Bug 26653 - clamav new security issues CVE-2020-3327 and CVE-2020-3341
Summary: clamav new security issues CVE-2020-3327 and CVE-2020-3341
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-05-21 00:00 CEST by David Walser
Modified: 2020-05-24 20:06 CEST (History)
5 users (show)

See Also:
Source RPM: clamav-0.102.2-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-05-21 00:00:38 CEST
Debian-LTS has issued an advisory today (May 20):
https://www.debian.org/lts/security/2020/dla-2215

The issues are fixed upstream in 0.102.3:
https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html

Mageia 7 is also affected.
David Walser 2020-05-21 00:00:54 CEST

Whiteboard: (none) => MGA7TOO
Status comment: (none) => Fixed upstream in 0.102.3
CC: (none) => nicolas.salguero

Comment 1 Nicolas Lécureuil 2020-05-21 01:33:10 CEST
Advisory:
This update provides a new version of clamav.

CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.
CVE-2020-3341: Fixed a vulnerability in the PDF-parsing module in ClamAV 0.101 - 0.102.2 that could cause a denial-of-service condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read, which may cause a crash. OSS-Fuzz discovered this vulnerability.

References:
https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html
https://www.debian.org/lts/security/2020/dla-2215

rpms:
clamav-0.102.3-1.mga7
clamd-0.102.3-1.mga7
clamav-milter-0.102.3-1.mga7
clamav-db-0.102.3-1.mga7
lib64clamav9-0.102.3-1.mga7
lib64clamav-devel-0.102.3-1.mga7
clamav-debugsource-0.102.3-1.mga7
clamav-debuginfo-0.102.3-1.mga7
clamd-debuginfo-0.102.3-1.mga7
lib64clamav9-debuginfo-0.102.3-1.mga7

from:
clamav-0.102.3-1.mga7

CC: (none) => mageia
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
Assignee: pkg-bugs => qa-bugs

David Walser 2020-05-21 02:11:47 CEST

Status comment: Fixed upstream in 0.102.3 => (none)

Comment 2 Herman Viaene 2020-05-21 14:11:12 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 25764 for tests
# freshclam
ClamAV update process started at Thu May 21 14:02:00 2020
Current working dir is /var/lib/clamav/
Querying current.cvd.clamav.net
til
bytecode.cvd database is up to date (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
fc_update_database: bytecode.cvd already up-to-date.

# clamscan -vr
Scanning /root/.local/share/teeworlds/masters.cfg
/root/.local/share/teeworlds/masters.cfg: OK
/root/.local/share/webkitgtk/databases/indexeddb/v0: Symbolic link
Scanning /root/.local/share/recently-used.xbel
/root/.local/share/recently-used.xbel: OK
til
----------- SCAN SUMMARY -----------
Known viruses: 6999351
Engine version: 0.102.3
Scanned directories: 49
Scanned files: 51
Infected files: 0
Data scanned: 37.54 MB
Data read: 16.39 MB (ratio 2.29:1)
Time: 22.396 sec (0 m 22 s)

# systemctl -l status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/

# systemctl start clamav-daemon

# systemctl -l status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-05-21 14:03:42 CEST; 4s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
 Main PID: 1438 (clamd)
    Tasks: 1 (limit: 4915)
   Memory: 375.3M
   CGroup: /system.slice/clamav-daemon.service
           └─1438 /usr/sbin/clamd --foreground=true

May 21 14:03:42 mach5.hviaene.thuis systemd[1]: Started Clam AntiVirus userspace daemon.

All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 3 David Walser 2020-05-21 22:14:23 CEST
Ubuntu has issued an advisory for this today (May 21):
https://usn.ubuntu.com/4370-1/

Severity: normal => major

Thomas Backlund 2020-05-24 19:19:56 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => tmb, sysadmin-bugs

Comment 4 Mageia Robot 2020-05-24 20:06:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0226.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.