Bug 53470 - clamav: Multiple issues (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 5.0
All Linux
: P3 normal (vote)
: UCS 5.0-0-errata
Assigned To: Quality Assurance
Erik Damrose
:
Depends on:
Blocks:
Reported: 2021-06-21 09:55 CEST by Quality Assurance
Modified: 2021-06-23 15:55 CEST (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) NVD


Attachments

Description Quality Assurance univentionstaff 2021-06-21 09:55:55 CEST
New Debian clamav 0.103.2+dfsg-0+deb10u1A~5.0.0.202106210952 fixes:
This update addresses the following issue:
* A vulnerability in the email parsing module in Clam AntiVirus (ClamAV) Software version 0.103.1 and all prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper variable initialization that may result in a NULL pointer read. An attacker could exploit this vulnerability by sending a crafted email to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition. (CVE-2021-1405)
Comment 1 Quality Assurance univentionstaff 2021-06-21 11:00:15 CEST
--- mirror/ftp/pool/main/c/clamav/clamav_0.102.4+dfsg-0+deb10u1A~5.0.0.202008030841.dsc
+++ apt/ucs_5.0-0-errata5.0-0/source/clamav_0.103.2+dfsg-0+deb10u1A~5.0.0.202106210952.dsc
@@ -1,7 +1,29 @@
-0.102.4+dfsg-0+deb10u1A~5.0.0.202008030841 [Mon, 03 Aug 2020 08:53:48 +0200] Univention builddaemon <buildd@univention.de>:
+0.103.2+dfsg-0+deb10u1A~5.0.0.202106210952 [Mon, 21 Jun 2021 09:56:25 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     030-silence-version-msg
+
+0.103.2+dfsg-0+deb10u1 [Wed, 14 Apr 2021 08:38:52 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  [ Sebastian Andrzej Siewior ]
+  * Import 0.103.2
+    - CVE-2021-1252 (Fix for Excel XLM parser infinite loop.)
+    - CVE-2021-1404 (Fix for PDF parser buffer over-read; possible crash.)
+    - CVE-2021-1405 (Fix for mail parser NULL-dereference crash.)
+    - Fix testsuite in an IPv6 only environment (Closes: #963853).
+    - Update symbol file.
+    - Drop CURL_CA_BUNDLE related patch, changes applied upstream.
+   (Closes: #986622).
+  * Rename NEWS.Debian to NEWS.
+  * Update lintian overrides.
+  * Update apparmor profile for freshclam. Thanks to Michael Borgelt.
+    (Closes: #972974)
+  * Update apparmor profile for clamd. Thanks to Stefano Callegari.
+    (Closes: #973619).
+  * Remove deprecated option SafeBrowsing from debconf templates.
+
+  [ Helmut Grohne ]
+  * Honour DEB_BUILD_OPTIONS=nocheck again. (Closes: #960843)
 
 0.102.4+dfsg-0+deb10u1 [Sat, 18 Jul 2020 00:22:32 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 

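Review bot: the imported 0.103.2 changelog entry lists three CVE fixes (CVE-2021-1252 for the Excel XLM parser infinite loop, CVE-2021-1404 for the PDF parser buffer over-read, and CVE-2021-1405 for the mail parser NULL dereference), but the bug description above only names CVE-2021-1405; please confirm that doc/errata/staging/clamav.yaml announces all three so the published erratum matches what the package actually fixes. The same entry also changes the freshclam and clamd apparmor profiles and drops the SafeBrowsing debconf option, which is worth a mention in the announcement text since it may affect existing deployments on upgrade.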
<http://piuparts.knut.univention.de/5.0-0/#5608041106165004562>
Comment 2 Erik Damrose univentionstaff 2021-06-23 09:39:46 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[5.0-0] ec91f44a99 Bug #53470: clamav 0.103.2+dfsg-0+deb10u1A~5.0.0.202106210952
 doc/errata/staging/clamav.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
Comment 3 Erik Damrose univentionstaff 2021-06-23 15:55:53 CEST
<https://errata.software-univention.de/#/?erratum=5.0x15>