A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiVirus (ClamAV) Software versions 0.102.1 and 0.102.0 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to an out-of-bounds read affecting users that have enabled the optional DLP feature. An attacker could exploit this vulnerability by sending a crafted email file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123
https://nvd.nist.gov/vuln/detail/CVE-2020-3123
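The description above names two conditions that both have to hold for a host to be exposed: an engine version of 0.102.0 or 0.102.1, and the optional DLP feature switched on. The POSIX shell script below is an added example, not part of this bug report or of ClamAV itself, that turns those two conditions into a local exposure check. It assumes that the DLP feature is the one enabled by the StructuredDataDetection directive in clamd.conf and that `clamscan --version` prints a line starting with "ClamAV X.Y.Z/..."; the sample version strings and configuration fragments in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the Gentoo bug or the ClamAV project): decide whether
# a ClamAV install is exposed to CVE-2020-3123 as described in the bug, i.e.
# engine version 0.102.0 or 0.102.1 with the optional DLP feature enabled.
# Assumption: DLP is turned on in clamd.conf by "StructuredDataDetection yes".

# Extract "X.Y.Z" from `clamscan --version` output such as the constructed
# sample "ClamAV 0.102.1/25712/Wed Feb  5 10:37:07 2020".
clamav_version() {
    printf '%s\n' "$1" | sed -n 's/^ClamAV \([0-9][0-9.]*\).*/\1/p'
}

# Succeed (status 0) only for the two releases the advisory lists as affected.
version_affected() {
    case "$1" in
        0.102.0|0.102.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if a clamd.conf body has an uncommented StructuredDataDetection
# line set to yes/true/1 (assumed accepted spellings of an enabled boolean).
dlp_enabled() {
    printf '%s\n' "$1" |
        grep -Eiq '^[[:space:]]*StructuredDataDetection[[:space:]]+(yes|true|1)[[:space:]]*$'
}

# Combine both conditions. Prints one of "vulnerable", "fixed" or
# "not-exposed" with the reason, and succeeds only when the host is vulnerable.
assess() {
    ver=$(clamav_version "$1")
    if ! version_affected "$ver"; then
        echo "fixed (ClamAV $ver)"
        return 1
    fi
    if dlp_enabled "$2"; then
        echo "vulnerable (ClamAV $ver with StructuredDataDetection enabled)"
        return 0
    fi
    echo "not-exposed (ClamAV $ver, DLP disabled)"
    return 1
}

# Stand-alone use on the local host (path to clamd.conf varies by distro):
# assess "$(clamscan --version)" "$(cat /etc/clamav/clamd.conf)"
```

The version test is deliberately an exact match on the two affected releases rather than a "less than 0.102.2" comparison, because the advisory scopes the bug to exactly those releases; a host on an older branch should be judged on its own advisories, not silently reported as vulnerable here.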
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e358b025b6215c284de6047b54dca1e9b981126a

commit e358b025b6215c284de6047b54dca1e9b981126a
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-02-06 00:13:31 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-02-06 00:16:37 +0000

    app-antivirus/clamav: new security release v0.102.2.

    Bug: https://bugs.gentoo.org/708424
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 app-antivirus/clamav/Manifest              |   1 +
 app-antivirus/clamav/clamav-0.102.2.ebuild | 198 +++++++++++++++++++++++++++++
 2 files changed, 199 insertions(+)
Ready for stabilization, tests should pass.
x86 stable
amd64 stable
ppc64 stable
ia64 stable
ppc stable
arm stable
hppa stable
arm64 blocked on bug 709616
arm64 marked stable
New GLSA request filed.
This issue was resolved and addressed in GLSA 202003-46 at https://security.gentoo.org/glsa/202003-46 by GLSA coordinator Thomas Deutschmann (whissi).