Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 913246 - <app-antivirus/clamav-{0.103.10, 1.1.2}: Multiple vulnerabilities
Summary: <app-antivirus/clamav-{0.103.10, 1.1.2}: Multiple vulnerabilities
Status: UNCONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://blog.clamav.net/2023/08/clama...
Whiteboard: B2 [stable?]
Keywords: PullRequest
Depends on: 913962
Blocks: CVE-2023-40477
  Show dependency tree
 
Reported: 2023-08-30 07:16 UTC by Icebird2000
Modified: 2023-10-14 07:45 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Icebird2000 2023-08-30 07:16:55 UTC 
https://blog.clamav.net/2023/08/clamav-120-feature-version-and-111-102.html
This fix CVE-2023-40477 - 

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-30 07:20:20 UTC 
(We don't have 1.0.3 in tree, so removing from summary.)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-30 07:22:34 UTC 
We depend on app-arch/unrar, so are we even affeced by the copy in clamav?

I found this confusing:

commit d7f27b89f427927f5f4ee67261a22f3c7bfda054
Author: Michael Orlitzky <mjo@gentoo.org>
Date:   Mon Aug 28 18:43:04 2023 -0400

    app-antivirus/clamav: add 0.103.10, drop 0.103.9

    Upgrades the bundled unRAR (which clamav has renamed to libclamunrar) to
    fix CVE-2023-40477. We also add unRAR to LICENSE since it's clear that
    it applies to libclamunrar and that component is enabled by default.

    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Comment 3 Icebird2000 2023-08-30 07:41:28 UTC 
(In reply to Sam James from comment #1)
> (We don't have 1.0.3 in tree, so removing from summary.)

I don't understand this, because version 1.0.2-r1:0/lts is in the tree and is vulnerable by CVE-2023-40477?
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-30 07:43:53 UTC 
(In reply to Icebird2000 from comment #3)
> (In reply to Sam James from comment #1)
> > (We don't have 1.0.3 in tree, so removing from summary.)
> 
> I don't understand this, because version 1.0.2-r1:0/lts is in the tree and
> is vulnerable by CVE-2023-40477?

We put the first fixed versions in summaries.
Comment 5 Larry the Git Cow gentoo-dev 2023-08-30 10:05:00 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=303ee72a8d76f5df19c4250434e8e5e072517f44

commit 303ee72a8d76f5df19c4250434e8e5e072517f44
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-08-30 09:04:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-08-30 10:04:24 +0000

    app-antivirus/clamav: add 1.0.3
    
    Bug: https://bugs.gentoo.org/913246
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-antivirus/clamav/Manifest            |   1 +
 app-antivirus/clamav/clamav-1.0.3.ebuild | 381 +++++++++++++++++++++++++++++++
 2 files changed, 382 insertions(+)
Comment 6 Michael Orlitzky gentoo-dev 2023-08-30 13:45:24 UTC 
(In reply to Sam James from comment #2)
> We depend on app-arch/unrar, so are we even affeced by the copy in clamav?
> 

clamav-0.103.x doesn't depend on app-arch/unrar -- they might have unbundled it as part of the CMake rewrite?

The autoconf bits in m4/reorganization/libs/unrar.m4 add a --disable-unrar flag, but it's never appeared in the ebuild and it does no detection of the system unrar.
Comment 7 Icebird2000 2023-08-31 15:56:44 UTC 
Before stabilizing 1.0.3 and 1.1.2 you need to stabilize virtual/rust-1.71 first