Univention Bugzilla – Bug 55188
clamav: Multiple issues (5.0)
Last modified: 2022-09-13 17:50:20 CEST
New Debian clamav 0.103.6+dfsg-0+deb10u1A~5.0.2.202209111835 fixes: This update addresses the following issues: * On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in CHM file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available. (CVE-2022-20770) * On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the TIFF file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available. (CVE-2022-20771) * On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in HTML file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available. (CVE-2022-20785) * A vulnerability in the regex module used by the signature database load module of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an authenticated, local attacker to crash ClamAV at database load time, and possibly gain code execution. The vulnerability is due to improper bounds checking that may result in a multi-byte heap buffer overwflow write. An attacker could exploit this vulnerability by placing a crafted CDB ClamAV signature database file in the ClamAV database directory. An exploit could allow the attacker to run code as the clamav user. (CVE-2022-20792) * On May 4, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in Clam AntiVirus (ClamAV) versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2 could allow an authenticated, local attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. (CVE-2022-20796)
--- mirror/ftp/pool/main/c/clamav/clamav_0.103.5+dfsg-0+deb10u1A~5.0.1.202203271459.dsc +++ apt/ucs_5.0-0-errata5.0-2/source/clamav_0.103.6+dfsg-0+deb10u1A~5.0.0.202209120853.dsc @@ -1,7 +1,22 @@ -0.103.5+dfsg-0+deb10u1A~5.0.1.202203271459 [Mon, 28 Mar 2022 08:44:25 +0200] Univention builddaemon <buildd@univention.de>: +0.103.6+dfsg-0+deb10u1A~5.0.0.202209120853 [Mon, 12 Sep 2022 08:53:34 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 030-silence-version-msg + +0.103.6+dfsg-0+deb10u1 [Thu, 26 May 2022 10:19:13 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: + + * Import 0.103.6 + - CVE-2022-20770 (Possible infinite loop vulnerability in the CHM file + parser). + - CVE-2022-20796 (Possible NULL-pointer dereference crash in the scan + verdict cache check). + - CVE-2022-20771 (Possible infinite loop vulnerability in the TIFF file + parser). + - CVE-2022-20785 (Possible memory leak in the HTML file parser/ + Javascript normalizer). + - CVE-2022-20792 (Possible multi-byte heap buffer overflow write + vulnerability in the signature database load module. + - Update symbol file. 0.103.5+dfsg-0+deb10u1 [Thu, 13 Jan 2022 21:51:03 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: <http://piuparts.knut.univention.de/5.0-2/#1721682631646228144>
OK: yaml OK: announce_errata OK: patch OK: piuparts [5.0-2] 110b7482f2 Bug #55188: clamav 0.103.6+dfsg-0+deb10u1A~5.0.0.202209120853 doc/errata/staging/clamav.yaml | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+)
<https://errata.software-univention.de/#/?erratum=5.0x413>