
Bug 538084 (CVE-2014-9328)

Summary: <app-antivirus/clamav-0.98.6: Multiple vulnerabilities (CVE-2014-9328, CVE-2015-{1461,1462,1463})
Product: Gentoo Security
Reporter: Marc Schiffbauer <mschiff>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: antivirus, barzog, bug, hanno, net-mail+disabled
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 548066
Bug Blocks:

Description Marc Schiffbauer gentoo-dev 2015-01-28 18:21:33 UTC
This advisory is also available in the DFN-CERT portal at:
  <https://portal.cert.dfn.de/adv/DFN-CERT-2015-0117/>

ClamAV download website:
  <http://www.clamav.net/download.html>

ClamAV Security Advisory ClamAV-ADV-2015-01-27:
  <http://lurker.clamav.net/message/20150127.232443.27bcc068.en.html>

ClamAV Security Blog ClamAV Release 0.98.6:
  <http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html>

Vulnerability CVE-2014-9328 (NVD):
  <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9328>
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 17:53:12 UTC
CVE-2015-1463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1463):
  ClamAV before 0.98.6 allows remote attackers to cause a denial of service
  (crash) via a crafted petite packer file, related to an "incorrect compiler
  optimization."

CVE-2015-1462 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1462):
  ClamAV before 0.98.6 allows remote attackers to have unspecified impact via
  a crafted upx packer file, related to a "heap out of bounds condition."

CVE-2015-1461 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1461):
  ClamAV before 0.98.6 allows remote attackers to have unspecified impact via
  a crafted (1) Yoda's crypter or (2) mew packer file, related to a "heap out
  of bounds condition."
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 17:53:35 UTC
CVE-2014-9328 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9328):
  ClamAV before 0.98.6 allows remote attackers to have unspecified impact via
  a crafted upack packer file, related to a "heap out of bounds condition."
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-11 17:55:31 UTC
@maintainers: Package is already in tree, please call for stabilization when appropriate.
Comment 4 Marc Schiffbauer gentoo-dev 2015-03-10 00:39:52 UTC
Any blockers here?
Comment 5 Thomas Raschbacher gentoo-dev 2015-05-27 18:12:22 UTC
Sorry for the delay, I've been quite busy lately so not too much time on Gentoo (even though I try to keep up on security issues, but I missed this one - and the next one in the dependency bug).

Since there's no point in stabilizing this I just added a depend on the 0.98.6 security bug #548066
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-12-30 14:02:16 UTC
This issue was resolved and addressed in
GLSA 201512-08 at https://security.gentoo.org/glsa/201512-08
by GLSA coordinator Yury German (BlueKnight).