Bug 46616 - clamav: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
Importance: P3 normal
Target Milestone: UCS 4.3-0-errata
Assigned To: Philipp Hahn
QA Contact: Arvid Requate
Reported: 2018-03-13 16:37 CET by Philipp Hahn
Modified: 2018-05-16 17:03 CEST (History)

What kind of report is it?: Security Issue
Max CVSS v3 score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) NVD
Description Philipp Hahn univentionstaff 2018-03-13 16:37:36 CET
New Debian clamav 0.99.4+dfsg-1+deb9u1 fixes:
This update addresses the following issues:
* libclamav/message.c allows remote attackers to cause a denial of service
  (out-of-bounds read) via a crafted e-mail message. (CVE-2017-6418)
* mspack/lzxd.c allows remote attackers to cause a denial of service
  (heap-based buffer overflow and application crash) or possibly have
  unspecified other impact via a crafted CHM file. (CVE-2017-6419)
* Out-of-bounds heap read in XAR parser (CVE-2018-1000085)
* The cabd_read_string function allows remote attackers to cause a denial of
  service (stack-based buffer over-read and application crash) via a crafted
  CAB file. (CVE-2017-11423)
* The wwunpack function allows remote attackers to cause a denial of service
  (use-after-free) via a crafted PE file with WWPack compression.
  (CVE-2017-6420)
* Out-of-bounds access in the PDF parser (CVE-2018-0202)

libclamav/message.c in ClamAV 0.99.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted e-mail message.
CVE-2017-6419 libmspack, clamav: heap-based buffer overflow in mspack/lzxd.c
CVE-2018-1000085
CVE-2017-11423 libmspack, clamav: Stack-based buffer over-read in cabd_read_string function
The wwunpack function in libclamav/wwunpack.c in ClamAV 0.99.2 allows remote attackers to cause a denial of service (use-after-free) via a crafted PE file with WWPack compression.
CVE-2018-0202
Comment 1 Philipp Hahn univentionstaff 2018-03-13 17:42:13 CET
[4.3-0] bada9173bd Bug #46616: clamav_0.99.4+dfsg-1+deb9u1
Comment 2 Quality Assurance univentionstaff 2018-05-04 16:43:53 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/clamav_0.99.2+dfsg-6+b1A~4.3.0.201712111442.dsc
+++ apt/ucs_4.3-0-errata4.3-0/source/clamav_0.99.4+dfsg-1+deb9u1.dsc
@@ -1,10 +1,18 @@
-0.99.2+dfsg-6+b1A~4.3.0.201712111442 [Mon, 11 Dec 2017 14:42:56 +0100] Univention builddaemon <buildd@univention.de>:
+0.99.4+dfsg-1+deb9u1 [Sat, 03 Mar 2018 12:15:58 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 
-  * UCS auto build. The following patches have been applied to the original source package
-    01-fix-ftbfs
-    010-utilize_ucr_autostart_settings
-    020-dont_fail_in_postinst_if_start_fails
-    030-silence-version-msg
+  * Update to upstream 0.99.4:
+    Fixes for CVE: CVE-2018-1000085, CVE-2018-0202.
+  * Update the gpg signing key (the old DSA expired).
+  * Update version of private symbols due to version change.
+  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
+
+0.99.2+dfsg-6+deb9u1 [Sat, 27 Jan 2018 00:33:28 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Apply security patches from 0.99.3 (Closes: #888484):
+    - fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420,
+      CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
+      CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
+   * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
 
 0.99.2+dfsg-6 [Sat, 04 Feb 2017 21:54:51 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
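Review bot: the removed block `  * UCS auto build. The following patches have been applied to the original source package` together with its four patch names (`01-fix-ftbfs`, `010-utilize_ucr_autostart_settings`, `020-dont_fail_in_postinst_if_start_fails`, `030-silence-version-msg`) has no counterpart on the `+` side, and the new head entry is Debian's (`Sebastian Andrzej Siewior`) rather than a `Univention builddaemon` entry, so this .dsc is the unmodified Debian source with none of the UCS patches applied. Before this is shipped, each dropped patch needs an explicit decision on whether it is still required, and the package should be rebuilt so the changelog records a UCS build entry. Also, the header `@@ -1,10 +1,18 @@` announces 10/18 lines but only 9/17 are shown, so the pasted diff appears to be missing its last context line.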
Comment 3 Philipp Hahn univentionstaff 2018-05-04 16:50:50 CEST
(In reply to Quality Assurance from comment #2)
> --- clamav_0.99.2+dfsg-6+b1A~4.3.0.201712111442.dsc
> +++ clamav_0.99.4+dfsg-1+deb9u1.dsc
> -  * UCS auto build. The following patches have been applied to the original
> source package
> -    01-fix-ftbfs
> -    010-utilize_ucr_autostart_settings
> -    020-dont_fail_in_postinst_if_start_fails
> -    030-silence-version-msg

This does not look right.
Comment 4 Philipp Hahn univentionstaff 2018-05-04 22:41:00 CEST
(In reply to Philipp Hahn from comment #3)
> (In reply to Quality Assurance from comment #2)
> > --- clamav_0.99.2+dfsg-6+b1A~4.3.0.201712111442.dsc
> > +++ clamav_0.99.4+dfsg-1+deb9u1.dsc
> > -  * UCS auto build. The following patches have been applied to the original
> > source package
> > -    01-fix-ftbfs
No longer needed as the build system is now UCS-4.3

> > -    010-utilize_ucr_autostart_settings
No longer needed as we have the generic systemd handler

> > -    020-dont_fail_in_postinst_if_start_fails
No longer needed with systemd

> > -    030-silence-version-msg
This is the only remaining patch, which could also be dropped.

Package: clamav
Version: 0.99.4+dfsg-1+deb9u1A~4.3.0.201805042157
Branch: ucs_4.3-0
Scope: errata4.3-0

[4.3-0] 272c3b2c26 Bug #46616: clamav 0.99.4+dfsg-1+deb9u1
 doc/errata/staging/clamav.yaml | 2 +-
Comment 5 Quality Assurance univentionstaff 2018-05-04 22:41:44 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/clamav_0.99.2+dfsg-6+b1A~4.3.0.201712111442.dsc
+++ apt/ucs_4.3-0-errata4.3-0/source/clamav_0.99.4+dfsg-1+deb9u1A~4.3.0.201805042157.dsc
@@ -1,10 +1,23 @@
-0.99.2+dfsg-6+b1A~4.3.0.201712111442 [Mon, 11 Dec 2017 14:42:56 +0100] Univention builddaemon <buildd@univention.de>:
+0.99.4+dfsg-1+deb9u1A~4.3.0.201805042157 [Fri, 04 May 2018 21:57:00 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
-    01-fix-ftbfs
-    010-utilize_ucr_autostart_settings
-    020-dont_fail_in_postinst_if_start_fails
     030-silence-version-msg
+
+0.99.4+dfsg-1+deb9u1 [Sat, 03 Mar 2018 12:15:58 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Update to upstream 0.99.4:
+    Fixes for CVE: CVE-2018-1000085, CVE-2018-0202.
+  * Update the gpg signing key (the old DSA expired).
+  * Update version of private symbols due to version change.
+  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
+
+0.99.2+dfsg-6+deb9u1 [Sat, 27 Jan 2018 00:33:28 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
+
+  * Apply security patches from 0.99.3 (Closes: #888484):
+    - fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420,
+      CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
+      CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
+   * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
 
 0.99.2+dfsg-6 [Sat, 04 Feb 2017 21:54:51 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
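Review bot: the three removed patch lines (`01-fix-ftbfs`, `010-utilize_ucr_autostart_settings`, `020-dont_fail_in_postinst_if_start_fails`) leave no trace in the retained UCS build entry of why they were dropped; the rationale given in comment 4 (build system is now UCS-4.3, generic systemd handler replaces the autostart and postinst patches) should be recorded in the changelog entry or the advisory so the next rebase does not have to rediscover it. The version string `0.99.4+dfsg-1+deb9u1A~4.3.0.201805042157` and the restored `Univention builddaemon` head entry do address the problem raised against comment 2, with `030-silence-version-msg` the only patch still applied.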
Comment 6 Arvid Requate univentionstaff 2018-05-14 18:52:45 CEST
* Obsolete patches removed: Ok:
  010-utilize_ucr_autostart_settings.patch
  020-dont_fail_in_postinst_if_start_fails.patch
  01-fix-ftbfs.patch
  
  clamav/freshclam/autostart=false clamav/daemon/autostart=false still works

* UCS specific 030-silence-version-msg.quilt merged and applied during build
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory adjusted:
  2b5c0b326c | Sort CVEs
Comment 7 Arvid Requate univentionstaff 2018-05-16 17:03:58 CEST
<http://errata.software-univention.de/ucs/4.3/44.html>