CVE-2018-1000085 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000085):
An out-of-bounds heap read vulnerability was found in XAR parser that leads to clamscan crash when invoked on malicious XAR file.
Upstream patch: https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6
Reference: http://www.openwall.com/lists/oss-security/2017/09/29/4
@ Maintainer(s): clamav-0.99.4 contains the fix.
CVE-2018-0202: Two newly reported vulnerabilities in the PDF parsing code.
@ Arches, please test and mark stable: =app-antivirus/clamav-0.99.4
ia64 stable
x86 stopped stabilization due to bug 649516.
tested on amd64, scanned 30mil. files, no problem
ppc Builds ok, but one test fails (bug #634142).
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6164b7059e16d9c3f862ba52fd159297c7d2fe0e
commit 6164b7059e16d9c3f862ba52fd159297c7d2fe0e
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-03-29 02:12:36 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-03-29 02:12:36 +0000
app-antivirus/clamav: amd64 stable
Bug: https://bugs.gentoo.org/649314
Package-Manager: Portage-2.3.26, Repoman-2.3.7
app-antivirus/clamav/clamav-0.99.4.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Restarting stabilization. Previous arch teams didn't notice the problem because clamav had an automagic on dev-libs/check. Without this package, the test revealing a major problem with zlib wasn't run.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=761684544e0f106bf88eeebd083ac2f8ada95c2c
commit 761684544e0f106bf88eeebd083ac2f8ada95c2c
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-03-30 00:14:54 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-03-30 00:14:54 +0000
app-antivirus/clamav: amd64 stable
Bug: https://bugs.gentoo.org/649314
Package-Manager: Portage-2.3.26, Repoman-2.3.7
app-antivirus/clamav/clamav-0.99.4-r1.ebuild | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Stable on alpha.
x86 stable
ppc64 stable
hppa stable
@maintainer(s), please clean vulnerable. GLSA request filed.
This issue was resolved and addressed in GLSA 201804-16 at https://security.gentoo.org/glsa/201804-16 by GLSA coordinator Aaron Bauman (b-man).
re-opened for final arch and cleanup.
ppc stable
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=587259d7f37f395fb06bb8acd08f71c5c2049dea
commit 587259d7f37f395fb06bb8acd08f71c5c2049dea
Author: Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-05-26 14:15:44 +0000
Commit: Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-26 14:15:44 +0000
app-antivirus/clamav: drop vulnerable
Bug: https://bugs.gentoo.org/649314
Package-Manager: Portage-2.3.40, Repoman-2.3.9
app-antivirus/clamav/Manifest | 2 -
app-antivirus/clamav/clamav-0.99.2-r1.ebuild | 158 --------------------------
app-antivirus/clamav/clamav-0.99.2-r3.ebuild | 159 --------------------------
app-antivirus/clamav/clamav-0.99.3-r1.ebuild | 159 --------------------------
app-antivirus/clamav/clamav-0.99.3-r2.ebuild | 160 ---------------------------
app-antivirus/clamav/clamav-0.99.4.ebuild | 156 --------------------------
6 files changed, 794 deletions(-)