Bug 46180 - clamav: Multiple issues (4.2)
clamav: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.2
All Linux
: P5 major (vote)
: UCS 4.2-3-errata
Assigned To: Philipp Hahn
Stefan Gohmann
http://metadata.ftp-master.debian.org...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-01-28 11:59 CET by Philipp Hahn
Modified: 2018-01-29 17:14 CET (History)
3 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 5.5 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
hahn: Patch_Available+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Philipp Hahn univentionstaff 2018-01-28 11:59:31 CET
+++ This bug was initially created as a clone of Bug #45615 +++
ucs_4.2-0 has clamav (0.99.2+dfsg-0+deb8u2)
<http://xen1.knut.univention.de:8000/packages/source/clamav/?since=4.1-0>
Waiting for <https://bugs.debian.org/888484> and <https://bugs.debian.org/888553>

CVE-2017-12374
    ClamAV has a use-after-free condition arising from a lack of input
    validation. A remote attacker could exploit this vulnerability with
    a crafted email message to cause a denial of service.
CVE-2017-12375
    ClamAV has a buffer overflow vulnerability arising from a lack of
    input validation. An unauthenticated remote attacker could send a
    crafted email message to the affected device, triggering a buffer
    overflow and potentially a denial of service when the malicious
    message is scanned.
CVE-2017-12376
    ClamAV has a buffer overflow vulnerability arising from improper
    input validation when handling Portable Document Format (PDF) files.
    An unauthenticated remote attacker could send a crafted PDF file to
    the affected device, triggering a buffer overflow and potentially a
    denial of service or arbitrary code execution when the malicious
    file is scanned.
CVE-2017-12377
    ClamAV has a heap overflow vulnerability arising from improper input
    validation when handling mew packets. An attacker could exploit this
    by sending a crafted message to the affected device, triggering a
    denial of service or possible arbitrary code execution when the
    malicious file is scanned.
CVE-2017-12378
    ClamAV has a buffer overread vulnerability arising from improper
    input validation when handling tape archive (TAR) files. An
    unauthenticated remote attacker could send a crafted TAR file to
    the affected device, triggering a buffer overread and potentially a
    denial of service when the malicious file is scanned.
CVE-2017-12379
    ClamAV has a buffer overflow vulnerability arising from improper
    input validation in the message parsing function. An unauthenticated
    remote attacker could send a crafted email message to the affected
    device, triggering a buffer overflow and potentially a denial of
    service or arbitrary code execution when the malicious message is
    scanned.
CVE-2017-12380
    ClamAV has a NULL dereference vulnerability arising from improper
    input validation in the message parsing function. An unauthenticated
    remote attacker could send a crafted email message to the affected
    device, triggering a NULL pointer dereference, which may result in a
    denial of service.

FYI: The previous UCS build was missing all patches:
> clamav (0.99.2+dfsg-0.A~4.2.0.201703071307) ucs4-2-0-0; urgency=low
>   * UCS auto build. No patches were applied to the original source package
> clamav (0.99.2+dfsg-0+deb8u2) stable; urgency=medium
Comment 1 Philipp Hahn univentionstaff 2018-01-28 12:17:11 CET
r17999 | Bug #46180: clamav

Sort as given
> 0.99.2+dfsg-0.A~4.2.0.201703071307 (4.2-0)
> 0.99.2+dfsg-0.A~4.2.3.201801281200 (4.2-3 errata) <===
> 0.99.2+dfsg-6+b1A~4.3.0.201712111442 (4.3-0)

build-package-ng -p clamav -r 4.2 -s errata4.2-3 -v '0.99.2+dfsg-0.A~4.2.3.201801281200'

Package: clamav
Version: 0.99.2+dfsg-0.A~4.2.3.201801281200
Branch: ucs_4.2-0
Scope: errata4.2-3

6094cee27d Bug #46180: clamav

FYI: This can be ignored:
dpkg-gensymbols: warning: debian/libclamav7/DEBIAN/symbols doesn't match completely debian/libclamav7.symbols
--- debian/libclamav7.symbols (libclamav7_0.99.2+dfsg-0.A~4.2.3.201801281200_i386)
+++ dpkg-gensymbolsDksVMK       2018-01-28 11:07:23.810856101 +0000
@@ -63,7 +63,7 @@
  cl_load_cert@CLAMAV_PRIVATE 0.99.2
  cl_load_crl@CLAMAV_PRIVATE 0.99.2
  cl_retdbdir@CLAMAV_PUBLIC 0.99~rc1
- cl_retflevel@CLAMAV_PUBLIC 0.99.2+dfsg-6+deb8u2
+ cl_retflevel@CLAMAV_PUBLIC 0.99.2+dfsg-0.A~4.2.3.201801281200
  cl_retver@CLAMAV_PUBLIC 0.99~rc1
  cl_scandesc@CLAMAV_PUBLIC 0.99~rc1
  cl_scandesc_callback@CLAMAV_PUBLIC 0.99~rc1
Comment 2 Stefan Gohmann univentionstaff 2018-01-29 12:38:24 CET
YAML: OK

Build: OK (Patches have been applied)
-------------------------------------------
$ zless /usr/share/doc/clamav/changelog.Debian.gz 
clamav (0.99.2+dfsg-0.A~4.2.3.201801281200) ucs4-2-0-0; urgency=low

  * UCS auto build. The following patches have been applied to the original source package
    010-utilize_ucr_autostart_settings
    020-dont_fail_in_postinst_if_start_fails
    025-CVE-2017-xxx
    030-silence-version-msg

 -- Univention builddaemon <buildd@univention.de>  Sun, 28 Jan 2018 12:04:08 +0100

clamav (0.99.2+dfsg-0+deb8u3) jessie; urgency=medium

  * Apply security patches from 0.99.3 (Closes: #888484):
    - fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420,
      CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
      CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
  * Cherry-pick patch from bb11549 to fix a temp file cleanup issue
    (Closes: #824196).
-------------------------------------------

Tests: OK. Mail tests were successful.
Comment 3 Arvid Requate univentionstaff 2018-01-29 17:14:08 CET
<http://errata.software-univention.de/ucs/4.2/266.html>