| Summary: | app-antivirus/clamav < 0.93.3: fix possible invalid memory access (CVE-2008-2713,CVE-2008-3215) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Hanno Böck <hanno> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | antivirus, net-mail+disabled |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2008/06/15/2 | ||
| Whiteboard: | B3 [glsa] | ||
| Package list: | Runtime testing required: | --- | |
|
Description
Hanno Böck
2008-06-15 23:46:26 UTC
antivirus/net-mail: 0.93.1 is in the tree, is it ok for stabilisation? (In reply to comment #1) > antivirus/net-mail: 0.93.1 is in the tree, is it ok for stabilisation? > looks so, #221715 as a tracker for b0rkage caused by 0.93 is to be closed (all blocking issues are fixed). Also i just bumped to 0.93.3 as per #231287. (In reply to comment #2) > (In reply to comment #1) > > antivirus/net-mail: 0.93.1 is in the tree, is it ok for stabilisation? > > > > looks so, #221715 as a tracker for b0rkage caused by 0.93 is to be closed (all > blocking issues are fixed). Also i just bumped to 0.93.3 as per #231287. > so, which one is the target for stabilization? 0.93.1 or 0.93.3? (In reply to comment #3) > > looks so, #221715 as a tracker for b0rkage caused by 0.93 is to be closed (all > > blocking issues are fixed). Also i just bumped to 0.93.3 as per #231287. > > > > so, which one is the target for stabilization? 0.93.1 or 0.93.3? 0.93.1 is in the tree for >1 months without relevant bugs reported in that time, 0.93.3 is in the tree for some minutes (same ebuild though) and doesn't include security-relevant fixes (at least none i could find in a changelog). The only reason to opt for 0.93.3 would be to avoid the annoying "clamav-version outdated" warning users will get with 0.93.1. So well, i'm unsure :P Let's wait some days to see if 0.93.3 introduced some b0rkage, if not we can mark that one stable - sounds like a plan to me :) I just had a look into the ChangeLog: We have to stabilize 0.93.3, 0.93.1 contains only partial fixes.
Mon Jul 7 15:48:48 CEST 2008
-----------------------------
* 0.93.2
Thu Jul 3 16:15:23 CEST 2008
-----------------------------
* libclamav/petite.c: fix another out of bounds memory read (bb#1000)
Reported by Secunia (CVE-2008-2713)
[..]
Wed Jun 4 14:18:12 CEST 2008 (tk)
----------------------------------
* 0.93.1
Wed Jun 4 14:18:27 CEST 2008 (tk)
----------------------------------
* libclamav/petite.c: fix possible invalid memory access (bb#1000)
Reported by Damian Put
The upstream bug reports confirms that: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1000
(In reply to comment #5) > Thu Jul 3 16:15:23 CEST 2008 > ----------------------------- > * libclamav/petite.c: fix another out of bounds memory read (bb#1000) > Reported by Secunia (CVE-2008-2713) > > [..] It's better to not ask how I missed that :P In that case let's get =app-antivirus/clamav-0.93.3 stable ... Arches, please test and mark stable: =app-antivirus/clamav-0.93.3 Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86" AMD64 stable keyword; tested on hardened Opteron 2218 & Core 2 Duo systems. ppc64 stable Stable for HPPA. alpha/ia64/sparc/x86 stable CVE-2008-3215 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3215): libclamav/petite.c in ClamAV before 0.93.3 allows remote attackers to cause a denial of service via a malformed Petite file that triggers an out-of-bounds memory access. NOTE: this issue exists because of an incomplete fix for CVE-2008-2713. ppc stable Ready for vote, I vote YES. glsa vote: YES GLSA 200808-07 combining bug 204340 and bug 227351, thanks everyone. |