Summary: | <app-antivirus/clamav-{0.103.5,0.104.2}: invalid pointer read | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Thomas Raschbacher <lordvan> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | antivirus, kangie, mjo, proxy-maint |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [glsa+] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 831281 | ||
Bug Blocks: |
Description
Thomas Raschbacher
2022-01-12 20:53:31 UTC
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b942e8883e4a2d6d3a863701d453c60c6a1ee02 commit 6b942e8883e4a2d6d3a863701d453c60c6a1ee02 Author: Thomas Raschbacher <lordvan@gentoo.org> AuthorDate: 2022-01-12 21:19:19 +0000 Commit: Thomas Raschbacher <lordvan@gentoo.org> CommitDate: 2022-01-12 21:22:03 +0000 app-antivirus/clamav: new upstream security release v0.104.2. Bug: https://bugs.gentoo.org/831083 Closes: https://bugs.gentoo.org/819216 Package-Manager: Portage-3.0.30, Repoman-3.0.3 Signed-off-by: Thomas Raschbacher <lordvan@gentoo.org> app-antivirus/clamav/Manifest | 2 - app-antivirus/clamav/clamav-0.104.0-r1.ebuild | 219 -------------------------- app-antivirus/clamav/clamav-0.104.1.ebuild | 215 ------------------------- app-antivirus/clamav/clamav-0.104.2.ebuild | 4 +- 4 files changed, 2 insertions(+), 438 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c15e9c20273d48f6437163ee57a48b8ba07a2d6 commit 3c15e9c20273d48f6437163ee57a48b8ba07a2d6 Author: Thomas Raschbacher <lordvan@gentoo.org> AuthorDate: 2022-01-12 21:09:10 +0000 Commit: Thomas Raschbacher <lordvan@gentoo.org> CommitDate: 2022-01-12 21:20:07 +0000 app-antivirus/clamav: new upstream security release Bug: https://bugs.gentoo.org/831083 Package-Manager: Portage-3.0.30, Repoman-3.0.3 Signed-off-by: Thomas Raschbacher <lordvan@gentoo.org> app-antivirus/clamav/Manifest | 1 + app-antivirus/clamav/clamav-0.104.2.ebuild | 215 +++++++++++++++++++++++++++++ 2 files changed, 216 insertions(+) mjo already added 0.103.5 already: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=669ac0a9ae4134b20e228f544229ff6a50b79965 rest is up to security team Also fixed a config file defaults bug and removed vulnerable non-stable versions already. CVE-2022-20698: "Fix for invalid pointer read that may cause a crash. This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) is enabled. Cisco would like to thank Laurent Delosieres of ManoMano for reporting this vulnerability." Thanks guys! Please stabilize a fixed version when ready. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1259a46e77e330738303cf3d703156301c35961e commit 1259a46e77e330738303cf3d703156301c35961e Author: Michael Orlitzky <mjo@gentoo.org> AuthorDate: 2022-02-02 13:50:45 +0000 Commit: Michael Orlitzky <mjo@gentoo.org> CommitDate: 2022-02-02 13:50:45 +0000 app-antivirus/clamav: remove vulnerable v0.103.4. Bug: https://bugs.gentoo.org/831083 Package-Manager: Portage-3.0.30, Repoman-3.0.3 Signed-off-by: Michael Orlitzky <mjo@gentoo.org> app-antivirus/clamav/Manifest | 1 - app-antivirus/clamav/clamav-0.103.4.ebuild | 239 ----------------------------- 2 files changed, 240 deletions(-) Thanks! afaik this can be closed as none of those versions are still in portage - cann someone from the security team confirm and/or close the bug please? GLSA request filed The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=de933a38b263b239206a394919eff4c8f72f835c commit de933a38b263b239206a394919eff4c8f72f835c Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2023-10-01 08:37:38 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2023-10-01 08:39:35 +0000 [ GLSA 202310-01 ] ClamAV: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/831083 Bug: https://bugs.gentoo.org/842813 Bug: https://bugs.gentoo.org/894672 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202310-01.xml | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) |