Bug 924024 (CVE-2024-20290, CVE-2024-20328) - =app-antivirus/clamav-{1.0.3,1.1.0,1.1.3,1.2.1}: vulnerabilities
Summary: =app-antivirus/clamav-{1.0.3,1.1.0,1.1.3,1.2.1}: vulnerabilities
Status: CONFIRMED
Alias: CVE-2024-20290, CVE-2024-20328
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://blog.clamav.net/2023/11/clama...
Whiteboard: B2 [stable]
Keywords:
Depends on: 926021
Blocks:
Reported: 2024-02-07 22:00 UTC by Thomas Raschbacher
Modified: 2024-03-03 08:14 UTC

See Also:
Package list:
Runtime testing required: ---

Description Thomas Raschbacher gentoo-dev 2024-02-07 22:00:33 UTC
For details, see https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
Comment 1 Thomas Raschbacher gentoo-dev 2024-02-07 22:02:25 UTC
1.2.2 committed just now
Comment 2 Hans de Graaff gentoo-dev Security 2024-02-09 12:45:17 UTC
I've set the whiteboard to "stable?" with the assumption that there will not be a 1.0.5 ebuild and the 0.103* and 1.0* versions will be cleaned. Feel free to indicate otherwise and I'll update the whiteboard accordingly.
Comment 3 Michael Orlitzky gentoo-dev 2024-02-09 13:10:12 UTC
I'm going to maintain 0.103.x for as long as it's easy to do so. It's the last version without a mountain of bundled libraries. It's also apparently unaffected by these CVEs:

https://lists.clamav.net/pipermail/clamav-users/2024-February/013734.html
Comment 4 Hans de Graaff gentoo-dev Security 2024-02-11 08:42:36 UTC
(In reply to Michael Orlitzky from comment #3)
> I'm going to maintain 0.103.x for as long as it's easy to do so. It's the
> last version without a mountain of bundled libraries. It's also apparently
> unaffected by these CVEs:
> 
> https://lists.clamav.net/pipermail/clamav-users/2024-February/013734.html

I've updated the vulnerable versions in the summary accordingly.
Comment 5 Matt Jolly gentoo-dev 2024-03-02 10:00:12 UTC
Updating the LTS branch (1.0) now, and adding 1.3. Dropping outdated STS (1.1.x).
Comment 6 Larry the Git Cow gentoo-dev 2024-03-02 10:05:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79e6d80832f72eaf8466dda1a5055d5c391833d6

commit 79e6d80832f72eaf8466dda1a5055d5c391833d6
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-03-02 10:01:28 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-03-02 10:03:49 +0000

    app-antivirus/clamav: drop 1.0.3
    
    Bug: https://bugs.gentoo.org/924024
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 app-antivirus/clamav/Manifest            |  13 --
 app-antivirus/clamav/clamav-1.0.3.ebuild | 381 -------------------------------
 2 files changed, 394 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3835f1c72f88cb67dcfd4340e0ceb3ca16058267

commit 3835f1c72f88cb67dcfd4340e0ceb3ca16058267
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-03-02 09:55:51 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-03-02 10:03:48 +0000

    app-antivirus/clamav: add 1.0.5
    
    Bug: https://bugs.gentoo.org/924024
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 app-antivirus/clamav/Manifest            |  16 ++
 app-antivirus/clamav/clamav-1.0.5.ebuild | 398 +++++++++++++++++++++++++++++++
 2 files changed, 414 insertions(+)