Bug 924024 (CVE-2024-20290, CVE-2024-20328)

Summary: =app-antivirus/clamav-{1.0.3,1.1.0,1.1.3,1.2.1}: vulnerabilities
Product: Gentoo Security
Reporter: Thomas Raschbacher <lordvan>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED ---
Severity: normal
CC: antivirus, kangie, lordvan, mjo
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
Whiteboard: B2 [stable]
Package list:
Runtime testing required: ---
Bug Depends on: 926021
Bug Blocks:

Description Thomas Raschbacher gentoo-dev 2024-02-07 22:00:33 UTC
For details, see https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
Comment 1 Thomas Raschbacher gentoo-dev 2024-02-07 22:02:25 UTC
1.2.2 committed just now
Comment 2 Hans de Graaff gentoo-dev Security 2024-02-09 12:45:17 UTC
I've set the whiteboard to "stable?" with the assumption that there will not be a 1.0.5 ebuild and the 0.103* and 1.0* versions will be cleaned. Feel free to indicate otherwise and I'll update the whiteboard accordingly.
Comment 3 Michael Orlitzky gentoo-dev 2024-02-09 13:10:12 UTC
I'm going to maintain 0.103.x for as long as it's easy to do so. It's the last version without a mountain of bundled libraries. It's also apparently unaffected by these CVEs:

https://lists.clamav.net/pipermail/clamav-users/2024-February/013734.html
Comment 4 Hans de Graaff gentoo-dev Security 2024-02-11 08:42:36 UTC
(In reply to Michael Orlitzky from comment #3)
> I'm going to maintain 0.103.x for as long as it's easy to do so. It's the
> last version without a mountain of bundled libraries. It's also apparently
> unaffected by these CVEs:
> 
> https://lists.clamav.net/pipermail/clamav-users/2024-February/013734.html

I've updated the vulnerable versions in the summary accordingly.
Comment 5 Matt Jolly gentoo-dev 2024-03-02 10:00:12 UTC
Updating the LTS branch (1.0) now, and adding 1.3. Dropping outdated STS (1.1.x).
Comment 6 Larry the Git Cow gentoo-dev 2024-03-02 10:05:52 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=79e6d80832f72eaf8466dda1a5055d5c391833d6

commit 79e6d80832f72eaf8466dda1a5055d5c391833d6
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-03-02 10:01:28 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-03-02 10:03:49 +0000

    app-antivirus/clamav: drop 1.0.3
    
    Bug: https://bugs.gentoo.org/924024
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 app-antivirus/clamav/Manifest            |  13 --
 app-antivirus/clamav/clamav-1.0.3.ebuild | 381 -------------------------------
 2 files changed, 394 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3835f1c72f88cb67dcfd4340e0ceb3ca16058267

commit 3835f1c72f88cb67dcfd4340e0ceb3ca16058267
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-03-02 09:55:51 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-03-02 10:03:48 +0000

    app-antivirus/clamav: add 1.0.5
    
    Bug: https://bugs.gentoo.org/924024
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 app-antivirus/clamav/Manifest            |  16 ++
 app-antivirus/clamav/clamav-1.0.5.ebuild | 398 +++++++++++++++++++++++++++++++
 2 files changed, 414 insertions(+)