
Bug 722726 (CVE-2020-3327, CVE-2020-3341)

Summary: <app-antivirus/clamav-0.102.3: Multiple vulnerabilities (CVE-2020-{3327,3341})
Product: Gentoo Security
Reporter: Sam James <sam>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: antivirus
Priority: Normal
Keywords: CC-ARCHES
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
URL: https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html
See Also: https://bugs.gentoo.org/show_bug.cgi?id=732944
Whiteboard: B3 [noglsa cve]
Package list:
=app-antivirus/clamav-0.102.3
Runtime testing required: ---

Description Sam James archtester gentoo-dev Security 2020-05-12 15:42:57 UTC
* CVE-2020-3327
Description:
"Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash."

* CVE-2020-3341
Description:
"Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash. Bug found by OSS-Fuzz."
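The two advisory descriptions above name two bug classes: a bounds check done in unsigned arithmetic that can never fail (the ARJ case), and a fixed-size buffer handed to a decryption setup routine without first checking that the source actually holds that many bytes (the PDF/AES case). The following is an added illustration written for this page, not ClamAV's code and not the actual 0.102.3 patch: it uses a constructed toy record format (4-byte header with a 2-byte little-endian length, a 16-byte key slot) and hypothetical function names, and shows each vulnerable pattern next to its hardened form. Both buggy functions return a result instead of dereferencing out of bounds, so the demonstration can run safely; in a real parser the out-of-range length or short key slice is what turns into the out-of-bounds read.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration, not ClamAV code: a toy record with a 4-byte
 * header (2-byte little-endian payload length, 2 bytes of flags) and a
 * fixed 16-byte key slot. Layout, names and sizes are assumptions chosen
 * to mirror the two bug classes in the advisory text. */
#define HDR_LEN   4
#define AES_BLOCK 16

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_LEN = -2 };

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Pattern 1 (CVE-2020-3327 class): bounds check on an unsigned value.
 * Vulnerable form. The test is meant to reject a declared length larger
 * than the bytes actually present, but size_t never goes negative:
 * 'avail - declared' wraps to a huge value and the branch is never taken.
 * A caller that then reads 'declared' bytes runs off the end of buf. */
int record_len_vuln(const uint8_t *buf, size_t buflen, size_t *out)
{
    if (buflen < HDR_LEN) return PARSE_TRUNCATED;
    size_t declared = rd16le(buf);
    size_t avail = buflen - HDR_LEN;
    if (avail - declared < 0)               /* always false: unsigned */
        return PARSE_BAD_LEN;
    *out = declared;
    return PARSE_OK;
}

/* Hardened form: compare, never subtract, when both sides are unsigned. */
int record_len_fixed(const uint8_t *buf, size_t buflen, size_t *out)
{
    if (buflen < HDR_LEN) return PARSE_TRUNCATED;
    size_t declared = rd16le(buf);
    size_t avail = buflen - HDR_LEN;
    if (declared > avail)
        return PARSE_BAD_LEN;
    *out = declared;
    return PARSE_OK;
}

/* Pattern 2 (CVE-2020-3341 class): a fixed-size buffer that seeds a
 * decryption context is filled from variable-length input.
 * Vulnerable form: assumes the input holds a full block. */
int key_init_vuln(const uint8_t *src, size_t srclen, uint8_t key[AES_BLOCK])
{
    (void)srclen;                           /* length never consulted */
    memcpy(key, src, AES_BLOCK);            /* OOB read if srclen < 16 */
    return PARSE_OK;
}

/* Hardened form: check the size of the source before touching it. */
int key_init_fixed(const uint8_t *src, size_t srclen, uint8_t key[AES_BLOCK])
{
    if (srclen < AES_BLOCK)
        return PARSE_TRUNCATED;
    memcpy(key, src, AES_BLOCK);
    return PARSE_OK;
}

int main(void)
{
    /* Constructed malformed record: claims 0xFFFF payload bytes, carries 2. */
    const uint8_t rec[] = { 0xFF, 0xFF, 0x00, 0x00, 'A', 'B' };
    size_t len = 0;
    int rv = record_len_vuln(rec, sizeof rec, &len);
    printf("vuln  : rv=%d len=%zu (buffer holds %zu bytes)\n", rv, len, sizeof rec);
    rv = record_len_fixed(rec, sizeof rec, &len);
    printf("fixed : rv=%d\n", rv);

    /* Constructed short key slice: 8 bytes where a 16-byte block is needed. */
    uint8_t key[AES_BLOCK];
    const uint8_t short_src[8] = { 0 };
    printf("key   : rv=%d\n", key_init_fixed(short_src, sizeof short_src, key));
    return 0;
}
```

The fix in both cases is the same discipline: validate the untrusted length against what is actually available, using a comparison rather than a subtraction that cannot go negative, before any pointer is advanced or any memcpy is issued. Running the block against the constructed record shows the vulnerable check accepting a 65535-byte claim on a 6-byte buffer while the hardened check rejects it, and the hardened key setup refusing an 8-byte slice.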
Comment 1 Sam James archtester gentoo-dev Security 2020-05-12 15:44:16 UTC
@maintainer(s), please bump to 0.102.3.
Comment 2 Thomas Raschbacher gentoo-dev 2020-05-12 18:21:36 UTC
0.102.3 is out. will add it to the tree in a bit when at my dev box
Comment 3 Thomas Raschbacher gentoo-dev 2020-05-12 18:41:41 UTC
committed the version bump as ~arch
Comment 4 Sam James archtester gentoo-dev Security 2020-05-12 18:45:29 UTC
Thanks. Please let us know when you are ready for stabilisation, or call yourself.
Comment 5 Sam James archtester gentoo-dev Security 2020-05-15 14:36:57 UTC
(In reply to Sam James (sec padawan) from comment #4)
> Thanks. Please let us know when you are ready for stabilisation, or call
> yourself.

How're we looking?
Comment 6 Michael Orlitzky gentoo-dev 2020-05-18 01:44:39 UTC
I think it's OK to stabilize.
Comment 7 Sam James archtester gentoo-dev Security 2020-05-18 07:28:19 UTC
(In reply to Michael Orlitzky from comment #6)
> I think it's OK to stabilize.

Great, thanks!
Comment 8 Agostino Sarubbo gentoo-dev 2020-05-18 12:58:59 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-05-18 13:00:18 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-05-18 15:09:35 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2020-05-18 15:12:40 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2020-05-18 21:13:50 UTC
x86 stable
Comment 13 Sam James archtester gentoo-dev Security 2020-06-07 21:06:47 UTC
arm64 stable

----
@maintainer(s), please cleanup
Comment 14 Larry the Git Cow gentoo-dev 2020-06-09 01:53:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=948d05626dc945da43baa24204331dd87fe534fb

commit 948d05626dc945da43baa24204331dd87fe534fb
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-09 01:45:45 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-09 01:45:45 +0000

    app-antivirus/clamav: remove older vulnerable versions.
    
    Bug: https://bugs.gentoo.org/722726
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 app-antivirus/clamav/Manifest                      |   1 -
 app-antivirus/clamav/clamav-0.102.2-r1.ebuild      | 214 --------------------
 app-antivirus/clamav/clamav-0.102.2-r3.ebuild      | 225 ---------------------
 .../files/clamav-0.101.2-libxml2_pkgconfig.patch   |  78 -------
 4 files changed, 518 deletions(-)