Bug 9853 - Multiple vulnerabilities in clamav
: Multiple vulnerabilities in clamav
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: http://lwn.net/Vulnerabilities/548896/
: mga2-32-OK mga2-64-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2013-04-24 14:12 CEST by Oden Eriksson
Modified: 2013-05-02 19:27 CEST (History)
4 users (show)

See Also:
Source RPM: clamav-0.97.7-1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description Oden Eriksson 2013-04-24 14:12:42 CEST
Date: Wed, 24 Apr 2013 07:59:04 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@...hat.com>
To: Felix Groebert <groebert@...gle.com>
Cc: "Steven M. Christey" <coley@...us.mitre.org>,
        oss-security@...ts.openwall.com
Subject: Multiple potential security issues fixed in ClamAV 0.97.8 - any
 further details?

Hello Felix,

  this is due the ClamAV 0.97.8 release:
  [1] http://blog.clamav.net/2013/04/clamav-0978-has-been-released.html
  [2] https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog
  [3] https://bugzilla.redhat.com/show_bug.cgi?id=956176
  [4] https://bugzilla.novell.com/show_bug.cgi?id=816865

Could you clarify how many and what kind of possible security issues
has been corrected within this release? (so we would know how many
CVE identifiers should be allocated to these)

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2013-04-24 15:04:05 CEST
http://freecode.com/projects/clamav/releases/354139
Comment 2 Thomas Spuhler 2013-04-24 20:11:56 CEST
This update is now in mga2/updates/testing
it fixes (from upstream) 
“ClamAV 0.97.8 addresses several reported potential security bugs. Thanks to
Felix Groebert of the Google Security Team for finding and reporting these issues.”
(The upgrade request has also been submitted to Cauldron)
Comment 3 David Walser 2013-04-24 21:48:07 CEST
Fixed in Cauldron in clamav-0.97.8-1.mga3.  Thanks Thomas.
Comment 4 Carolyn Rowse 2013-04-26 20:35:18 CEST
Tested i586 in VM using clamtk - no regressions noticed after update.

Carolyn
Comment 5 Carolyn Rowse 2013-04-28 20:36:29 CEST
Tested x86_64 on real hw using clamtk - no regressions noticed after update.

Update validated.

See comment 2 for advisory.

SRPM: clamav-0.97.8-1.mga2.src.prm

Could sysadmin please push from core/updates_testing to core/updates.

Thanks.

Carolyn
Comment 6 Oden Eriksson 2013-04-30 07:37:27 CEST
From oss-security:

CVE-2013-2020:
https://bugzilla.clamav.net/show_bug.cgi?id=7055
heap corruption, potentially exploitable.

CVE-2013-2021:
https://bugzilla.clamav.net/show_bug.cgi?id=7053
overflow due to PDF key length computation. Potentially exploitable.

CVE-2013-????:
https://bugzilla.clamav.net/show_bug.cgi?id=7054
NULL pointer dereference in sis parsing.
Comment 7 David Walser 2013-04-30 18:03:58 CEST
Here's Mandriva's advisory with the CVE and upstream bug references:
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:159/
Comment 8 David Walser 2013-04-30 19:49:11 CEST
Original bug URL:
http://www.openwall.com/lists/oss-security/2013/04/24/3
Comment 9 Thomas Backlund 2013-05-02 19:27:49 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0132

Note You need to log in before you can comment on or make changes to this bug.