| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <app-antivirus/clamav-{0.103.10, 1.1.2}: Multiple vulnerabilities | | |
| Product: | Gentoo Security | Reporter: | Icebird2000 <icebird2000> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | UNCONFIRMED --- | | |
| Severity: | normal | CC: | antivirus, kangie, mjo, proxy-maint |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://blog.clamav.net/2023/08/clamav-120-feature-version-and-111-102.html | | |
| See Also: | https://github.com/gentoo/gentoo/pull/32528 | | |
| Whiteboard: | B2 [glsa?] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 913962 | | |
| Bug Blocks: | 913247 | | |
Description
Icebird2000
2023-08-30 07:16:55 UTC
Comment #1
Sam James

(We don't have 1.0.3 in tree, so removing from summary.)

Comment #2
Sam James

We depend on app-arch/unrar, so are we even affected by the copy in clamav? I found this confusing:

```
commit d7f27b89f427927f5f4ee67261a22f3c7bfda054
Author: Michael Orlitzky <mjo@gentoo.org>
Date:   Mon Aug 28 18:43:04 2023 -0400

    app-antivirus/clamav: add 0.103.10, drop 0.103.9

    Upgrades the bundled unRAR (which clamav has renamed to libclamunrar) to
    fix CVE-2023-40477. We also add unRAR to LICENSE since it's clear that
    it applies to libclamunrar and that component is enabled by default.

    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
```

Comment #3
Icebird2000

(In reply to Sam James from comment #1)
> (We don't have 1.0.3 in tree, so removing from summary.)

I don't understand this, because version 1.0.2-r1:0/lts is in the tree and is vulnerable by CVE-2023-40477?

Comment #4

(In reply to Icebird2000 from comment #3)
> (In reply to Sam James from comment #1)
> > (We don't have 1.0.3 in tree, so removing from summary.)
>
> I don't understand this, because version 1.0.2-r1:0/lts is in the tree and
> is vulnerable by CVE-2023-40477?

We put the first fixed versions in summaries.

Comment #5

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=303ee72a8d76f5df19c4250434e8e5e072517f44

```
commit 303ee72a8d76f5df19c4250434e8e5e072517f44
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-08-30 09:04:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-08-30 10:04:24 +0000

    app-antivirus/clamav: add 1.0.3

    Bug: https://bugs.gentoo.org/913246
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-antivirus/clamav/Manifest            |   1 +
 app-antivirus/clamav/clamav-1.0.3.ebuild | 381 +++++++++++++++++++++++++++++++
 2 files changed, 382 insertions(+)
```

Comment #6

(In reply to Sam James from comment #2)
> We depend on app-arch/unrar, so are we even affected by the copy in clamav?

clamav-0.103.x doesn't depend on app-arch/unrar -- they might have unbundled it as part of the CMake rewrite? The autoconf bits in m4/reorganization/libs/unrar.m4 add a --disable-unrar flag, but it's never appeared in the ebuild and it does no detection of the system unrar.

Comment #7

Before stabilizing 1.0.3 and 1.1.2 you need to stabilize virtual/rust-1.71 first.