Univention Bugzilla – Bug 49360
clamav: Multiple issues (4.3)
Last modified: 2019-05-02 12:34:54 CEST
New Debian clamav 0.100.3+dfsg-0+deb9u1A~4.3.4.201904290751 fixes:

This update addresses the following issues:

* A vulnerability in the Portable Document Format (PDF) scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to a lack of proper data handling mechanisms within the device buffer while indexing remaining file data on an affected device. An attacker could exploit this vulnerability by sending crafted PDF files to an affected device. A successful exploit could allow the attacker to cause a heap buffer out-of-bounds read condition, resulting in a crash that could result in a denial of service condition on an affected device. (CVE-2019-1787)
* A vulnerability in the Object Linking & Embedding (OLE2) file scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to a lack of proper input and validation checking mechanisms for OLE2 files sent to an affected device. An attacker could exploit this vulnerability by sending malformed OLE2 files to the device running an affected version of ClamAV Software. An exploit could allow the attacker to cause an out-of-bounds write condition, resulting in a crash that could result in a denial of service condition on an affected device. (CVE-2019-1788)
* clamav (CVE-2019-1789)
--- mirror/ftp/4.3/unmaintained/4.3-3/source/clamav_0.100.2+dfsg-0+deb9u1A~4.3.0.201810250854.dsc +++ apt/ucs_4.3-0-errata4.3-4/source/clamav_0.100.3+dfsg-0+deb9u1A~4.3.4.201904290751.dsc @@ -1,7 +1,27 @@ -0.100.2+dfsg-0+deb9u1A~4.3.0.201810250854 [Thu, 25 Oct 2018 08:54:49 +0200] Univention builddaemon <buildd@univention.de>: +0.100.3+dfsg-0+deb9u1A~4.3.4.201904290751 [Mon, 29 Apr 2019 07:52:01 +0200] Univention builddaemon <buildd@univention.de>: * UCS auto build. The following patches have been applied to the original source package 030-silence-version-msg + +0.100.3+dfsg-0+deb9u1 [Fri, 29 Mar 2019 19:40:34 -0400] Scott Kitterman <scott@kitterman.com>: + + * New upstream security release + - Fixes for the following vulnerabilities: + - [CVE-2019-1787]: + An out-of-bounds heap read condition may occur when scanning PDF + documents. The defect is a failure to correctly keep track of the number + of bytes remaining in a buffer when indexing file data. + - [CVE-2019-1789]: + An out-of-bounds heap read condition may occur when scanning PE files + (i.e. Windows EXE and DLL files) that have been packed using Aspack as a + result of inadequate bound-checking. + - [CVE-2019-1788]: + An out-of-bounds heap write condition may occur when scanning OLE2 files + such as Microsoft Office 97-2003 documents. The invalid write happens when + an invalid pointer is mistakenly used to initialize a 32bit integer to + zero. This is likely to crash the application. + * Update debian/copyright + * Update private symbols for new upstream release 0.100.2+dfsg-0+deb9u1 [Fri, 12 Oct 2018 23:44:44 +0200] Sebastian Andrzej Siewior <sebastian@breakpoint.cc>: <http://10.200.17.11/4.3-4/#4148252267222722491>
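Review bot: the errata text on this bug lists CVE-2019-1789 only as "clamav" with no description, while this changelog hunk carries the upstream wording for it ("An out-of-bounds heap read condition may occur when scanning PE files (i.e. Windows EXE and DLL files) that have been packed using Aspack as a result of inadequate bound-checking"); the errata yaml should carry that same description so all three CVEs are documented consistently with the changelog. The UCS entry also runs the applied patch name onto the sentence ("... applied to the original source package 030-silence-version-msg"); one indented line per patch name would keep the changelog readable.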
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.3-4] 0552295421 Bug #49360: clamav 0.100.3+dfsg-0+deb9u1A~4.3.4.201904290751
 doc/errata/staging/clamav.yaml | 40 +++++++++++++++++++++++-------------------
 1 file changed, 21 insertions(+), 19 deletions(-)

[4.3-4] 50fb1c6747 Bug #49360: clamav 0.100.3+dfsg-0+deb9u1A~4.3.4.201904290751
 doc/errata/staging/clamav.yaml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
<http://errata.software-univention.de/ucs/4.3/482.html>