Mandriva has also updated this in Mandriva 2010.2 updates, so it also needs to be updated so that upgrading from that release still works. Current Mandriva version is 0.97.5-0.1mdv2010.2
CC: (none) => thomas
Whiteboard: (none) => MGA2TOO, MGA1TOO
Status: NEW => ASSIGNED
Fixed in Cauldron
Thanks Thomas. I see the updates for Mageia 1 and 2 are built as well. Now we just need an advisory. I was going to use the CVE blurbs, but they're a bit verbose :o) Here's an incomplete one. Feel free to augment it.

Incomplete Advisory:
========================

Updated clamav packages fix security vulnerabilities:

This updates clamav to 0.97.5 which fixes three security issues (CVE-2012-1457, CVE-2012-1458, CVE-2012-1459), as well as some other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1459
http://blog.clamav.net/2012/06/clamav-0975-has-been-released.html
========================

Updated packages in core/updates_testing:
========================
clamav-0.97.5-1.mga1
clamd-0.97.5-1.mga1
clamav-milter-0.97.5-1.mga1
clamav-db-0.97.5-1.mga1
libclamav6-0.97.5-1.mga1
libclamav-devel-0.97.5-1.mga1
clamav-0.97.5-1.mga2
clamd-0.97.5-1.mga2
clamav-milter-0.97.5-1.mga2
clamav-db-0.97.5-1.mga2
libclamav6-0.97.5-1.mga2
libclamav-devel-0.97.5-1.mga2

from SRPMS:
clamav-0.97.5-1.mga1.src.rpm
clamav-0.97.5-1.mga2.src.rpm

Version: Cauldron => 2
Assignee: bugsquad => qa-bugs
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
David, I haven't tested the updates yet and I am not sure I get to test them tonight. I am OK with the advisory.
OK, no problem. I'll move QA to CC and you can assign back to them when it's really ready (sorry for jumping the gun :o).
CC: (none) => qa-bugs
Assignee: qa-bugs => thomas

Ooops, someone got in between. I have now installed the update on mga2 and scanned the home directory. The software installed and the scan went OK. I did the same on my mga1 server and additionally I sent myself a good test message and it came through. I also sent myself an e-mail that had the eicar test virus and it did not get through. I consider the software is ready to be released for the update.

CC: qa-bugs => bugsquad
Assignee: thomas => qa-bugs
Mandriva's advisory has better descriptions for the security issues fixed: http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:094
I've tried it on mga2 i586: updated related *clam* packages from Testing and checked if it still works. Sent a message with the EICAR test string which was correctly caught by clamd and ran a scan with clamscan which seemed to work as well. Could not check if the actual issues are fixed but at least I found no regressions so I'd trust upstream for the fixes here. I suggest to accept this update.

Only noticed one thing which does not block this, just mentioning it in case someone wants to look at it. After the update, freshclam downloaded some database updates but issued a warning at the end:

WARNING: Clamd was NOT notified: Can't connect to clamd through /var/lib/clamav/clamd.socket

Maybe clamd did not start yet (or was restarting at that moment). Here is what's in the log:

Jun 24 22:53:24 systemd[1]: Reloading.
Jun 24 22:53:25 systemd[1]: freshclam.service: main process exited, code=exited, status=2
Jun 24 22:53:25 freshclam[18315]: Stopping Clam AntiVirus Update Daemon: [ OK ]
Jun 24 22:53:25 systemd[1]: Unit freshclam.service entered failed state.
Jun 24 22:53:26 freshclam[18343]: Starting Clam AntiVirus Update Daemon: [ OK ]
Jun 24 22:53:26 systemd[1]: Reloading.
Jun 24 22:53:28 clamd[18388]: Stopping Clam AntiVirus Daemon: [ OK ]
Jun 24 22:53:42 clamd[18417]: Starting Clam AntiVirus Daemon: [ OK ]

When I checked, the socket already existed and clamd has automatically reread the database 10 minutes later during the next regular selfcheck so this did "selfheal":

Sun Jun 24 23:03:41 2012 -> No stats for Database check - forcing reload
Sun Jun 24 23:03:42 2012 -> Reading databases from /var/lib/clamav
Sun Jun 24 23:03:53 2012 -> Database correctly reloaded (1258767 signatures)
CC: (none) => balaton
Added tag for testing clamav-0.97.5-1.mga2.src.rpm on mga2 i586 (see Comment 8 for details)
Whiteboard: MGA1TOO => MGA1TOO MGA2-32-OK
INFO: No PoCs could be found, so the security fixes can not be verified. Therefore only regression testing is needed.
CC: (none) => wassi
Created attachment 2492
Test case for CVE-2012-1457 (could not reproduce bug though)
Tried to reproduce at least one of the CVEs described at http://www.securityfocus.com/archive/1/522005 on mga2 x86_64. I've constructed the attached tar file as per point 39. as a test case for CVE-2012-1457 but clamscan could detect it even before the update and can still detect it with version 0.97.5-1.mga2. I conclude that I found no regressions on x86_64 either so it's tested for both archs for mga2 now.
Whiteboard: MGA1TOO MGA2-32-OK => MGA1TOO MGA2-32-OK MGA2-64-OK
Testing complete on Mageia 1 i586. Just used freshclam in update, and clamscan on eicar.
CC: (none) => davidwhodgins
Whiteboard: MGA1TOO MGA2-32-OK MGA2-64-OK => MGA1TOO MGA2-32-OK MGA2-64-OK mga1-32-OK

Testing complete on Mageia 1 x86_64. No additional dependency found by depcheck. See comment #2 for advisory and list of packages. If someone provides a better advisory before the package is pushed, use the new one, otherwise that one will do.

Keywords: (none) => validated_update
CC: (none) => stormi, sysadmin-bugs
Whiteboard: MGA1TOO MGA2-32-OK MGA2-64-OK mga1-32-OK => MGA1TOO MGA2-32-OK MGA2-64-OK mga1-32-OK mga1-64-OK
Here's a better one :o)

Advisory:
========================

Updated clamav packages fix security vulnerabilities:

The TAR file parser in ClamAV 0.96.4 allows remote attackers to bypass malware detection via a TAR archive entry with a length field that exceeds the total TAR file size. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations (CVE-2012-1457).

The Microsoft CHM file parser in ClamAV 0.96.4 allows remote attackers to bypass malware detection via a crafted reset interval in the LZXC header of a CHM file. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different CHM parser implementations (CVE-2012-1458).

The TAR file parser in ClamAV 0.96.4 allows remote attackers to bypass malware detection via a TAR archive entry with a length field corresponding to that entire entry, plus part of the header of the next entry. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different TAR parser implementations (CVE-2012-1459).

This update upgrades clamav to the latest version (0.97.5), which resolves these security issues as well as some other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1458
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1459
http://blog.clamav.net/2012/06/clamav-0975-has-been-released.html
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2012:094
========================

Updated packages in core/updates_testing:
========================
clamav-0.97.5-1.mga1
clamd-0.97.5-1.mga1
clamav-milter-0.97.5-1.mga1
clamav-db-0.97.5-1.mga1
libclamav6-0.97.5-1.mga1
libclamav-devel-0.97.5-1.mga1
clamav-0.97.5-1.mga2
clamd-0.97.5-1.mga2
clamav-milter-0.97.5-1.mga2
clamav-db-0.97.5-1.mga2
libclamav6-0.97.5-1.mga2
libclamav-devel-0.97.5-1.mga2

from SRPMS:
clamav-0.97.5-1.mga1.src.rpm
clamav-0.97.5-1.mga2.src.rpm
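
Both TAR issues in the advisory above come down to an entry whose length field disagrees with the bytes actually in the archive. As an added illustration (not part of this bug report and not ClamAV's code), the Python check below walks the raw headers and flags a size that runs past the end of the data, and a header position that fails its checksum, which is also what a walker sees when the previous entry's size was wrong. `check_tar`, `build_sample` and the member names are constructed for this example; GNU base-256 size fields are reported as unparsable rather than decoded.

```python
import io
import tarfile

BLOCK = 512  # tar headers and payloads are aligned to 512-byte blocks

def parse_octal(field):
    """Parse a NUL/space-terminated octal numeric header field."""
    text = field.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0

def checksum_ok(header):
    """Recompute the header checksum with the checksum field read as spaces."""
    try:
        stored = parse_octal(header[148:156])
    except ValueError:
        return False
    return stored == sum(header[:148]) + 8 * 0x20 + sum(header[156:])

def check_tar(data):
    """Walk raw tar headers; return (offset, name, problem) for inconsistencies."""
    findings, offset = [], 0
    while offset + BLOCK <= len(data):
        header = data[offset:offset + BLOCK]
        if header == bytes(BLOCK):  # zero block marks end of archive
            break
        name = header[:100].split(b"\0", 1)[0].decode("utf-8", "replace")
        if not checksum_ok(header):
            findings.append((offset, name, "bad header checksum"))
            break
        try:
            size = parse_octal(header[124:136])
        except ValueError:  # includes GNU base-256 sizes, not handled here
            findings.append((offset, name, "unparsable size field"))
            break
        if offset + BLOCK + size > len(data):
            findings.append((offset, name, "size exceeds archive length"))
            break
        offset += BLOCK + (size + BLOCK - 1) // BLOCK * BLOCK
    return findings

def build_sample():
    """Constructed sample: a valid two-member ustar archive, built in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, body in (("a.txt", b"A" * 300), ("b.txt", b"B" * 40)):
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

A check like this can sit in front of a scanner as a consistency gate: an archive with any finding is treated as suspect regardless of the scan verdict.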
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0144
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED