Univention Bugzilla – Full Text Bug Listing

Summary: | Update clamav to 0.98.7 (3.2) | | |
---|---|---|---|
Product: | UCS | Reporter: | Moritz Muehlenhoff <jmm> |
Component: | Security updates | Assignee: | Philipp Hahn <hahn> |
Status: | CLOSED FIXED | QA Contact: | Janek Walkenhorst <walkenhorst> |
Severity: | normal | | |
Priority: | P5 | CC: | botner, gohmann, requate |
Version: | UCS 3.2 | Flags: | requate: Patch_Available+ |
Target Milestone: | UCS 3.2-6-errata | | |
Hardware: | Other | | |
OS: | Linux | | |
Bug group (optional): | Security | | |
Description (Moritz Muehlenhoff, 2014-11-24 12:42:15 CET)
The patches have been ported:

* 010utilize_ucr_autostart_settings.patch -> Updated to 0.98.5 in 010-utilize_ucr_autostart_settings.patch
* 02-disable-rules-dh_reconf.patch -> Updated to 0.98.5 with another backport change in 020-backport.patch
* 02-silence-version-msg.patch -> Updated to 0.98.5 in 030-silence-version-msg.patch

The new version requires libmspack for processing various Microsoft compression formats. This library has been built in the errata3.2-4 scope as well.

To ensure upgradability to 4.0-0 the source package was rebuilt as 0.98.1+dfsg-1+deb7u4+really0.98.5+dfsg-0+deb7u2 using "dpkg-buildpackage -S" before the import.

(In reply to Moritz Muehlenhoff from comment #2)
> The new version requires libmspack for processing various Microsoft
> compression formats. This library has been built in the errata3.2-4 scope as
> well.

I removed it again from the errata3.2-4 scope and added a patch to continue to use the internal CAB parser in clamav. The patch to use the external libmspack requires a full dh-autoreconf at build time (which our debhelper 8 in UCS 3.2 doesn't support without massive manual changes) and might cause subtle changes.

0.98.6 will be released soon, let's directly move to that version.

0.98.6 has been released. It also fixes a security issue: Memory corruption in processing upack archives (CVE-2014-9328)

0.98.6 also fixes a security issue: Memory corruption in processing upack archives (CVE-2014-9328). Also CVE-2015-1461, CVE-2015-1462, CVE-2015-1463.

When building this, the update to the new upstream release needs to be added as a patch, otherwise we have the problem that there might be an erratum update in 3.2 which is more recent than in 4.0-0.

The clamav version in 4.0 uses the system copy of LLVM, but the ClamAV tarball also includes a local copy, so the dependencies must be adapted not to build-depend on libllvm.

*** Bug 38426 has been marked as a duplicate of this bug. ***

The changelog of Debian package version clamav 0.98.7+dfsg-1 lists these security issues as fixed:

* Crash in upx decoder with crafted file (CVE-2015-2170)
* Infinite loop condition on crafted y0da cryptor file (CVE-2015-2221)
* Crash on crafted petite packed file (CVE-2015-2222)
* Infinite loop condition on a crafted "xz" archive file (CVE-2015-2668)
* Heap overflow vulnerability in regcomp.c (CVE-2015-2305)

The changelog of the Debian Squeeze-LTS package version 0.98.7+dfsg-0+deb6u1 claims additional issues as fixed: "contains security fixes related to packed or crypted files (CVE-2014-9328, CVE-2015-1461, CVE-2015-1462, CVE-2015-1463, CVE-2015-2170, CVE-2015-2221, CVE-2015-2222, and CVE-2015-2668) and several fixes to the embedded libmspack library, including a potential infinite loop in the Quantum decoder (CVE-2014-9556)."

CVE-2015-2305 has not been fixed yet, but assessed as unimportant by the Debian ClamAV packaging team.

If required the upstream tarball is here: http://sourceforge.net/projects/clamav/files/clamav/0.98.7/

(In reply to Moritz Muehlenhoff from comment #2)
> To ensure upgradability to 4.0-0 the source package was rebuilt as
> 0.98.1+dfsg-1+deb7u4+really0.98.5+dfsg-0+deb7u2 using "dpkg-buildpackage -S"
> before the import.

This version string breaks in repo-ng, as the reg-exp matched the '+deb7u4' in the middle and not at the end:

ucs-3.2/internal/repo-ng/build-package/build-package-ng:269
> buildversion=$(echo $buildversion | sed -re 's#[+~]?(wheezy|squeeze|lenny|etch|etchnhalf|deb6u|deb7u)[0-9]+##')

Allowed: +-.0…9:A…Za…z~
Ordering: '~' < '\0' < [A-Z] < [a-z] < '+' < '-' < '.' < ':'
(42~-1 < 42 < 42A-1 < 42a-1 < 42+-1 < 42--1 < 42.-1 < 0:42:-1)

Debian-Version | Scope | UCS-Version
---|---|---
0.98.1+dfsg-1+deb7u3 | errata3.2-2 | 0.98.1+dfsg-1.128.201406171144
0.98.4+dfsg-0+deb7u2 | ucs4.0-0 | 0.98.4+dfsg-0.132.201410191831

r14793 | Bug #36965: ClamAV 0.98.7 for UCS-3.2
r14794 | Bug #36965: ClamAV 0.98.7 for UCS-3.2

Package: clamav
Version: 0.98.1+dfsg-2~really0.98.7+dfsg-0.150.201506021701
Branch: ucs_3.2-0
Scope: errata3.2-6

OK: aptitude install '?source-package(clamav)~u'
OK: clamscan test/clam*

r61005 | Bug #36965: ClamAV UCS-3.2 2015-06-02-clamav.yaml

clamav depends on libjson0 which is unmaintained. Felix has more details. See http://jenkins.knut.univention.de:8080/job/UCS-3.2/job/UCS-3.2-6/job/Autotest%20MultiEnv/lastCompletedBuild/SambaVersion=s3,Systemrolle=master/testReport/20_appcenter/20_can_apps_be_installed/test/

Changed to --without-libjson due to multiple security issues in json-c.

Package: clamav
Version: 0.98.1+dfsg-2~really0.98.7+dfsg-0.151.201506081022
Branch: ucs_3.2-0
Scope: errata3.2-6

r61098 | Bug #36965: ClamAV UCS-3.2 2015-06-02-clamav.yaml

Tests: OK
Advisory: OK

The fixes for
- CVE-2014-9050
- CVE-2013-6497
- CVE-2015-1461
- CVE-2015-1462
- CVE-2015-1463
seem to be missing. Please check/clarify how they are included.

(In reply to Janek Walkenhorst from comment #13)
> The fixes for
> - <https://security-tracker.debian.org/tracker/CVE-2014-9050>
OK: <https://github.com/vrtadmin/clamav-devel/commit/fc3794a54d2affe5770c1f876484a871c783e91e> in libclamav/pe.c
> - <https://security-tracker.debian.org/tracker/CVE-2013-6497>
OK: bb11088 - Merge in fixes for clamscan -a crash bug
OK: <http://blog.clamav.net/2014/11/clamav-0985-has-been-released.html> 0.98.5
> - <https://security-tracker.debian.org/tracker/CVE-2015-1461>
> - <https://security-tracker.debian.org/tracker/CVE-2015-1462>
> - <https://security-tracker.debian.org/tracker/CVE-2015-1463>
OK: These are the 3 un-numbered entries on <http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html> 0.98.6
OK: <https://github.com/vrtadmin/clamav-devel/commit/96ff19a19eba64bdf47f2f12ecdbc5ee331c09e2> in libclamav/petite.c
> seem to be missing. Please check/clarify how they are included.
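The dpkg ordering rules and the build-package-ng sed expression quoted in the thread, worked through as an added example (this is not code from the bug report, from UCS or from dpkg): compare() reimplements the dpkg version comparison so the stated ordering chain and the Debian/UCS version pairs can be checked, and strip_debian_suffix() replays the quoted sed expression on the problematic version string to show the match landing in the middle.

```python
import re
from functools import cmp_to_key
from itertools import zip_longest

def _order(c):
    # weight of one character: '~' < end of run < letters < other symbols
    if not c or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _fragcmp(a, b):
    # dpkg's verrevcmp: walk both strings as alternating non-digit/digit runs
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def compare(a, b):
    # -1, 0 or 1 like "dpkg --compare-versions": epoch, upstream, then revision
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        up, sep, rev = rest.rpartition("-")
        return int(epoch), (up if sep else rest), (rev if sep else "")
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea > eb) - (ea < eb) or _fragcmp(ua, ub) or _fragcmp(ra, rb)
    return (r > 0) - (r < 0)

def sort_versions(versions):
    return sorted(versions, key=cmp_to_key(compare))

# The sed expression quoted from build-package-ng:269; sed without /g replaces
# only the first match, so it hits "+deb7u4" in the middle of the string.
STRIP_RE = re.compile(r"[+~]?(wheezy|squeeze|lenny|etch|etchnhalf|deb6u|deb7u)[0-9]+")

def strip_debian_suffix(version):
    return STRIP_RE.sub("", version, count=1)

if __name__ == "__main__":
    print(sort_versions(["42", "42~-1", "0:42:-1", "42+-1", "42A-1"]))
    print(strip_debian_suffix("0.98.1+dfsg-1+deb7u4+really0.98.5+dfsg-0+deb7u2"))
```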