY -----------
Known viruses: 6999351
Engine version: 0.102.3
Scanned directories: 49
Scanned files: 51
Infected files: 0
Data scanned: 37.54 MB
Data read: 16.39 MB (ratio 2.29:1)
Time: 22.396 sec (0 m 22 s)

# systemctl -l status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/

# systemctl start clamav-daemon
# systemctl -l status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-05-21 14:03:42 CEST; 4s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
 Main PID: 1438 (clamd)
    Tasks: 1 (limit: 4915)
   Memory: 375.3M
   CGroup: /system.slice/clamav-daemon.service
           └─1438 /usr/sbin/clamd --foreground=true

May 21 14:03:42 mach5.hviaene.thuis systemd[1]: Started Clam AntiVirus userspace daemon.

All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Ubuntu has issued an advisory for this today (May 21): https://usn.ubuntu.com/4370-1/
Severity: normal => major
Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0226.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED