Bug#: 227351
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Hanno Boeck <hanno@gentoo.org>



Description:   Opened: 2008-06-15 23:46 0000
As reported on oss-security, 0.93.1 contains security fixes. CVE is requested.

http://www.openwall.com/lists/oss-security/2008/06/15/2

------- Comment #1 From Pierre-Yves Rofes 2008-07-06 18:41:12 0000 -------
antivirus/net-mail: 0.93.1 is in the tree, is it ok for stabilisation?

------- Comment #2 From Tobias Scherbaum 2008-07-20 21:48:21 0000 -------
(In reply to comment #1)
> antivirus/net-mail: 0.93.1 is in the tree, is it ok for stabilisation?
> 

looks so, #221715 as a tracker for b0rkage caused by 0.93 is to be closed (all
blocking issues are fixed). Also i just bumped to 0.93.3  as per #231287.

------- Comment #3 From Pierre-Yves Rofes 2008-07-20 21:52:09 0000 -------
(In reply to comment #2)
> (In reply to comment #1)
> > antivirus/net-mail: 0.93.1 is in the tree, is it ok for stabilisation?
> > 
> 
> looks so, #221715 as a tracker for b0rkage caused by 0.93 is to be closed (all
> blocking issues are fixed). Also i just bumped to 0.93.3  as per #231287.
> 

so, which one is the target for stabilization? 0.93.1 or 0.93.3?

------- Comment #4 From Tobias Scherbaum 2008-07-20 21:56:49 0000 -------
(In reply to comment #3)
> > looks so, #221715 as a tracker for b0rkage caused by 0.93 is to be closed (all
> > blocking issues are fixed). Also i just bumped to 0.93.3  as per #231287.
> > 
> 
> so, which one is the target for stabilization? 0.93.1 or 0.93.3?

0.93.1 is in the tree for >1 months without relevant bugs reported in that
time, 0.93.3 is in the tree for some minutes (same ebuild though) and doesn't
include security-relevant fixes (at least none i could find in a changelog).
The only reason to opt for 0.93.3 would be to avoid the annoying
"clamav-version outdated" warning users will get with 0.93.1. So well, i'm
unsure :P 

Let's wait some days to see if 0.93.3 introduced some b0rkage, if not we can
mark that one stable - sounds like a plan to me :)

------- Comment #5 From Tobias Heinlein 2008-07-20 22:53:16 0000 -------
I just had a look into the ChangeLog: We have to stabilize 0.93.3; 0.93.1
contains only partial fixes.

Mon Jul  7 15:48:48 CEST 2008
-----------------------------
  * 0.93.2

Thu Jul  3 16:15:23 CEST 2008
-----------------------------
  * libclamav/petite.c: fix another out of bounds memory read (bb#1000)
            Reported by Secunia (CVE-2008-2713)

[..]

Wed Jun  4 14:18:12 CEST 2008 (tk)
----------------------------------
  * 0.93.1

Wed Jun  4 14:18:27 CEST 2008 (tk)
----------------------------------
  * libclamav/petite.c: fix possible invalid memory access (bb#1000)
            Reported by Damian Put


The upstream bug report confirms that:
https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1000

------- Comment #6 From Tobias Scherbaum 2008-07-21 05:46:18 0000 -------
(In reply to comment #5)
> Thu Jul  3 16:15:23 CEST 2008
> -----------------------------
>   * libclamav/petite.c: fix another out of bounds memory read (bb#1000)
>             Reported by Secunia (CVE-2008-2713)
> 
> [..]

It's better to not ask how I missed that :P In that case let's get
=app-antivirus/clamav-0.93.3 stable ...

------- Comment #7 From Robert Buchholz 2008-07-21 09:07:52 0000 -------
Arches, please test and mark stable:
=app-antivirus/clamav-0.93.3
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

------- Comment #8 From Tony Vroon 2008-07-21 11:31:41 0000 -------
AMD64 stable keyword; tested on hardened Opteron 2218 & Core 2 Duo systems.

------- Comment #9 From Markus Rothe 2008-07-21 16:37:23 0000 -------
ppc64 stable

------- Comment #10 From Jeroen Roovers 2008-07-21 18:08:33 0000 -------
Stable for HPPA.

------- Comment #11 From Raúl Porcel 2008-07-21 19:54:26 0000 -------
alpha/ia64/sparc/x86 stable

------- Comment #12 From Robert Buchholz 2008-07-22 15:22:02 0000 -------
CVE-2008-3215 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3215):
  libclamav/petite.c in ClamAV before 0.93.3 allows remote attackers to cause a
  denial of service via a malformed Petite file that triggers an out-of-bounds
  memory access.  NOTE: this issue exists because of an incomplete fix for
  CVE-2008-2713.
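
The CVE text above describes an out-of-bounds read that survived a first, partial fix. The following added example is constructed for this page; it is not ClamAV's petite.c, not code from this bug, and not the actual defect. On a toy "section table" format (byte 0 is an entry count, followed by little-endian offset/length pairs), it contrasts a check that validates only the start offset with one that validates the whole offset+length window without integer wraparound, which is the general shape of "valid offset, oversized length" bugs. The format, the function names and the sample bytes are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not ClamAV code. Toy "section table" format:
 * byte 0 = entry count, then `count` entries of two little-endian
 * uint32 fields (off, len), each meaning "read len bytes at off". */

#define MAX_ENTRIES 4u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Flawed check: only the start offset is validated. A valid offset with
 * an oversized length still reads past the end of the buffer. Returns
 * nonzero if the read is (wrongly) accepted. */
int check_incomplete(size_t buf_size, uint32_t off, uint32_t len) {
    (void)len;
    return off < buf_size;
}

/* Complete check: the offset is in range and the whole [off, off+len)
 * window fits. Written as len <= buf_size - off so that no off + len
 * addition can wrap around to a small value. */
int check_complete(size_t buf_size, uint32_t off, uint32_t len) {
    if (off > buf_size) return 0;
    return (size_t)len <= buf_size - off;
}

/* Parses the table and sums the referenced bytes, touching memory only
 * after check_complete passes. Returns -1 for malformed input. */
long parse_sections(const uint8_t *buf, size_t buf_size) {
    if (buf_size < 1) return -1;
    unsigned count = buf[0];
    if (count > MAX_ENTRIES) return -1;
    if (buf_size - 1 < (size_t)count * 8) return -1;   /* table itself must fit */
    long sum = 0;
    for (unsigned i = 0; i < count; i++) {
        const uint8_t *e = buf + 1 + (size_t)i * 8;
        uint32_t off = rd32(e), len = rd32(e + 4);
        if (!check_complete(buf_size, off, len)) return -1;
        for (uint32_t j = 0; j < len; j++) sum += buf[off + j];
    }
    return sum;
}

/* Constructed sample inputs (assumptions, not real file contents). */
/* One entry: off = 9, len = 3, referencing the last three bytes. */
static const uint8_t GOOD[12] = { 1, 9,0,0,0, 3,0,0,0, 0xAA, 0xBB, 0xCC };
/* Same layout, but len = 0xFFFFFFF0: the offset is valid, the length is not. */
static const uint8_t BAD[12]  = { 1, 9,0,0,0, 0xF0,0xFF,0xFF,0xFF, 0xAA, 0xBB, 0xCC };

long demo_good(void)           { return parse_sections(GOOD, sizeof GOOD); }
long demo_bad(void)            { return parse_sections(BAD, sizeof BAD); }
/* The offset-only check accepts the malformed entry. */
int  demo_flawed_accepts(void) { return check_incomplete(sizeof BAD, 9, 0xFFFFFFF0u); }
/* A length chosen so that off + len wraps in 32 bits is still rejected. */
int  demo_wrap_rejected(void)  { return check_complete(sizeof BAD, 9, 0xFFFFFFFFu); }

int main(void) {
    printf("good: %ld, bad: %ld, flawed check accepts bad: %d\n",
           demo_good(), demo_bad(), demo_flawed_accepts());
    return 0;
}
```

The point for review of any such fix is the one the NVD note makes: a patch that validates one field (the offset) while leaving the other (the length) untrusted is an incomplete fix, and the check has to bound the entire window that will actually be read, using subtraction rather than addition so a large length cannot wrap past the comparison.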

------- Comment #13 From Tobias Scherbaum 2008-07-22 16:51:51 0000 -------
ppc stable

------- Comment #14 From Tobias Heinlein 2008-07-23 00:55:19 0000 -------
Ready for vote, I vote YES.

------- Comment #15 From Robert Buchholz 2008-08-03 21:51:00 0000 -------
glsa vote: YES

------- Comment #16 From Raphael Marichez 2008-08-08 17:29:10 0000 -------
GLSA 200808-07 combining bug 204340 and bug 227351, thanks everyone.
