Bug 30417 - clamav new security issues CVE-2022-2077[01], CVE-2022-20785, CVE-2022-2079[26]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Reported: 2022-05-13 16:44 CEST by Nicolas Salguero
Modified: 2022-05-15 12:08 CEST

Source RPM: clamav-0.103.5-1.mga8.src.rpm

Description Nicolas Salguero 2022-05-13 16:44:18 CEST
Upstream has released ClamAV 0.103.6 on May 4, fixing security issues:
https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html

SUSE has issued an advisory for this on May 12:
https://www.suse.com/support/update/announcement/2022/suse-su-20221647-1/

Mageia 8 is also affected.
Nicolas Salguero 2022-05-13 16:45:00 CEST

Assignee: bugsquad => nicolas.salguero
Whiteboard: (none) => MGA8TOO
Source RPM: (none) => clamav-0.103.5-1.mga8.src.rpm
CC: (none) => nicolas.salguero

Comment 2 Nicolas Salguero 2022-05-14 08:52:06 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Infinite loop vulnerability in the CHM file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. (CVE-2022-20770)

Infinite loop vulnerability in the TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. The issue only occurs if the "--alert-broken-media" ClamScan option is enabled. For ClamD, the affected option is "AlertBrokenMedia yes", and for libclamav it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option. (CVE-2022-20771)

Memory leak in the HTML file parser / Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. (CVE-2022-20785)

Multi-byte heap buffer overflow write vulnerability in the signature database load module. The fix was to update the vendored regex library to the latest version. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. (CVE-2022-20792)

NULL-pointer dereference crash in the scan verdict cache check. Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2. (CVE-2022-20796)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20770
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20771
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20796
https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
https://www.suse.com/support/update/announcement/2022/suse-su-20221647-1/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/OQIRF7L5ZKGSRUC6DDORCDJYKMVJMCEB/
========================

Updated packages in core/updates_testing:
========================
clamav-0.103.6-1.mga8
clamav-db-0.103.6-1.mga8
clamav-milter-0.103.6-1.mga8
clamd-0.103.6-1.mga8
lib(64)clamav9-0.103.6-1.mga8
lib(64)clamav-devel-0.103.6-1.mga8

from SRPM:
clamav-0.103.6-1.mga8.src.rpm

Version: Cauldron => 8
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
Assignee: nicolas.salguero => qa-bugs
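
Added example (not part of the original bug report, and not Mageia or ClamAV project code): a triage helper that applies the version ranges and the AlertBrokenMedia condition from the advisory in Comment 2 to a host's package version and clamd.conf contents. The function names are hypothetical, and only the clamd setting is checked, not the ClamScan option or libclamav scan flag.

```python
import re

# Inclusive version ranges, taken from the advisory text in Comment 2.
LTS_AND_104 = [((0, 0, 0), (0, 103, 5)), ((0, 104, 0), (0, 104, 2))]
CACHE_ONLY = [((0, 103, 4), (0, 103, 5)), ((0, 104, 1), (0, 104, 2))]

# CVE -> (affected ranges, True if it only triggers with AlertBrokenMedia)
ADVISORY = {
    "CVE-2022-20770": (LTS_AND_104, False),  # CHM parser infinite loop
    "CVE-2022-20771": (LTS_AND_104, True),   # TIFF parser infinite loop
    "CVE-2022-20785": (LTS_AND_104, False),  # HTML/JS normalizer memory leak
    "CVE-2022-20792": (LTS_AND_104, False),  # heap overflow on signature load
    "CVE-2022-20796": (CACHE_ONLY, False),   # NULL deref in verdict cache
}


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'clamav-0.103.5-1.mga8'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no ClamAV version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def alert_broken_media(conf_text):
    """True if any active clamd.conf line enables AlertBrokenMedia.

    Assumption: 'yes', 'true' and '1' all count as enabled; any enabling
    line counts, which errs on the side of reporting exposure.
    """
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) >= 2 and fields[0] == "AlertBrokenMedia":
            if fields[1].lower() in ("yes", "true", "1"):
                return True
    return False


def exposure(version_text, conf_text):
    """Return the sorted CVE ids from the advisory that apply to this host."""
    version = parse_version(version_text)
    broken_media = alert_broken_media(conf_text)
    hits = []
    for cve, (ranges, needs_option) in ADVISORY.items():
        in_range = any(lo <= version <= hi for lo, hi in ranges)
        if in_range and (broken_media or not needs_option):
            hits.append(cve)
    return sorted(hits)


# Constructed sample: the pre-update Mageia 8 package with the option on.
if __name__ == "__main__":
    print(exposure("clamav-0.103.5-1.mga8", "AlertBrokenMedia yes\n"))
```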

Comment 3 Herman Viaene 2022-05-14 11:25:17 CEST
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Ref bug 29663 for tests
# freshclam
Current working dir is /var/lib/clamav/
Can't open freshclam.dat in /var/lib/clamav
It probably doesn't exist yet. That's ok.
Failed to load freshclam.dat; will create a new freshclam.dat
Creating new freshclam.dat
Saved freshclam.dat
ClamAV update process started at Sat May 14 11:14:32 2022
Current working dir is /var/lib/clamav/
Querying current.cvd.clamav.net
TTL: 1800
fc_dns_query_update_info: Software version from DNS: 0.103.6
etc .... ending with
Testing database: '/var/lib/clamav/tmp.5f9cd029a8/clamav-c99dff76a017882ad6f70185746e6bf1.tmp-bytecode.cld' ...
Loading signatures from /var/lib/clamav/tmp.5f9cd029a8/clamav-c99dff76a017882ad6f70185746e6bf1.tmp-bytecode.cld
Properly loaded 92 signatures from /var/lib/clamav/tmp.5f9cd029a8/clamav-c99dff76a017882ad6f70185746e6bf1.tmp-bytecode.cld
Database test passed.
bytecode.cld updated (version: 333, sigs: 92, f-level: 63, builder: awillia2)
fc_update_database: bytecode.cld updated.
WARNING: Clamd was NOT notified: Can't connect to clamd through /var/lib/clamav/clamd.socket: No such file or directory
I didn't start clamav-daemon yet, explaining last statement
$ clamscan
/home/tester8/.screenrc: OK
/home/tester8/.xsession-errors: OK
/home/tester8/archtar: OK
/home/tester8/.bashrc: OK
/home/tester8/.muttrc: OK
/home/tester8/.dmrc: OK
/home/tester8/.bash_profile: OK
/home/tester8/foo.diff: OK
/home/tester8/.qareporc: OK
/home/tester8/.bash_completion: OK
/home/tester8/.xsession-errors.old: OK
/home/tester8/.bash_logout: OK
/home/tester8/.bash_history: OK
/home/tester8/.esd_auth: OK
/home/tester8/.gtkrc-2.0: OK
/home/tester8/.mdk-menu-migrated: Empty file
/home/tester8/vis.mp3: OK
/home/tester8/pgadmin.log: OK

----------- SCAN SUMMARY -----------
Known viruses: 8616481
Engine version: 0.103.6
Scanned directories: 1
Scanned files: 17
Infected files: 0
Data scanned: 0.48 MB
Data read: 39.09 MB (ratio 0.01:1)
Time: 19.444 sec (0 m 19 s)
Start Date: 2022:05:14 11:15:33
End Date:   2022:05:14 11:15:52


# systemctl -l status clamav-daemon
* clamav-daemon.service - Clam AntiVirus userspace daemon
     Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
     Active: inactive (dead)
TriggeredBy: * clamav-daemon.socket
       Docs: man:clamd(8)
             man:clamd.conf(5)
             https://docs.clamav.net/

mei 14 11:16:42 mach5.hviaene.thuis systemd[1]: /usr/lib/systemd/system/clamav-daemon.service:13: Standard output type syslog is obsolete, automatically updating to journal.>
mei 14 11:16:42 mach5.hviaene.thuis systemd[1]: /usr/lib/systemd/system/clamav-daemon.service:13: Standard output type syslog is obsolete, automatically updating to journal.>

# systemctl start clamav-daemon
# systemctl -l status clamav-daemon
* clamav-daemon.service - Clam AntiVirus userspace daemon
     Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; vendor preset: disabled)
     Active: active (running) since Sat 2022-05-14 11:17:13 CEST; 3s ago
TriggeredBy: * clamav-daemon.socket
       Docs: man:clamd(8)
             man:clamd.conf(5)
             https://docs.clamav.net/
   Main PID: 158854 (clamd)
      Tasks: 1 (limit: 9395)
     Memory: 489.6M
        CPU: 3.957s
     CGroup: /system.slice/clamav-daemon.service
             `-158854 /usr/sbin/clamd --foreground=true

mei 14 11:17:13 mach5.hviaene.thuis systemd[1]: Started Clam AntiVirus userspace daemon.

all looks OK to me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-05-15 03:44:01 CEST
Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-05-15 04:18:06 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-05-15 12:08:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0187.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

