Univention Bugzilla – Bug 46616
clamav: Multiple issues (4.3)
Last modified: 2018-05-16 17:03:58 CEST
New Debian clamav 0.99.4+dfsg-1+deb9u1 fixes:

This update addresses the following issues:
* libclamav/message.c allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted e-mail message. (CVE-2017-6418)
* mspack/lzxd.c allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file. (CVE-2017-6419)
* Out-of-bounds heap read in XAR parser (CVE-2018-1000085)
* The cabd_read_string function allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file. (CVE-2017-11423)
* The wwunpack function allows remote attackers to cause a denial of service (use-after-free) via a crafted PE file with WWPack compression. (CVE-2017-6420)
* Out-of-bounds access in the PDF parser (CVE-2018-0202)

libclamav/message.c in ClamAV 0.99.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted e-mail message.
CVE-2017-6419 libmspack, clamav: heap-based buffer overflow in mspack/lzxd.c
CVE-2018-1000085
CVE-2017-11423 libmspack, clamav: Stack-based buffer over-read in cabd_read_string function
The wwunpack function in libclamav/wwunpack.c in ClamAV 0.99.2 allows remote attackers to cause a denial of service (use-after-free) via a crafted PE file with WWPack compression.
CVE-2018-0202
[4.3-0] bada9173bd Bug #46616: clamav_0.99.4+dfsg-1+deb9u1
--- mirror/ftp/4.3/unmaintained/4.3-0/source/clamav_0.99.2+dfsg-6+b1A~4.3.0.201712111442.dsc +++ apt/ucs_4.3-0-errata4.3-0/source/clamav_0.99.4+dfsg-1+deb9u1.dsc @@ -1,10 +1,18 @@ -0.99.2+dfsg-6+b1A~4.3.0.201712111442 [Mon, 11 Dec 2017 14:42:56 +0100] Univention builddaemon <buildd@univention.de>: +0.99.4+dfsg-1+deb9u1 [Sat, 03 Mar 2018 12:15:58 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: - * UCS auto build. The following patches have been applied to the original source package - 01-fix-ftbfs - 010-utilize_ucr_autostart_settings - 020-dont_fail_in_postinst_if_start_fails - 030-silence-version-msg + * Update to upstream 0.99.4: + Fixes for CVE: CVE-2018-1000085, CVE-2018-0202. + * Update the gpg signing key (the old DSA expired). + * Update version of private symbols due to version change. + * Bump symbol version of cl_retflevel because CL_FLEVEL changed. + +0.99.2+dfsg-6+deb9u1 [Sat, 27 Jan 2018 00:33:28 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: + + * Apply security patches from 0.99.3 (Closes: #888484): + - fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420, + CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, + CVE-2017-12378, CVE-2017-12379, CVE-2017-12380. + * Bump symbol version of cl_retflevel because CL_FLEVEL changed. 0.99.2+dfsg-6 [Sat, 04 Feb 2017 21:54:51 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
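Review bot: the +++ side is the plain Debian source 0.99.4+dfsg-1+deb9u1 with no UCS build suffix, while the --- side is the UCS rebuild 0.99.2+dfsg-6+b1A~4.3.0.201712111442, and the removed "* UCS auto build" entry takes 01-fix-ftbfs, 010-utilize_ucr_autostart_settings, 020-dont_fail_in_postinst_if_start_fails and 030-silence-version-msg with it. Confirm for each of the four patches that it is obsolete, or rebuild with the ones still needed applied, so the errata does not ship without the UCS adaptations.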
(In reply to Quality Assurence from comment #2)
> --- clamav_0.99.2+dfsg-6+b1A~4.3.0.201712111442.dsc
> +++ clamav_0.99.4+dfsg-1+deb9u1.dsc
> - * UCS auto build. The following patches have been applied to the original
> source package
> - 01-fix-ftbfs
> - 010-utilize_ucr_autostart_settings
> - 020-dont_fail_in_postinst_if_start_fails
> - 030-silence-version-msg

This does not look right.
(In reply to Philipp Hahn from comment #3)
> (In reply to Quality Assurence from comment #2)
> > --- clamav_0.99.2+dfsg-6+b1A~4.3.0.201712111442.dsc
> > +++ clamav_0.99.4+dfsg-1+deb9u1.dsc
> > - * UCS auto build. The following patches have been applied to the original
> > source package
> > - 01-fix-ftbfs

No longer needed as the build system is now UCS-4.3

> > - 010-utilize_ucr_autostart_settings

No longer needed as we have the generic systemd handler

> > - 020-dont_fail_in_postinst_if_start_fails

No longer needed with systemd

> > - 030-silence-version-msg

This is the only remaining patch, which could also be dropped.

Package: clamav
Version: 0.99.4+dfsg-1+deb9u1A~4.3.0.201805042157
Branch: ucs_4.3-0
Scope: errata4.3-0

[4.3-0] 272c3b2c26 Bug #46616: clamav 0.99.4+dfsg-1+deb9u1
 doc/errata/staging/clamav.yaml | 2 +-
--- mirror/ftp/4.3/unmaintained/4.3-0/source/clamav_0.99.2+dfsg-6+b1A~4.3.0.201712111442.dsc +++ apt/ucs_4.3-0-errata4.3-0/source/clamav_0.99.4+dfsg-1+deb9u1A~4.3.0.201805042157.dsc @@ -1,10 +1,23 @@ -0.99.2+dfsg-6+b1A~4.3.0.201712111442 [Mon, 11 Dec 2017 14:42:56 +0100] Univention builddaemon <buildd@univention.de>: +0.99.4+dfsg-1+deb9u1A~4.3.0.201805042157 [Fri, 04 May 2018 21:57:00 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package - 01-fix-ftbfs - 010-utilize_ucr_autostart_settings - 020-dont_fail_in_postinst_if_start_fails 030-silence-version-msg + +0.99.4+dfsg-1+deb9u1 [Sat, 03 Mar 2018 12:15:58 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: + + * Update to upstream 0.99.4: + Fixes for CVE: CVE-2018-1000085, CVE-2018-0202. + * Update the gpg signing key (the old DSA expired). + * Update version of private symbols due to version change. + * Bump symbol version of cl_retflevel because CL_FLEVEL changed. + +0.99.2+dfsg-6+deb9u1 [Sat, 27 Jan 2018 00:33:28 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: + + * Apply security patches from 0.99.3 (Closes: #888484): + - fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420, + CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, + CVE-2017-12378, CVE-2017-12379, CVE-2017-12380. + * Bump symbol version of cl_retflevel because CL_FLEVEL changed. 0.99.2+dfsg-6 [Sat, 04 Feb 2017 21:54:51 +0100] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
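Review bot: the changelog entries in this hunk name fixes for CVE-2018-1000085, CVE-2018-0202, CVE-2017-6418, CVE-2017-6420 and CVE-2017-12374 through CVE-2017-12380, but neither CVE-2017-6419 (mspack/lzxd.c) nor CVE-2017-11423 (cabd_read_string) appears, although the bug description lists both as fixed by this update. Cross-check those two against the 0.99.4 source before the advisory is published, and note that "030-silence-version-msg" survives as an unchanged context line, so the rebuild still carries that one UCS patch while the three with "-" markers are gone.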
* Obsolete patches removed: Ok:
  010-utilize_ucr_autostart_settings.patch
  020-dont_fail_in_postinst_if_start_fails.patch
  01-fix-ftbfs.patch
  clamav/freshclam/autostart=false clamav/daemon/autostart=false still works
* UCS specific 030-silence-version-msg.quilt merged and applied during build
* Comparison to previously shipped version ok
* Binary package update Ok
* Advisory adjusted: 2b5c0b326c | Sort CVEs
<http://errata.software-univention.de/ucs/4.3/44.html>