Summary: | <app-antivirus/clamav-0.101.0: multiple vulnerabilities through embedded/forked UnRAR version (CVE-2017-{12940,12941,12942}) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | ajak, antivirus, net-mail+disabled
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | B2 [noglsa cve] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | | |
Bug Blocks: | 628178 | |
Description

Comment 1 (GLSAMaker/CVETool Bot, 2017-08-18 15:07:55 UTC)

Please see the tracker bug 628178 for more details. It isn't clear at the moment if ClamAV's own libunrar is affected or not.

Comment 2 (Thomas Raschbacher)

Good question ..

On the blog they mention this:

Buffer over-read in unRAR code due to missing max value checks in table initialization. Reported by Rui Reis.

(Section "Fixes for a few additional bugs")

And I found this -- no clue if that is it:
https://github.com/Cisco-Talos/clamav-devel/commit/d2aa492c7f9c3560f6421be0bd81d72c55fd1081
https://github.com/Cisco-Talos/clamav-devel/commit/65ed9df7f1a635ca7dd1799d656d805eab86158d

Comment 3 (Sam James (sec padawan))

(In reply to Thomas Raschbacher from comment #2)
> Good question ..
>
> On the blog they mention this:
>
> Buffer over-read in unRAR code due to missing max value checks in table
> initialization. Reported by Rui Reis.
>
> (Section "Fixes for a few additional bugs")
>
> And I found this -- no clue if that is it:
> https://github.com/Cisco-Talos/clamav-devel/commit/d2aa492c7f9c3560f6421be0bd81d72c55fd1081
> https://github.com/Cisco-Talos/clamav-devel/commit/65ed9df7f1a635ca7dd1799d656d805eab86158d

Note that 0.101.0 [0] has replaced the old unrar lib:

> Support for RAR v5 archive extraction!
> We replaced the legacy C-based unrar implementation with RarLabs UnRAR 5.6.5 library.
> Licensing is the same as before, although our libclamunrar_iface supporting library has changed from LGPL to the BSD 3-Clause license.

[0] https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html

Comment 4 (John Helmert III (ajak))

(In reply to Sam James (sec padawan) from comment #3)
> Note that 0.101.0 [0] has replaced the old unrar lib:
>
> > Support for RAR v5 archive extraction!
> > We replaced the legacy C-based unrar implementation with RarLabs UnRAR 5.6.5 library.
> > Licensing is the same as before, although our libclamunrar_iface supporting library has changed from LGPL to the BSD 3-Clause license.
>
> [0] https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html

UnRAR 5.6.5 was never a vulnerable version and we only have ClamAV newer than 0.101.0 in the tree, so we should be good here as far as ClamAV is concerned, right?

Comment 5

(In reply to John Helmert III (ajak) from comment #4)
> UnRAR 5.6.5 was never a vulnerable version and we only have ClamAV newer
> than 0.101.0 in the tree, so we should be good here as far as ClamAV is
> concerned, right?

ClamAV stopped shipping the vulnerable one in late 2018 with the fixed 0.101.0. Cleanup done early 2019: https://gitweb.gentoo.org/repo/gentoo.git/commit/app-antivirus/clamav?id=c12ddccad01d344a1b5b5ed9d5b2a0f3be9a8717. So yep!