|Summary:||<app-antivirus/clamav-0.98.5: multiple vulnerabilities (CVE-2014-9050)|
|Product:||Gentoo Security||Reporter:||Hanno Böck <hanno>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||normal||CC:||antivirus, jaco, kevin, net-mail+disabled|
|Package list:||Runtime testing required:||---|
Description Hanno Böck 2014-11-18 23:05:45 UTC
From Changelog: Security fix for ClamAV crash when using 'clamscan -a'. This issue was identified by Kurt Siefried of Red Hat. Security fix for ClamAV crash when scanning maliciously crafted yoda's crypter files. This issue, as well as several other bugs fixed in this release, were identified by Damien Millescamp of Oppida. http://blog.clamav.net/2014/11/clamav-0985-has-been-released.html No more details yet.
Comment 1 Hanno Böck 2014-11-21 12:02:04 UTC
This sounds more severe: http://www.openwall.com/lists/oss-security/2014/11/21/12 Please update as soon as possible.
Comment 2 Thomas Raschbacher 2014-11-27 08:33:54 UTC
Thanks for reminding me Hanno. I am guilty of seeing the release mail for 0.98.5 but not reading it (therefore I hadn't noticed the security fix) Looking at it now (just deciding what to do about the new feature which requires libjson-c)
Comment 3 Thomas Raschbacher 2014-11-27 09:34:34 UTC
Committed. I assume you want it stabilized asap but leaving the rest to Security Team.
Comment 4 Yury German 2014-11-27 20:02:34 UTC
Maintainer(s): Please let us know when the ebuild is ready for stabilization, or call for stabilization. Notes on compromise: A heap buffer overflow was reported in  in ClamAV when scanning a specially crafted y0da Crypter obfuscated PE file. Note that this is remotely exploitable when ClamAV is used as a mail gateway scanner.
Comment 5 Thomas Raschbacher 2014-11-28 09:55:27 UTC
Works for me on 2 machines so afaik ok -> STABLEREQ + CC Arch teams no extensive tests yet but compiles and runs for me -- amd64
Comment 6 Agostino Sarubbo 2014-11-28 13:51:35 UTC
Comment 7 Agostino Sarubbo 2014-11-28 13:52:04 UTC
Comment 8 Jeroen Roovers (RETIRED) 2014-11-29 13:08:07 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo 2014-11-29 13:29:53 UTC
Comment 10 Agostino Sarubbo 2014-12-01 09:18:27 UTC
Comment 11 Agostino Sarubbo 2014-12-02 11:58:22 UTC
Comment 12 Agostino Sarubbo 2014-12-03 09:59:09 UTC
Comment 13 Agostino Sarubbo 2014-12-06 16:49:19 UTC
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Comment 14 GLSAMaker/CVETool Bot 2014-12-07 19:52:53 UTC
CVE-2014-9050 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9050): Heap-based buffer overflow in the cli_scanpe function in libclamav/pe.c in ClamAV before 0.95.4 allows remote attackers to cause a denial of service (crash) via a crafted y0da Crypter PE file.
Comment 15 Yury German 2014-12-07 19:56:43 UTC
Arches, Thank you for your work Maintainer(s), please drop the vulnerable version(s). New GLSA Request filed.
Comment 16 Sergey Popov 2014-12-09 12:53:12 UTC
+ 09 Dec 2014; Sergey Popov <firstname.lastname@example.org> package.mask: + Mask vulnerable versions of app-antivirus/clamav
Comment 17 GLSAMaker/CVETool Bot 2014-12-10 11:39:23 UTC
This issue was resolved and addressed in GLSA 201412-05 at http://security.gentoo.org/glsa/glsa-201412-05.xml by GLSA coordinator Mikle Kolyada (Zlogene).
Comment 18 Thomas Raschbacher 2015-02-05 15:17:40 UTC
removed old versions after waiting a bit in case there were some issues/complaints.