Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 538084 (CVE-2014-9328) - <app-antivirus/clamav-0.98.6: Multiple vulnerabilities (CVE-2014-9328,CVE-2015-{1461,1462,1463})
Summary: <app-antivirus/clamav-0.98.6: Multiple vulnerabilities (CVE-2014-9328,CVE-201...
Status: RESOLVED FIXED
Alias: CVE-2014-9328
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa cve]
Keywords:
Depends on: CVE-2015-2221
Blocks:
  Show dependency tree
 
Reported: 2015-01-28 18:21 UTC by Marc Schiffbauer
Modified: 2015-12-30 14:02 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marc Schiffbauer gentoo-dev 2015-01-28 18:21:33 UTC
Dieses Advisory finden Sie auch im DFN-CERT Portal unter:
  <https://portal.cert.dfn.de/adv/DFN-CERT-2015-0117/>

ClamAV Download-Webseite:
  <http://www.clamav.net/download.html>

ClamAV Security Advisory ClamAV-ADV-2015-01-27:
  <http://lurker.clamav.net/message/20150127.232443.27bcc068.en.html>

ClamAV Security Blog ClamAV Release 0.98.6:
  <http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html>

Schwachstelle CVE-2014-9328 (NVD):
  <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9328>
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 17:53:12 UTC
CVE-2015-1463 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1463):
  ClamAV before 0.98.6 allows remote attackers to cause a denial of service
  (crash) via a crafted petite packer file, related to an "incorrect compiler
  optimization."

CVE-2015-1462 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1462):
  ClamAV before 0.98.6 allows remote attackers to have unspecified impact via
  a crafted upx packer file, related to a "heap out of bounds condition."

CVE-2015-1461 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1461):
  ClamAV before 0.98.6 allows remote attackers to have unspecified impact via
  a crafted (1) Yoda's crypter or (2) mew packer file, related to a "heap out
  of bounds condition."
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2015-02-11 17:53:35 UTC
CVE-2014-9328 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9328):
  ClamAV before 0.98.6 allows remote attackers to have unspecified impact via
  a crafted upack packer file, related to a "heap out of bounds condition."
Comment 3 Kristian Fiskerstrand gentoo-dev Security 2015-02-11 17:55:31 UTC
@maintainers: Package is already in tree, please call for stabilization when appropriate.
Comment 4 Marc Schiffbauer gentoo-dev 2015-03-10 00:39:52 UTC
Any blockers here?
Comment 5 Thomas Raschbacher gentoo-dev 2015-05-27 18:12:22 UTC
sorry for the delay I've been quite busy lately so not too much time on Gentoo (even though I try to keep up on security issues, but I missed this one - and the next one in the dependency bug).

Since there's no point in stabilizing this I just add a depend on the 0.98.6 security bug #548066
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-12-30 14:02:16 UTC
This issue was resolved and addressed in
 GLSA 201512-08 at https://security.gentoo.org/glsa/201512-08
by GLSA coordinator Yury German (BlueKnight).