
Bug 174375

Summary: app-antivirus/clamav Two issues CVE-2007-{1745|1997}
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: antivirus, bernd, chainsaw, gentoo
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2/3 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-13 07:17:21 UTC
Not sure how serious this is.

From 0.90.2 Changelog

    - libclamav/chmunpack.c: fix fd leak in chm_decompress_stream
      (CVE-2007-1745)
    - libclamav/cab.c: fix buffer overflow, reported through iDefense
      Vulnerability Contributor Program (CVE-2007-1997)
    - libclamav/pdf.c: Fix fd leak on empty objects. Scan in user memory
    - libclamav/lockdb.c: fix fd leak on EACCES/EAGAIN (bb#400)
Comment 1 Andrej Kacian (RETIRED) gentoo-dev 2007-04-13 08:47:50 UTC
Ebuild is in the tree. The nls patch update mentioned in the changelog shouldn't stop anyone from security-stabilizing this version - if anything, it will produce fewer bugs than the previous patch. :)
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-13 10:07:56 UTC
Thx Ticho.

Arches please test and mark stable. Target keywords are:

clamav-0.90.2.ebuild:KEYWORDS="alpha amd64 hppa ia64 ppc ppc64 sparc x86 ~x86-fbsd"
Comment 3 Raúl Porcel (RETIRED) gentoo-dev 2007-04-13 11:34:08 UTC
ia64 + x86 stable
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-13 14:03:21 UTC
sparc stable.
Comment 5 Fernando J. Pereda (RETIRED) gentoo-dev 2007-04-13 14:47:37 UTC
Alpha done.
Comment 6 Peter Weller (RETIRED) gentoo-dev 2007-04-13 14:56:11 UTC
amd64 done
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-13 16:31:47 UTC
ppc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2007-04-13 19:25:44 UTC
Stable for HPPA.
Comment 9 Jeremy Huddleston (RETIRED) gentoo-dev 2007-04-13 20:26:31 UTC
You should get the patch in bug #174512 in asap as well so users don't have trouble restarting their clamd process when they do this security update.
Comment 10 Andrej Kacian (RETIRED) gentoo-dev 2007-04-13 20:57:42 UTC
(In reply to comment #9)
> You should get the patch in bug #174512 in asap as well so users don't have
> trouble restarting their clamd process when they do this security update.
> 

It is in. Thanks and sorry for the omission.
Comment 11 Markus Rothe (RETIRED) gentoo-dev 2007-04-15 19:21:15 UTC
ppc64 stable
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-17 05:29:55 UTC
Since this is rated B2/3 I'm calling a vote. I vote YES.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-19 10:35:42 UTC
voting YES.
Comment 14 NETwork.ORGanization - Alexander Schoberl 2007-04-20 00:46:03 UTC
After updating to 0.90-2 the clamscan will need a lot of time for scanning.

# /usr/bin/clamscan - </dev/null
stdin: OK
----------- SCAN SUMMARY -----------
Known viruses: 215418
Engine version: 0.90.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 53.279 sec (0 m 53 s)

Any resolving idea about this ??
Comment 15 Andrej Kacian (RETIRED) gentoo-dev 2007-04-22 05:38:06 UTC
(In reply to comment #14)
> After updating to 0.90-2 the clamscan will need a lot of time for scanning.

That's an upstream issue, and is/was discussed on upstream mailing lists, if I remember correctly. It's unrelated to this bugzilla entry.
Comment 16 Matthias Geerdsen (RETIRED) gentoo-dev 2007-04-23 15:21:22 UTC
updating status, GLSA is in the queue
Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev 2007-04-24 15:52:19 UTC
GLSA 200704-21

thanks everyone