
Bug 645794 (CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, CVE-2017-12378, CVE-2017-12379, CVE-2017-12380)

Summary: <app-antivirus/clamav-0.99.3: multiple vulnerabilities
Product: Gentoo Security
Reporter: tomas charvat <tc>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: antivirus, ap, himbeere, hydrapolic, net-mail+disabled, toto
Priority: High
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
URL: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
Whiteboard: B1 [glsa+ cve]
Package list: app-antivirus/clamav-0.99.3-r1
Runtime testing required: ---
Bug Depends on: 649314
Bug Blocks:

Description tomas charvat 2018-01-26 12:09:27 UTC
clamav versions below 0.99.3 are subject to
CVE-2017-12374
CVE-2017-12375
CVE-2017-12376
CVE-2017-12377
CVE-2017-12378
CVE-2017-12379
CVE-2017-12380
And probably some more that do not have a CVE yet.

An additional reason for a version bump is the fact that, since the new clamav release, the content of daily.cvd causes clamav 0.99.2 to crash.

Reproducible: Always

Steps to Reproduce:
1. freshclam
2. reload clamd database
3. see clam log file
Actual Results:  
LibClamAV Error: cli_scanscript: could not map file /tmp/clamav-4f44363190ef9da19b58fe176ee5e22d.tmp
LibClamAV Error: cli_scanscript: could not map file /tmp/clamav-92bc8f14fbf93f57e5ac90379c0c3ae3.tmp


Expected Results:  
clean log file

To fix the clamd errors, which prevent clamd from working, you can delete daily.cvd and stop freshclam.

I'm not sure whether clamav 0.99.3 will fix this; however, there are other reasons for a version bump and it could also fix the problem with daily.cvd.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-26 14:02:22 UTC
@ tomas: Please do not add version information to summary when you report vulnerabilities. Thank you.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2018-01-26 14:31:16 UTC
*** Bug 645806 has been marked as a duplicate of this bug. ***
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2018-01-26 14:39:07 UTC
0.99.3 is not in the Gentoo repository yet.  Please do not put the version in the summary until an unaffected ebuild is committed.
Comment 4 Larry the Git Cow gentoo-dev 2018-01-26 14:52:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2ba0e7dfb1e0e5290366cef02a553c3e56120b9

commit f2ba0e7dfb1e0e5290366cef02a553c3e56120b9
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-26 14:46:05 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-26 14:52:33 +0000

    app-antivirus/clamav: bump, fixes multiple vulnerabilities
    
    Bug: https://bugs.gentoo.org/645794
    Package-Manager: Portage-2.3.20, Repoman-2.3.6

 app-antivirus/clamav/Manifest             |   1 +
 app-antivirus/clamav/clamav-0.99.3.ebuild | 158 ++++++++++++++++++++++++++++++
 2 files changed, 159 insertions(+)
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-26 14:54:17 UTC
@ Arches,

please test and mark stable:

  =app-antivirus/clamav-0.99.3
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-26 15:13:51 UTC
I'll push -r1 to fix a fd leak problem in cli scanner.
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-26 15:57:21 UTC
New GLSA request filed.
Comment 9 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-01-26 16:09:58 UTC
amd64 stable
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-26 16:13:40 UTC
x86 stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2018-01-26 16:19:06 UTC
This issue was resolved and addressed in
 GLSA 201801-19 at https://security.gentoo.org/glsa/201801-19
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-26 16:19:45 UTC
Re-opening for remaining architectures.
Comment 13 Thomas Raschbacher gentoo-dev 2018-01-26 17:38:53 UTC
Thanks for adding 0.99.3 - I just got home a bit earlier and was going to have a go at it, but looks like you saved me some work ;)
Comment 14 tomas charvat 2018-01-26 18:11:08 UTC
I have tested 0.99.3-r1 and the problem with the hang on daily.cvd signatures is gone. It's working well.
Comment 15 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-28 12:14:45 UTC
ia64 stable
Comment 16 Sergei Trofimovich (RETIRED) gentoo-dev 2018-01-28 18:00:45 UTC
ppc stable
Comment 17 Sergei Trofimovich (RETIRED) gentoo-dev 2018-02-10 19:22:26 UTC
hppa stable
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-02 18:53:34 UTC
Superseded by bug 649314.
Comment 19 Tobias Klausmann (RETIRED) gentoo-dev 2018-03-04 17:08:27 UTC
Stable on alpha.
Comment 20 Aaron Bauman (RETIRED) gentoo-dev 2018-04-22 21:46:23 UTC
Cleanup will happen with GLSA release.