| Summary: | <app-antivirus/clamav-0.102.1: long scanning time of specially crafted email file leads to denial of service (CVE-2019-15961) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | antivirus, atoth |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html | ||
| Whiteboard: | B3 [glsa+ cve] | ||
| Package list: |
app-antivirus/clamav-0.102.1-r3
|
Runtime testing required: | --- |
| Bug Depends on: | 709616 | ||
| Bug Blocks: | |||
|
Description
GLSAMaker/CVETool Bot
2019-12-05 02:14:38 UTC
amd64 stable x86 stable ia64/ppc/ppc64 stable arm stable hppa stable this one blocked on bug 709616 as well for arm64, as it's supposed to be a simple fix to at least avoid build failures.. (In reply to Mart Raudsepp from comment #6) > this one blocked on bug 709616 as well for arm64, as it's supposed to be a > simple fix to at least avoid build failures.. The upstream autoconf scripts are broken, and check for libcurl even when "libclamav" only is set (whose main purpose is to eliminate the dependency on curl). It probably won't be fixed until the next upstream release because these autoconf checks are a tangled mess of if this and not that and this then optionally that. In the meantime, we can tell people not to set USE=libclamav-only, or to "emerge -1 curl" as a workaround. No, in the meantime you can add a curl dep (possibly build-time only if it's not actually linked to or used at runtime) for this case as well. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8601e1fc186ccfca22e2f13a970168f9968b1090 commit 8601e1fc186ccfca22e2f13a970168f9968b1090 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2020-03-19 20:39:43 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2020-03-19 20:39:57 +0000 app-antivirus/clamav: security cleanup (bug #702010) Bug: https://bugs.gentoo.org/702010 Package-Manager: Portage-2.3.94, Repoman-2.3.21 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> app-antivirus/clamav/Manifest | 3 - app-antivirus/clamav/clamav-0.101.2-r1.ebuild | 176 ----------------------- app-antivirus/clamav/clamav-0.101.4.ebuild | 176 ----------------------- app-antivirus/clamav/clamav-0.102.1-r3.ebuild | 197 -------------------------- 4 files changed, 552 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66fddd21b881edb4d02301d53dd33d0b7d850e42 commit 66fddd21b881edb4d02301d53dd33d0b7d850e42 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2020-03-19 20:38:27 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2020-03-19 20:39:56 +0000 app-antivirus/clamav: mark arm64 stable (bug #702010) Bug: https://bugs.gentoo.org/702010 Package-Manager: Portage-2.3.94, Repoman-2.3.21 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> app-antivirus/clamav/clamav-0.102.1-r3.ebuild | 2 +- app-antivirus/clamav/clamav-0.102.2.ebuild | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) Added to an existing GLSA. This issue was resolved and addressed in GLSA 202003-46 at https://security.gentoo.org/glsa/202003-46 by GLSA coordinator Thomas Deutschmann (whissi). |
