Bug 47614 - clamav: Multiple issues (4.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 4.2
Hardware: All Linux
Importance: P5 normal
Target Milestone: UCS 4.2-4-errata
Assigned To: Quality Assurance
QA Contact: Philipp Hahn
 
Reported: 2018-08-20 09:28 CEST by Quality Assurance
Modified: 2018-08-22 15:03 CEST
What kind of report is it?: Security Issue
Max CVSS v3 score: 0.0 () Debian


Description Quality Assurance univentionstaff 2018-08-20 09:28:00 CEST
New Debian clamav 0.100.1+dfsg-0+deb8u1A~4.2.4.201808200927 fixes:
This update addresses the following issues:
* ClamAV before 0.100.1 has an HWP integer overflow with a resultant infinite loop via a crafted Hangul Word Processor file. This is in parsehwp3_paragraph() in libclamav/hwp.c. (CVE-2018-0360)
* ClamAV before 0.100.1 lacks a PDF object length check, resulting in an unreasonably long time to parse a relatively small file. (CVE-2018-0361)
Comment 1 Quality Assurance univentionstaff 2018-08-20 14:39:39 CEST
--- mirror/ftp/4.2/unmaintained/component/4.2-4-errata/source/clamav_0.100.1+dfsg-0+deb8u0A~4.2.0.201808131059.dsc
+++ apt/ucs_4.2-0-errata4.2-4/source/clamav_0.100.1+dfsg-0+deb8u1A~4.2.4.201808200927.dsc
@@ -1,28 +1,32 @@
-0.100.1+dfsg-0+deb8u0A~4.2.0.201808131059 [Mon, 13 Aug 2018 10:59:23 +0200] Univention builddaemon <buildd@univention.de>:
+0.100.1+dfsg-0+deb8u1A~4.2.4.201808200927 [Mon, 20 Aug 2018 09:28:06 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     010-utilize_ucr_autostart_settings
     020-dont_fail_in_postinst_if_start_fails
     030-silence-version-msg
 
-0.100.1+dfsg-0+deb8u0 [Mon, 13 Aug 2018 10:02:25 +0200] Philipp Hahn <hahn@univention.de>:
+0.100.1+dfsg-0+deb8u1 [Mon, 06 Aug 2018 16:59:51 +0200] Santiago Ruano Rincón <santiagorr@riseup.net>:
+
+  * Non-maintainer upload by the LTS Team.
+  * Update to upstream release 0.100.1 (Closes: #903896).
+  * Fixes:
+    - CVE-2018-0360 (HWP integer overflow, infinite loop vulnerabi)
+    - CVE-2018-0361 (ClamAV PDF object length check, unreasonably long
+      time to
+      parse relatively small file)
+  * debian/clamav-daemon.config.in: fix infinite loop after SelfCheck
+    state (Closes: #905044).
+
+  * Upload based on the stretch package, thanks to:
 
   [ Scott Kitterman ]
-  * Only create clamav user during clamav-base install if it does not exist
-    (LP: #121872)
-    - Thanks to Shane Williams for the patch
+  * Only create clamav user during clamav-base install if it does not
+    exist. Patch by Shane Williams.
 
   [ Sebastian Andrzej Siewior ]
   * Bump symbol version due to new version.
   * Add read permission for freshclam on /var/log in the apparmor profile.
     Thanks to Robie Basak (Closes: #902601).
-
-  [ Philipp Hahn ]
-  * NMU.
-  * New upstrem relase (0.100.1)
-    - CVE-2018-0360 (HWP integer overflow, infinite loop vulnerabi)
-    - CVE-2018-0361 (ClamAV PDF object length check, unreasonably long time to
-      parse relatively small file)
 
 0.100.0+dfsg-0+deb8u1 [Wed, 25 Apr 2018 21:58:31 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
 
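Review bot: The added CVE-2018-0360 item under "Fixes:" still carries the cut-off wording "vulnerabi)" that the removed Philipp Hahn block had, and the CVE-2018-0361 item is now wrapped over three lines with "time to" stranded on a line of its own; spell the word out and rewrap the item onto two lines. The rewritten Scott Kitterman item also drops the "(LP: #121872)" reference that the removed lines carried, so keep it for traceability. Separately, the new entry includes the debian/clamav-daemon.config.in change (Closes: #905044), which the bug description does not list next to the two CVEs; consider mentioning it there.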

<http://10.200.17.11/4.2-4/#5215523218139993552>
Comment 2 Philipp Hahn univentionstaff 2018-08-20 14:40:50 CEST
OK: yaml
OK: errata-announce
OK: patch
OK: piuparts

[4.2-4] eb6b5cfa46 Bug #47614: clamav 0.100.1+dfsg-0+deb8u1A~4.2.4.201808200927
 doc/errata/staging/clamav.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

[4.2-4] e4f9de3a7f Bug #47614: clamav 0.100.1+dfsg-0+deb8u1A~4.2.4.201808200927
 doc/errata/staging/clamav.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

[4.2-4] 2f0c313ad1 Bug #47474: clamav ANNOUNCE
 doc/errata/staging/clamav.yaml | 26 --------------------------
 1 file changed, 26 deletions(-)

[4.2-4] 6fd42bfe8e Bug #47474: Advisory wording fix
 doc/errata/staging/clamav.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[4.2-4] 957ceef5ca Bug #47474: clamav 0.100.1+dfsg-0+deb8u0A~4.2.0.201808131059
 doc/errata/staging/clamav.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

[4.2-4] a48e1cbca0 Bug #47474: clamav 0.100.1+dfsg-0+deb8u0A~4.2.0.201808131059
 doc/errata/staging/clamav.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
Comment 3 Arvid Requate univentionstaff 2018-08-22 15:03:16 CEST
<http://errata.software-univention.de/ucs/4.2/491.html>