Univention Bugzilla – Bug 36965
Update clamav to 0.98.7 (3.2)
Last modified: 2015-07-16 15:11:09 CEST
clamav 0.98.5 has been released. We should update to this version in 3.2 and 4.0 to keep up-to-date with handling engine features required for malware scanning.
The release also adresses two security issues:
Buffer overflow when parsing crafted y0da Crypter PE files (CVE-2014-9050)
The patches have been ported:
-> Updated to 0.98.5 in 010-utilize_ucr_autostart_settings.patch
-> Updated to 0.98.5 with another backport change in 020-backport.patch
-> Updated to 0.98.5 in 030-silence-version-msg.patch
The new version requires libmspack for processing various Microsoft compression formats. This library has been built in the errata3.2-4 scope as well.
To ensure upgradibility to 4.0-0 the source package was rebuilt as 0.98.1+dfsg-1+deb7u4+really0.98.5+dfsg-0+deb7u2 using "dpkg-buildpackage -S" before the import.
(In reply to Moritz Muehlenhoff from comment #2)
> The new version requires libmspack for processing various Microsoft
> compression formats. This library has been built in the errata3.2-4 scope as
I removed it again from the errata3.2-4 scope and added a patch to continue to use the internal CAB parser in clamav.
The patch to use the external libmspack requires a full dh-autoreconf at build time (which our debhelper 8 in UCS 3.2 doesn't support without massive manual changes) and might cause subtle changes.
0.98.6 will be released soon, let's directly move to that version
0.98.6 has been released. It also fixes a security issue: Memory corruption in processing upack archives (CVE-2014-9328)
0.98.6 also fixes a security issue: Memory corruption in processing upack
archives (CVE-2014-9328). Also CVE-2015-1461, CVE-2015-1462, CVE-2015-1463
Whe building this the update to the new upstream release needs to be added as a patch, otherwise we have the problem that there might be an erratum update in 3.2, which is more recent than in 4.0-0.
The clamav version in 4.0 uses the system copy of LLVM, but the ClamAV tarball also includes a local copy, so the dependenciees must be adapted not to build-depend on libllvm.
*** Bug 38426 has been marked as a duplicate of this bug. ***
The changelog of Debian package version clamav 0.98.7+dfsg-1 lists these security issues as fixed:
* Crash in upx decoder with crafted file (CVE-2015-2170)
* Infinite loop condition on crafted y0da cryptor file (CVE-2015-2221)
* Crash on crafted petite packed file (CVE-2015-2222)
* Infinite loop condition on a crafted "xz" archive file (CVE-2015-2668)
* Heap overflow vulnerability in regcomp.c (CVE-2015-2305)
The changelog of the Debian Squeeze-LTS package version 0.98.7+dfsg-0+deb6u1 claims additional issues as fixed:
"contains security fixes related to packed or crypted files (CVE-2014-9328, CVE-2015-1461, CVE-2015-1462, CVE-2015-1463, CVE-2015-2170, CVE-2015-2221, CVE-2015-2222, and CVE-2015-2668) and several fixes to the embedded libmspack library, including a potential infinite loop in the Quantum decoder (CVE-2014-9556)."
CVE-2015-2305 has not been fixed yet, but assessed as unimportant by the Debian ClamAV packaging team.
If required the upstream tarball is here: http://sourceforge.net/projects/clamav/files/clamav/0.98.7/
(In reply to Moritz Muehlenhoff from comment #2)
> To ensure upgradibility to 4.0-0 the source package was rebuilt as
> 0.98.1+dfsg-1+deb7u4+really0.98.5+dfsg-0+deb7u2 using "dpkg-buildpackage -S"
> before the import.
This version string breaks in repo-ng, as the reg-exp matched the '+deb7u4' in the middle and not at the end:
> buildversion=$(echo $buildversion | sed -re 's#[+~]?(wheezy|squeeze|lenny|etch|etchnhalf|deb6u|deb7u)[0-9]+##')
Ordering: '~' < '\0' < [A-Z] < [a-z] < '+' < '-' < '.' < ':'
(42~-1 < 42 < 42A-1 < 42a-1 < 42+-1 < 42--1 < 42.-1 < 0:42:-1)
Debian-Version Scope UCS-Version
0.98.1+dfsg-1+deb7u3 errata3.2-2 0.98.1+dfsg-1.128.201406171144
0.98.4+dfsg-0+deb7u2 ucs4.0-0 0.98.4+dfsg-0.132.201410191831
r14793 | Bug #36965: ClamAV 0.98.7 for UCS-3.2
r14794 | Bug #36965: ClamAV 0.98.7 for UCS-3.2
OK: aptitude install '?source-package(clamav)~u'
OK: clamscan test/clam*
r61005 | Bug #36965: ClamAV UCS-3.2
clamav depends on libjson0 which is unmaintained. Felix has more details.
Changed to --without-libjson due to multiple security issues in json-c
r61098 | Bug #36965: ClamAV UCS-3.2
The fixes for
seem to be missing. Please check/clarify how they are included.
(In reply to Janek Walkenhorst from comment #13)
> The fixes for
> - <https://security-tracker.debian.org/tracker/CVE-2014-9050>
OK: <https://github.com/vrtadmin/clamav-devel/commit/fc3794a54d2affe5770c1f876484a871c783e91e> in libclamav/pe.c
> - <https://security-tracker.debian.org/tracker/CVE-2013-6497>
OK: bb11088 - Merge in fixes for clamscan -a crash bug
OK: <http://blog.clamav.net/2014/11/clamav-0985-has-been-released.html> 0.98.5
> - <https://security-tracker.debian.org/tracker/CVE-2015-1461>
> - <https://security-tracker.debian.org/tracker/CVE-2015-1462>
> - <https://security-tracker.debian.org/tracker/CVE-2015-1463>
OK: These are the 3 un-numbered entries on <http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html> 0.98.6
OK: <https://github.com/vrtadmin/clamav-devel/commit/96ff19a19eba64bdf47f2f12ecdbc5ee331c09e2> in libclamav/petite.c
> seem to be missing. Please check/clarify how they are included.