34387 – clamav new security issues CVE-2025-20260 and CVE-2025-20234

Bug 34387 - clamav new security issues CVE-2025-20260 and CVE-2025-20234

Summary: clamav new security issues CVE-2025-20260 and CVE-2025-20234

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2025-06-23 09:22 CEST by Nicolas Salguero
Modified:	2025-06-25 07:32 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	clamav-1.0.8-1.mga9.src.rpm
CVE:	CVE-2025-20260
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2025-06-23 09:22:38 CEST

Those CVEs were announced here:
https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html

CVE-2025-20234 only affects Cauldron.

Nicolas Salguero 2025-06-23 09:23:15 CEST

CVE: (none) => CVE-2025-20260, CVE-2025-20234
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => clamav-1.4.2-2.mga10.src.rpm, clamav-1.0.8-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 1.4.3 and 1.0.9

Comment 1 Nicolas Salguero 2025-06-23 14:08:47 CEST

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Fixed a possible buffer overflow write bug in the PDF file parser that could cause a denial-of-service (DoS) condition or enable remote code execution. (CVE-2025-20260)

References:
https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html
========================

Updated packages in core/updates_testing:
========================
clamav-1.0.9-1.mga9
clamav-db-1.0.9-1.mga9
clamav-milter-1.0.9-1.mga9
clamd-1.0.9-1.mga9
lib(64)clamav11-1.0.9-1.mga9
lib(64)clamav-devel-1.0.9-1.mga9

from SRPM:
clamav-1.0.9-1.mga9.src.rpm

CVE: CVE-2025-20260, CVE-2025-20234 => CVE-2025-20260
Assignee: bugsquad => qa-bugs
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 1.4.3 and 1.0.9 => (none)
Version: Cauldron => 9
Source RPM: clamav-1.4.2-2.mga10.src.rpm, clamav-1.0.8-1.mga9.src.rpm => clamav-1.0.8-1.mga9.src.rpm

katnatek 2025-06-23 19:14:04 CEST

Keywords: (none) => advisory

Comment 2 Herman Viaene 2025-06-24 15:17:10 CEST

MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 33969 for tests:
# freshclam
Current working dir is /var/lib/clamav/
Can't open freshclam.dat in /var/lib/clamav
It probably doesn't exist yet. That's ok.
Failed to load freshclam.dat; will create a new freshclam.dat
Creating new freshclam.dat
Saved freshclam.dat
ClamAV update process started at Tue Jun 24 15:03:11 2025
Current working dir is /var/lib/clamav/
Querying current.cvd.clamav.net
TTL: 1800
fc_dns_query_update_info: Software version from DNS: 1.0.9
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of daily found: daily.cvd.
query_remote_database_version: daily.cvd version from DNS: 27679
daily database available for update (local version: 27678, remote version: 27679)
Current database is 1 version behind.
Downloading database patch # 27679...
Retrieving https://database.clamav.net/daily-27679.cdiff
and a lot more ....
Database test passed.
bytecode.cvd updated (version: 336, sigs: 83, f-level: 90, builder: nrandolp)
fc_update_database: bytecode.cvd updated.

$ clamscan
Loading:    1m 51s, ETA:   0s [========================>]    8.71M/8.71M sigs       
Compiling:  19s, ETA:   0s [========================>]       41/41 tasks ks 

/home/tester9/.dmrc: OK
/home/tester9/.lesshst: OK
/home/tester9/.screenrc: OK
/home/tester9/.xsession-errors.old: OK
/home/tester9/.bash_completion: OK
/home/tester9/.bashrc: OK
etc..... ending
----------- SCAN SUMMARY -----------
Known viruses: 8707558
Engine version: 1.0.9
Scanned directories: 1
Scanned files: 26
Infected files: 0
Data scanned: 0.09 MB
Data read: 0.05 MB (ratio 1.83:1)
Time: 136.336 sec (2 m 16 s)
Start Date: 2025:06:24 15:06:56
End Date:   2025:06:24 15:09:13


# systemctl -l status clamav-daemon
○ clamav-daemon.service - Clam AntiVirus userspace daemon
     Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; preset: disabled)
     Active: inactive (dead)
TriggeredBy: ○ clamav-daemon.socket
       Docs: man:clamd(8)
             man:clamd.conf(5)
             https://docs.clamav.net/
# systemctl start clamav-daemon
# systemctl -l status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
     Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; preset: disabled)
     Active: active (running) since Tue 2025-06-24 15:10:16 CEST; 3s ago
TriggeredBy: ● clamav-daemon.socket
       Docs: man:clamd(8)
             man:clamd.conf(5)
             https://docs.clamav.net/
   Main PID: 71887 (clamd)
      Tasks: 1 (limit: 8806)
     Memory: 99.7M
        CPU: 3.308s
     CGroup: /system.slice/clamav-daemon.service
             └─71887 /usr/sbin/clamd --foreground=true

Jun 24 15:10:16 mach3.hviaene.thuis systemd[1]: Started clamav-daemon.service.

Looks all good.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2025-06-25 01:05:21 CEST

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 4 Mageia Robot 2025-06-25 07:32:44 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0190.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.