Bug 722726 (CVE-2020-3327, CVE-2020-3341)

Summary:	<app-antivirus/clamav-0.102.3: Multiple vulnerabilities (CVE-2020-{3327,3341})
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	antivirus
Priority:	Normal	Keywords:	CC-ARCHES
Version:	unspecified	Flags:	nattka: sanity-check+
Hardware:	All
OS:	Linux
URL:	https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=732944
Whiteboard:	B3 [noglsa cve]
Package list:	=app-antivirus/clamav-0.102.3	Runtime testing required:	---

Description Sam James archtester

2020-05-12 15:42:57 UTC

* CVE-2020-3327
Description:
"Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash."

* CVE-2020-3341
Description:
"Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash. Bug found by OSS-Fuzz."

Comment 1 Sam James archtester

2020-05-12 15:44:16 UTC

@maintainer(s), please bump to 0.102.3.

Comment 2 Thomas Raschbacher gentoo-dev

2020-05-12 18:21:36 UTC

0.102.3 is out. will add it to the tree in a bit when at my dev box

Comment 3 Thomas Raschbacher gentoo-dev

2020-05-12 18:41:41 UTC

commited the version bump as ~arch

Comment 4 Sam James archtester

2020-05-12 18:45:29 UTC

Thanks. Please let us know when you are ready for stabilisation, or call yourself.

Comment 5 Sam James archtester

2020-05-15 14:36:57 UTC

(In reply to Sam James (sec padawan) from comment #4)
> Thanks. Please let us know when you are ready for stabilisation, or call
> yourself.

How're we looking?

Comment 6 Michael Orlitzky gentoo-dev

2020-05-18 01:44:39 UTC

I think it's OK to stabilize.

Comment 7 Sam James archtester

2020-05-18 07:28:19 UTC

(In reply to Michael Orlitzky from comment #6)
> I think it's OK to stabilize.

Great, thanks!

Comment 8 Agostino Sarubbo gentoo-dev

2020-05-18 12:58:59 UTC

arm stable

Comment 9 Agostino Sarubbo gentoo-dev

2020-05-18 13:00:18 UTC

ppc stable

Comment 10 Agostino Sarubbo gentoo-dev

2020-05-18 15:09:35 UTC

amd64 stable

Comment 11 Agostino Sarubbo gentoo-dev

2020-05-18 15:12:40 UTC

ppc64 stable

Comment 12 Agostino Sarubbo gentoo-dev

2020-05-18 21:13:50 UTC

x86 stable

Comment 13 Sam James archtester

2020-06-07 21:06:47 UTC

arm64 stable

----
@maintainer(s), please cleanup

Comment 14 Larry the Git Cow gentoo-dev

2020-06-09 01:53:34 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=948d05626dc945da43baa24204331dd87fe534fb

commit 948d05626dc945da43baa24204331dd87fe534fb
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-09 01:45:45 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-09 01:45:45 +0000

    app-antivirus/clamav: remove older vulnerable versions.
    
    Bug: https://bugs.gentoo.org/722726
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 app-antivirus/clamav/Manifest                      |   1 -
 app-antivirus/clamav/clamav-0.102.2-r1.ebuild      | 214 --------------------
 app-antivirus/clamav/clamav-0.102.2-r3.ebuild      | 225 ---------------------
 .../files/clamav-0.101.2-libxml2_pkgconfig.patch   |  78 -------
 4 files changed, 518 deletions(-)