Released today. Source & Changelog: http://www.clamav.net/lang/en/download/sources/
clamav-0.96.3 is now in our software repository. It will be available on the mirrors soon. Thank you for your bug report.
Reopening to investigate this later:
Mon Sep 20 14:16:59 CEST 2010 (acab)
------------------------------------
 * libclamav/nsis/bzlib.cld sys: port upstream fixes for CVE-2010-0405, check for buggy bzip2 (bb#2230, bb#2231)
I think the bzip-issue doesn't affect us as we don't use the bundled bzip2-code (though not sure about it). But that also sounds like it's security relevant:
Mon Sep 20 14:50:34 EEST 2010 (edwin)
-------------------------------------
 * libclamav/pdf.c: Add missing boundscheck to pdf code (bb #2226)
The referenced bug is not visible to the public, so it's likely a security issue.
There is a new version, 0.96.4: http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=clamav-0.96.4
(In reply to comment #3)
> I think the bzip-issue doesn't affect us as we don't use the bundled bzip2-code
> (though not sure about it). But that also sounds like it's security relevant:
> Mon Sep 20 14:50:34 EEST 2010 (edwin)
> -------------------------------------
>  * libclamav/pdf.c: Add missing boundscheck to pdf code (bb #2226)
> The referenced bug is not visible to the public, so it's likely a security issue.
>
Agreed and that is listed as fixed in 0.96.3. 0.96.4 is in the tree thanks to Bug 345189. Unless @antivirus objects...
Arches, please test and mark stable:
=app-antivirus/clamav-0.96.4
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
x86 done thanks.
Stable for HPPA PPC.
amd64 done
alpha/ia64/sparc stable
On ppc64 64ul, getting TOC errors on clamav now
/usr/lib/gcc/powerpc64-unknown-linux-gnu/4.3.4/../../../../powerpc64-unknown-linux-gnu/bin/ld: c++/.libs/libclamavcxx.a(LegalizeVectorTypes.o)(.text+0x16bd8): sibling call optimization to `llvm::DAGTypeLegalizer::GetScalarizedVector(llvm::SDValue)' does not allow automatic multiple TOCs; recompile with -mminimal-toc or -fno-optimize-sibling-calls, or make `llvm::DAGTypeLegalizer::GetScalarizedVector(llvm::SDValue)' extern
/usr/lib/gcc/powerpc64-unknown-linux-gnu/4.3.4/../../../../powerpc64-unknown-linux-gnu/bin/ld: c++/.libs/libclamavcxx.a(LegalizeVectorTypes.o)(.text+0x17aac): sibling call optimization to `llvm::DAGTypeLegalizer::GetScalarizedVector(llvm::SDValue)' does not allow automatic multiple TOCs; recompile with -mminimal-toc or -fno-optimize-sibling-calls, or make `llvm::DAGTypeLegalizer::GetScalarizedVector(llvm::SDValue)' extern
We have got clamav-0.96.5 ( http://git.clamav.net/gitweb?p=clamav-devel.git;a=blob_plain;f=ChangeLog;hb=clamav-0.96.5 ).
Updated toolchain fixed the TOC problem. Marking stable ppc64
Thanks, folks. GLSA request filed.
CVE-2010-3434 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3434): Buffer overflow in the find_stream_bounds function in pdf.c in libclamav in ClamAV before 0.96.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document. NOTE: some of these details are obtained from third party information.
Rerating B1 since clamav often runs in automated systems where it simply scans all email processed, i.e. no user action is required to be exploited.
This issue was resolved and addressed in GLSA 201110-20 at http://security.gentoo.org/glsa/glsa-201110-20.xml by GLSA coordinator Tim Sammut (underling).