Sadly, clamav doesn't issue security advisories since a long time. According to ChangeLog, this sounds like a security issue: * libclamav/bytecode.c,bytecode_api.c: fix recursion level crash (bb #3706). Upstream bug is invisible to the public. I'll request a CVE on oss-security.
Thanks, Hanno. @net-mail or @antivirus, 0.97.3 is already in the tree. Ok to stabilize it?
(In reply to comment #1) > Thanks, Hanno. > > @net-mail or @antivirus, 0.97.3 is already in the tree. Ok to stabilize it? Yes, arches go ahead.
Arches, please test and mark stable: =app-antivirus/clamav-0.97.3 target KEYWORDS : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
looks perfect on a server, amd64 ok
Stable for HPPA.
amd64: all ok
+ 19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> clamav-0.97.3.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian + "idella4" Delaney in security bug #387521.
x86 stable
alpha/ia64/sparc stable
We'll need toc workaround[1] for ppc64 before stabilizing, you're ok if I add it? I'm pretty sure it wasn't needed before :/ [1] use ppc64 && append-flags -mminimal-toc
ppc/ppc64 stable, last arch done
Thanks, everyone. Added to pending GLSA request.
This issue was resolved and addressed in GLSA 201110-20 at http://security.gentoo.org/glsa/glsa-201110-20.xml by GLSA coordinator Tim Sammut (underling).
The posted GLSA (http://www.gentoo.org/security/en/glsa/glsa-201110-20.xml) says: Vulnerable version: < 0.97.3 [...] NOTE: This is a legacy GLSA. Updates for all affected architectures are available since August 27, 2011. It is likely that your system is already no longer affected by this issue. Since 0.97.3 was added to the tree only 5 days ago, it seems impossible that any updates were available on August 27, 2011.
(In reply to comment #14) > The posted GLSA (http://www.gentoo.org/security/en/glsa/glsa-201110-20.xml) > says: > > Vulnerable version: < 0.97.3 > [...] > NOTE: This is a legacy GLSA. Updates for all affected architectures are > available since August 27, 2011. It is likely that your system is already no > longer affected by this issue. > > Since 0.97.3 was added to the tree only 5 days ago, it seems impossible that > any updates were available on August 27, 2011. Thanks for letting me know, Nick. I have corrected the advisory and it should show up online shortly. http://www.gentoo.org/security/en/glsa/glsa-201110-20.xml
CVE-2011-3627 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3627): The bytecode engine in ClamAV before 0.97.3 allows remote attackers to cause a denial of service (crash) via vectors related to "recursion level" and (1) libclamav/bytecode.c and (2) libclamav/bytecode_api.c.
