https://blog.clamav.net/2023/08/clamav-120-feature-version-and-111-102.html
This fixes CVE-2023-40477.

Reproducible: Always
(We don't have 1.0.3 in tree, so removing from summary.)
We depend on app-arch/unrar, so are we even affected by the copy in clamav? I found this confusing:

commit d7f27b89f427927f5f4ee67261a22f3c7bfda054
Author: Michael Orlitzky <mjo@gentoo.org>
Date:   Mon Aug 28 18:43:04 2023 -0400

    app-antivirus/clamav: add 0.103.10, drop 0.103.9

    Upgrades the bundled unRAR (which clamav has renamed to libclamunrar)
    to fix CVE-2023-40477. We also add unRAR to LICENSE since it's clear
    that it applies to libclamunrar and that component is enabled by
    default.

    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
(In reply to Sam James from comment #1)
> (We don't have 1.0.3 in tree, so removing from summary.)

I don't understand this, because version 1.0.2-r1:0/lts is in the tree and is vulnerable to CVE-2023-40477?
(In reply to Icebird2000 from comment #3)
> (In reply to Sam James from comment #1)
> > (We don't have 1.0.3 in tree, so removing from summary.)
>
> I don't understand this, because version 1.0.2-r1:0/lts is in the tree and
> is vulnerable by CVE-2023-40477?

We put the first fixed versions in summaries.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=303ee72a8d76f5df19c4250434e8e5e072517f44

commit 303ee72a8d76f5df19c4250434e8e5e072517f44
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-08-30 09:04:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-08-30 10:04:24 +0000

    app-antivirus/clamav: add 1.0.3

    Bug: https://bugs.gentoo.org/913246
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-antivirus/clamav/Manifest            |   1 +
 app-antivirus/clamav/clamav-1.0.3.ebuild | 381 +++++++++++++++++++++++++++++++
 2 files changed, 382 insertions(+)
(In reply to Sam James from comment #2)
> We depend on app-arch/unrar, so are we even affeced by the copy in clamav?

clamav-0.103.x doesn't depend on app-arch/unrar -- they might have unbundled it as part of the CMake rewrite? The autoconf bits in m4/reorganization/libs/unrar.m4 add a --disable-unrar flag, but it's never appeared in the ebuild and it does no detection of the system unrar.
Before stabilizing 1.0.3 and 1.1.2 you need to stabilize virtual/rust-1.71 first