Bug 6491 - clamav needs updated to 0.97.5 to fix security issues CVE-2012-1457, CVE-2012-1458, CVE-2012-1459
Summary: clamav needs updated to 0.97.5 to fix security issues CVE-2012-1457, CVE-2012...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA1TOO MGA2-32-OK MGA2-64-OK mga1-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-06-17 19:16 CEST by David Walser
Modified: 2012-07-09 17:28 CEST (History)
CC List: 8 users

See Also:
Source RPM: clamav-0.97.4-2.mga2.src.rpm
CVE:
Status comment:


Attachments
Test case for CVE-2012-1457 (could not reproduce bug though) (10.00 KB, application/octet-stream)
2012-06-25 17:13 CEST, Zoltan Balaton

Description David Walser 2012-06-17 19:16:36 CEST
Mandriva has also updated this in Mandriva 2010.2 updates, so it also needs to be updated so that upgrading from that release still works.

Current Mandriva version is 0.97.5-0.1mdv2010.2
David Walser 2012-06-17 19:17:03 CEST

CC: (none) => thomas
Whiteboard: (none) => MGA2TOO, MGA1TOO

Thomas Spuhler 2012-06-17 21:08:21 CEST

Status: NEW => ASSIGNED

Comment 1 Thomas Spuhler 2012-06-18 00:45:28 CEST
Fixed in Cauldron
Comment 2 David Walser 2012-06-18 03:29:45 CEST
Thanks Thomas.  I see the updates for Mageia 1 and 2 are built as well.

Now we just need an advisory.  I was going to use the CVE blurbs, but they're a bit verbose :o)  Here's an incomplete one.  Feel free to augment it.

Incomplete Advisory:
========================

Updated clamav packages fix security vulnerabilities:

This updates clamav to 0.97.5 which fixes three security issues
(CVE-2012-1457, CVE-2012-1458, CVE-2012-1459), as well as some
other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1459
http://blog.clamav.net/2012/06/clamav-0975-has-been-released.html
========================

Updated packages in core/updates_testing:
========================
clamav-0.97.5-1.mga1
clamd-0.97.5-1.mga1
clamav-milter-0.97.5-1.mga1
clamav-db-0.97.5-1.mga1
libclamav6-0.97.5-1.mga1
libclamav-devel-0.97.5-1.mga1
clamav-0.97.5-1.mga2
clamd-0.97.5-1.mga2
clamav-milter-0.97.5-1.mga2
clamav-db-0.97.5-1.mga2
libclamav6-0.97.5-1.mga2
libclamav-devel-0.97.5-1.mga2

from SRPMS:
clamav-0.97.5-1.mga1.src.rpm
clamav-0.97.5-1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 3 Thomas Spuhler 2012-06-18 03:37:43 CEST
David, I haven't tested the updates yet and I am not sure I get to test them tonight.
I am OK with the advisory.
Comment 4 David Walser 2012-06-18 04:07:30 CEST
OK, no problem.  I'll move QA to CC and you can assign back to them when it's really ready (sorry for jumping the gun :o).

CC: (none) => qa-bugs
Assignee: qa-bugs => thomas

Comment 5 Thomas Spuhler 2012-06-18 05:10:02 CEST
David, I haven't tested the updates yet and I am not sure I get to test them tonight.
I am OK with the advisory.
Comment 6 Thomas Spuhler 2012-06-18 05:32:00 CEST
Oops, someone got in between.
I have now installed the update on mga2 and scanned the home directory.
The software installed and the scan went OK.
I did the same on my mga1 server and additionally I sent myself a good test message and it came through. I also sent myself an e-mail that had the EICAR test virus and it did not get through.
I consider the software ready to be released for the update.

CC: qa-bugs => bugsquad
Assignee: thomas => qa-bugs

Comment 7 David Walser 2012-06-18 20:28:53 CEST
Mandriva's advisory has better descriptions for the security issues fixed:
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:094
Comment 8 Zoltan Balaton 2012-06-25 00:20:04 CEST
I've tried it on mga2 i586: updated related *clam* packages from Testing and checked if it still works. Sent a message with the EICAR test string, which was correctly caught by clamd, and ran a scan with clamscan, which seemed to work as well. Could not check if the actual issues are fixed, but at least I found no regressions, so I'd trust upstream for the fixes here. I suggest accepting this update.

Only noticed one thing, which does not block this; just mentioning it in case someone wants to look at it. After the update, freshclam downloaded some database updates but issued a warning at the end:

WARNING: Clamd was NOT notified: Can't connect to clamd through /var/lib/clamav/clamd.socket

Maybe clamd did not start yet (or was restarting at that moment). Here is what's in the log:

Jun 24 22:53:24 systemd[1]: Reloading.
Jun 24 22:53:25 systemd[1]: freshclam.service: main process exited, code=exited, status=2
Jun 24 22:53:25 freshclam[18315]: Stopping Clam AntiVirus Update Daemon: [  OK  ]
Jun 24 22:53:25 systemd[1]: Unit freshclam.service entered failed state.
Jun 24 22:53:26 freshclam[18343]: Starting Clam AntiVirus Update Daemon: [  OK  ]
Jun 24 22:53:26 systemd[1]: Reloading.
Jun 24 22:53:28 clamd[18388]: Stopping Clam AntiVirus Daemon: [  OK  ]
Jun 24 22:53:42 clamd[18417]: Starting Clam AntiVirus Daemon: [  OK  ]

When I checked, the socket already existed, and clamd had automatically reread the database 10 minutes later during the next regular self-check, so this did "self-heal":
Sun Jun 24 23:03:41 2012 -> No stats for Database check - forcing reload
Sun Jun 24 23:03:42 2012 -> Reading databases from /var/lib/clamav
Sun Jun 24 23:03:53 2012 -> Database correctly reloaded (1258767 signatures)

CC: (none) => balaton

Comment 9 Zoltan Balaton 2012-06-25 16:11:02 CEST
Added tag for testing clamav-0.97.5-1.mga2.src.rpm on mga2 i586 (see Comment 8 for details)

Whiteboard: MGA1TOO => MGA1TOO MGA2-32-OK

Comment 10 user7 2012-06-25 16:31:19 CEST
INFO: No PoCs could be found, so the security fixes cannot be verified. Therefore only regression testing is needed.

CC: (none) => wassi

Comment 11 Zoltan Balaton 2012-06-25 17:13:26 CEST
Created attachment 2492 [details]
Test case for CVE-2012-1457 (could not reproduce bug though)
Comment 12 Zoltan Balaton 2012-06-25 17:14:14 CEST
Tried to reproduce at least one of the CVEs described at http://www.securityfocus.com/archive/1/522005 on mga2 x86_64. I've constructed the attached tar file as per point 39 as a test case for CVE-2012-1457, but clamscan could detect it even before the update and can still detect it with version 0.97.5-1.mga2. I conclude that I found no regressions on x86_64 either, so it's tested for both archs for mga2 now.

Whiteboard: MGA1TOO MGA2-32-OK => MGA1TOO MGA2-32-OK MGA2-64-OK

Comment 13 Dave Hodgins 2012-07-04 00:51:48 CEST
Testing complete on Mageia 1 i586.

Just used freshclam in update, and clamscan on eicar.

CC: (none) => davidwhodgins
Whiteboard: MGA1TOO MGA2-32-OK MGA2-64-OK => MGA1TOO MGA2-32-OK MGA2-64-OK mga1-32-OK

Comment 14 Samuel Verschelde 2012-07-08 16:25:17 CEST
Testing complete on Mageia 1 x86_64

No additional dependency found by depcheck.

See comment #2 for advisory and list of packages.

If someone provides a better advisory before the package is pushed, use the new one, otherwise that one will do.

Keywords: (none) => validated_update
CC: (none) => stormi, sysadmin-bugs
Whiteboard: MGA1TOO MGA2-32-OK MGA2-64-OK mga1-32-OK => MGA1TOO MGA2-32-OK MGA2-64-OK mga1-32-OK mga1-64-OK

Comment 15 David Walser 2012-07-08 16:31:13 CEST
Here's a better one :o)

Advisory:
========================

Updated clamav packages fix security vulnerabilities:

The TAR file parser in ClamAV 0.96.4 allows remote attackers to bypass
malware detection via a TAR archive entry with a length field that
exceeds the total TAR file size. NOTE: this may later be SPLIT into
multiple CVEs if additional information is published showing that the
error occurred independently in different TAR parser implementations
(CVE-2012-1457).

The Microsoft CHM file parser in ClamAV 0.96.4 allows remote attackers
to bypass malware detection via a crafted reset interval in the LZXC
header of a CHM file. NOTE: this may later be SPLIT into multiple CVEs
if additional information is published showing that the error occurred
independently in different CHM parser implementations (CVE-2012-1458).

The TAR file parser in ClamAV 0.96.4 allows remote attackers to
bypass malware detection via a TAR archive entry with a length field
corresponding to that entire entry, plus part of the header of the
next entry. NOTE: this may later be SPLIT into multiple CVEs if
additional information is published showing that the error occurred
independently in different TAR parser implementations (CVE-2012-1459). 

This update upgrades clamav to the latest version (0.97.5), which
resolves these security issues as well as some other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1459
http://blog.clamav.net/2012/06/clamav-0975-has-been-released.html
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:094
========================

Updated packages in core/updates_testing:
========================
clamav-0.97.5-1.mga1
clamd-0.97.5-1.mga1
clamav-milter-0.97.5-1.mga1
clamav-db-0.97.5-1.mga1
libclamav6-0.97.5-1.mga1
libclamav-devel-0.97.5-1.mga1
clamav-0.97.5-1.mga2
clamd-0.97.5-1.mga2
clamav-milter-0.97.5-1.mga2
clamav-db-0.97.5-1.mga2
libclamav6-0.97.5-1.mga2
libclamav-devel-0.97.5-1.mga2

from SRPMS:
clamav-0.97.5-1.mga1.src.rpm
clamav-0.97.5-1.mga2.src.rpm
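As an added illustration of the two TAR malformations the advisory above describes (this is example code written for this page, not ClamAV's parser and not the attachment from comment 11): a small Python checker that walks ustar headers and rejects an entry whose size field runs past the end of the archive, or a header whose checksum no longer verifies, which is what a hardened parser must confirm before it skips over entry data. The sample archives are constructed in memory with the standard library; the file name and payload are made up.

```python
import io
import tarfile

BLOCK = 512  # ustar header and data block size

def _octal(field: bytes) -> int:
    """Decode a NUL/space-terminated octal ustar field (0 if empty)."""
    text = field.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0

def header_checksum(hdr: bytes) -> int:
    """ustar checksum: byte sum of the header with the chksum field taken as spaces."""
    return sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])

def check_tar(data: bytes) -> list:
    """Return (name, size, problem) for the first entry a hardened parser rejects:
    a size field that overruns the archive (the shape behind CVE-2012-1457/1459),
    or a header that fails its checksum, as happens when a previous entry's size
    field overlapped the next header and the parser is now reading entry data."""
    findings = []
    off = 0
    while off + BLOCK <= len(data):
        hdr = data[off:off + BLOCK]
        if hdr == b"\0" * BLOCK:
            break  # end-of-archive marker
        name = hdr[:100].split(b"\0", 1)[0].decode("ascii", "replace")
        size = _octal(hdr[124:136])
        if _octal(hdr[148:156]) != header_checksum(hdr):
            findings.append((name, size, "bad header checksum"))
            break
        end = off + BLOCK + size
        if end > len(data):
            findings.append((name, size, "size overruns archive"))
            break
        off = end + (-size % BLOCK)  # entry data is padded to a 512-byte boundary
    return findings

def build_sample(name: str, payload: bytes) -> bytes:
    """Constructed one-entry ustar archive, built in memory (no disk I/O)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

GOOD = build_sample("notes.txt", b"X" * 700)  # constructed, well-formed
TRUNCATED = GOOD[:BLOCK + 300]  # header still claims 700 bytes; only 300 follow
CORRUPT = b"Z" + GOOD[1:]       # first byte of the name altered: checksum fails
```

A scanner that trusted the size field of TRUNCATED would seek past the end of the file and never inspect the bytes that are actually there; the checker stops at the first inconsistency instead.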
Comment 16 Thomas Backlund 2012-07-09 17:28:26 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0144

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

