Bug 913246

Summary: <app-antivirus/clamav-{0.103.10, 1.1.2}: Multiple vulnerabilities
Product: Gentoo Security Reporter: Icebird2000 <icebird2000>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: UNCONFIRMED ---    
Severity: normal CC: antivirus, kangie, mjo, proxy-maint
Priority: Normal Keywords: PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://blog.clamav.net/2023/08/clamav-120-feature-version-and-111-102.html
See Also: https://github.com/gentoo/gentoo/pull/32528
Whiteboard: B2 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 913962    
Bug Blocks: 913247    

Description Icebird2000 2023-08-30 07:16:55 UTC
https://blog.clamav.net/2023/08/clamav-120-feature-version-and-111-102.html
This fixes CVE-2023-40477.

Reproducible: Always
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-30 07:20:20 UTC
(We don't have 1.0.3 in tree, so removing from summary.)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-30 07:22:34 UTC
We depend on app-arch/unrar, so are we even affected by the copy in clamav?

I found this confusing:

commit d7f27b89f427927f5f4ee67261a22f3c7bfda054
Author: Michael Orlitzky <mjo@gentoo.org>
Date:   Mon Aug 28 18:43:04 2023 -0400

    app-antivirus/clamav: add 0.103.10, drop 0.103.9

    Upgrades the bundled unRAR (which clamav has renamed to libclamunrar) to
    fix CVE-2023-40477. We also add unRAR to LICENSE since it's clear that
    it applies to libclamunrar and that component is enabled by default.

    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Comment 3 Icebird2000 2023-08-30 07:41:28 UTC
(In reply to Sam James from comment #1)
> (We don't have 1.0.3 in tree, so removing from summary.)

I don't understand this, because version 1.0.2-r1:0/lts is in the tree and is vulnerable to CVE-2023-40477?
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-08-30 07:43:53 UTC
(In reply to Icebird2000 from comment #3)
> (In reply to Sam James from comment #1)
> > (We don't have 1.0.3 in tree, so removing from summary.)
> 
> I don't understand this, because version 1.0.2-r1:0/lts is in the tree and
> is vulnerable to CVE-2023-40477?

We put the first fixed versions in summaries.
Comment 5 Larry the Git Cow gentoo-dev 2023-08-30 10:05:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=303ee72a8d76f5df19c4250434e8e5e072517f44

commit 303ee72a8d76f5df19c4250434e8e5e072517f44
Author:     Matt Jolly <Matt.Jolly@footclan.ninja>
AuthorDate: 2023-08-30 09:04:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-08-30 10:04:24 +0000

    app-antivirus/clamav: add 1.0.3
    
    Bug: https://bugs.gentoo.org/913246
    Signed-off-by: Matt Jolly <Matt.Jolly@footclan.ninja>
    Signed-off-by: Sam James <sam@gentoo.org>

 app-antivirus/clamav/Manifest            |   1 +
 app-antivirus/clamav/clamav-1.0.3.ebuild | 381 +++++++++++++++++++++++++++++++
 2 files changed, 382 insertions(+)
Comment 6 Michael Orlitzky gentoo-dev 2023-08-30 13:45:24 UTC
(In reply to Sam James from comment #2)
> We depend on app-arch/unrar, so are we even affected by the copy in clamav?
> 

clamav-0.103.x doesn't depend on app-arch/unrar -- they might have unbundled it as part of the CMake rewrite?

The autoconf bits in m4/reorganization/libs/unrar.m4 add a --disable-unrar flag, but it's never appeared in the ebuild and it does no detection of the system unrar.
Comment 7 Icebird2000 2023-08-31 15:56:44 UTC
Before stabilizing 1.0.3 and 1.1.2 you need to stabilize virtual/rust-1.71 first