Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 462278 (CVE-2013-7087) - <app-antivirus/clamav-0.97.7: Multiple vulnerabilities (CVE-2013-{7087,7088,7089})
Summary: <app-antivirus/clamav-0.97.7: Multiple vulnerabilities (CVE-2013-{7087,7088,7...
Status: RESOLVED FIXED
Alias: CVE-2013-7087
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/52647/
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-03-19 09:00 UTC by Agostino Sarubbo
Modified: 2014-05-16 12:53 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-03-19 09:00:25 UTC
From ${URL} :

Description
Two vulnerabilities with an unknown impact have been reported in ClamAV.

1) A double-free error exists within the "unrar_extract_next_prepare()" function 
(libclamunrar_iface/unrar_iface.c) when parsing a RAR file.

2) An unspecified error within the "wwunpack()" function (libclamav/wwunpack.c) when unpacking a 
WWPack file can be exploited to corrupt heap memory.

The vulnerabilities are reported in version 0.97.6. Prior versions may also be affected.


Solution
Update to version 0.97.7.

Provided and/or discovered by
The vendor credits Felix Groebert, Mateusz Jurczyk, and Gynvael Coldwind, Google Security Team.

Original Advisory
ClamAV:
http://blog.clamav.net/2013/03/clamav-0977-has-been-released.html
Comment 1 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-20 23:21:30 UTC
Maintainers, may we proceed with stabilization of =app-antivirus/clamav-0.97.7 ?
Comment 2 Eray Aslan gentoo-dev 2013-03-21 05:57:24 UTC
@security: Please stabilize =app-antivirus/clamav-0.97.7.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-03-21 19:21:46 UTC
(In reply to comment #2)
> @security: Please stabilize =app-antivirus/clamav-0.97.7.

Arches, please test and mark stable ^
Target KEYWORDS: "alpha amd64 ~arm hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~sparc-solaris ~x86-solaris"
Comment 4 Agostino Sarubbo gentoo-dev 2013-03-22 16:17:12 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-03-22 16:19:59 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-03-22 17:22:32 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-03-23 09:49:28 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-03-23 13:25:57 UTC
alpha stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2013-03-24 16:12:07 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2013-04-01 19:43:15 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-04-02 10:55:09 UTC
sparc stable
Comment 12 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 03:54:09 UTC
GLSA request filed.
Comment 13 Thomas Raschbacher gentoo-dev 2014-04-02 17:24:33 UTC
not in tree anymore.
Comment 14 Thomas Raschbacher gentoo-dev 2014-04-02 17:25:53 UTC
ah sorry I thought this one was assigned to antivirus@g.o as well .. if security still wants this open please re-open.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-05-15 16:41:38 UTC
(In reply to Thomas Raschbacher from comment #14)
> ah sorry I thought this one was assigned to antivirus@g.o as well .. if
> security still wants this open please re-open.

We need this opened for GLSA release. There is a GLSA pending.

And yes we still have a backlog of GLSA's, we are trying to get the newer ones out first and work on the older ones in spare time.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-05-16 12:53:23 UTC
This issue was resolved and addressed in
 GLSA 201405-08 at http://security.gentoo.org/glsa/glsa-201405-08.xml
by GLSA coordinator Sergey Popov (pinkbyte).