Bug 54330 - clamav: Multiple issues (4.4)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.4
Hardware: All Linux
Importance: P3 normal
Target Milestone: UCS 4.4-8-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
Reported: 2022-01-12 12:45 CET by Philipp Hahn
Modified: 2022-01-12 16:33 CET (History)
What kind of report is it?: Security Issue
Max CVSS v3 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) NVD


Description Philipp Hahn univentionstaff 2022-01-12 12:45:53 CET
New Debian clamav None fixes:
This update addresses the following issues:
- Fix for Excel XLM parser infinite loop. (CVE-2021-1252)
- Fix for PDF parser buffer over-read; possible crash. (CVE-2021-1404)
- Fix for mail parser NULL-dereference crash. (CVE-2021-1405)
Comment 1 Quality Assurance univentionstaff 2022-01-12 13:05:29 CET
--- mirror/ftp/4.4/unmaintained/4.4-8/source/clamav_0.102.4+dfsg-0+deb9u2A~4.4.8.202104141431.dsc
+++ apt/ucs_4.4-0-errata4.4-8/source/clamav_0.103.4+dfsg-0+deb9u1A~4.4.0.202201121248.dsc
@@ -1,7 +1,24 @@
-0.102.4+dfsg-0+deb9u2A~4.4.8.202104141431 [Wed, 14 Apr 2021 14:41:46 +0200] Univention builddaemon <buildd@univention.de>:
+0.103.4+dfsg-0+deb9u1A~4.4.0.202201121248 [Wed, 12 Jan 2022 12:48:10 +0100] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     030-silence-version-msg
+
+0.103.4+dfsg-0+deb9u1 [Wed, 05 Jan 2022 12:22:29 +0100] Emilio Pozuelo Monfort <pochu@debian.org>:
+
+  * Non-maintainer upload by the LTS Team.
+  * New upstream release.
+  * Update symbols file.
+  * Refresh patches.
+  * Backport some changes from the buster update:
+  * Add clamonacc.8.
+  * Remove clamav user on purge (Closes: #987861).
+  * Remove freshclam.dat on purge.
+  * Remove deprecated option SafeBrowsing from debconf templates.
+  * Handle new clamd.conf options.
+  * Update apparmor profile for freshclam. Thanks to Michael Borgelt.
+    (Closes: #972974)
+  * Update apparmor profile for clamd. Thanks to Stefano Callegari.
+    (Closes: #973619).
 
 0.102.4+dfsg-0+deb9u2 [Wed, 14 Apr 2021 13:26:10 +0530] Utkarsh Gupta <utkarsh@debian.org>:
 
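Review bot: The new 0.103.4+dfsg-0+deb9u1 entry describes the security content only as "New upstream release", so the three CVEs this erratum is filed for (CVE-2021-1252, CVE-2021-1404, CVE-2021-1405) cannot be traced from the changelog; list them under that bullet. The items after "Backport some changes from the buster update:" sit at the same bullet level as that line, so it is unclear which of them are the backports; indent them as sub-items. Since the entry also removes the deprecated SafeBrowsing option from the debconf templates and handles new clamd.conf options, the errata text should ask administrators with locally modified ClamAV configuration to review it after the upgrade.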

<http://piuparts.knut.univention.de/4.4-8/#8460072206533760751>
Comment 2 Philipp Hahn univentionstaff 2022-01-12 16:09:14 CET
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-8] 0e71c971f1 Bug #54330: clamav 0.103.4+dfsg-0+deb9u1A~4.4.0.202201121248
 doc/errata/staging/clamav.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)