Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 548066 (CVE-2015-2221) - <app-antivirus/clamav-0.98.7: Multiple vulnerabilities (CVE-2015-{2170,2221,2222,2668})
Summary: <app-antivirus/clamav-0.98.7: Multiple vulnerabilities (CVE-2015-{2170,2221,2...
Status: RESOLVED FIXED
Alias: CVE-2015-2221
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 3 votes (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
: 549810 550652 (view as bug list)
Depends on: 460124 487020 551426
Blocks: CVE-2014-9328
  Show dependency tree
 
Reported: 2015-04-28 21:11 UTC by Frank Krömmelbein
Modified: 2016-01-17 16:57 UTC (History)
12 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Frank Krömmelbein 2015-04-28 21:11:27 UTC
ClamAV update process started at Tue Apr 28 23:07:22 2015
WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98.6 Recommended version: 0.98.7

Changelog:
Mon, 27 Apr 12:00:00 EDT
-----------------------------------
 * 0.98.7 Release.

Tue, 14 Apr 2015 15:53:17 EDT (klin)
-----------------------------------
 * bb#11296 - various fixes to pdf string base64 string conversion 

Mon, 13 Apr 2015 12:14:41 EDT (smorgan)
-----------------------------------
 * bb11298 - look for TOC element name <unarchived-checksum> 
   (as a synonynm for <extracted-checksum>). Continue processing rather
    than exit in the event of missing or error in TOC checksum specification.

Wed, 8 Apr 2015 15:51:04 EDT (smorgan)
-----------------------------------
 * iso9660: remove unnecessaty parameter on iso_parse_dir() and reset return
   code when scanall is in effect. 

Wed, 1 Apr 2015 17:41:59 EDT (klin)
-----------------------------------
 * pdf: correctly handle decoding, decryption, character set conversions,
   and file properties collection(base64 encoded as needed).

Fri, 27 Mar 2015 13:21:49 EDT (klin)
-----------------------------------
 * converted cb_file_props from using engine-based ctx to file-based ctx 

Thu, 26 Mar 2015 12:24:02 EDT (smorgan)
-----------------------------------
 * bb11281 - Reworked reverted upack.c crash patch to fix regression
   false negatives. 

Tue, 24 Mar 2015 12:06:57 EDT (klin)
-----------------------------------
 * make check: added env check 'T' to set timeout 

Mon, 23 Mar 2015 17:58:35 EDT (klin)
-----------------------------------
 * bb#11282 - patch for code clean up in rebuildpe. Patch
   supplied by Sebastian Andrzej Siewior.

Mon, 23 Mar 2015 13:04:54 EDT (klin)
-----------------------------------
 * bb#11284 - fixed integer underflow in detecting W32.Polipos.A method.
   Patch supplied by Sebastian Andrzej Siewior.

Mon, 16 Mar 2015 18:35:14 EDT (klin)
-----------------------------------
 * updated documentation on document property collection 

Mon, 16 Mar 2015 18:26:07 EDT (klin)
-----------------------------------
 * added support for MS Office 2003 XML(msxml) document types and msxml
   file properties collection. 

Mon, 16 Mar 2015 13:11:56 EDT (klin)
-----------------------------------
 * fixed converity issue ID 12109 buffer was not freed on rare error case 

Mon, 16 Mar 2015 13:08:03 EDT (klin)
-----------------------------------
 * fixed coverity ID 12110 12111 changed a the type of a value from unsigned
  to signed due to possible negative values 

Thu, 12 Mar 2015 19:06:23 EDT (smorgan)
-----------------------------------
 * Fix for infinite loop on crafted xz file. 

Wed, 11 Mar 2015 15:03:43 EDT (smorgan)
-----------------------------------
 * bb11278 - was not detecting viruses on files inside iso9660.
   Also fix up all-match logic. 

Mon, 9 Mar 2015 13:02:25 EDT (smorgan)
-----------------------------------
 * bb11274 - adds out of bounds check for petite packed files.
   Patch from Sebastian Andrzej Siewior. 

Wed, 4 Mar 2015 14:04:24 EDT (klin)
-----------------------------------
 * updated example fileprop analysis bytecodes moved old example bytecodes
   to examples/fileprop_analysis/old/ 

Wed, 4 Mar 2015 12:08:34 EDT (klin)
-----------------------------------
 * backwards compatibility for target type 13 json scanning 

Tue, 3 Mar 2015 17:47:55 EDT (klin)
-----------------------------------
 * generates fmap from desc if no map is NULL 

Tue, 3 Mar 2015 16:37:08 EDT (smorgan)
-----------------------------------
 * Apply y0da cryptor patch sent in by Sebastian Andrzej Siewior. 

Tue, 3 Mar 2015 16:12:48 EDT (klin)
-----------------------------------
 * flevel updated to 80 (new bytecode hook type) 

Tue, 3 Mar 2015 16:12:22 EDT (klin)
-----------------------------------
 * clambc info option updated for new hook type 

Tue, 3 Mar 2015 15:00:41 EDT (klin)
-----------------------------------
 * added BC_PRECLASS hook support; replaces target type 13 

Mon, 2 Mar 2015 19:06:23 EDT (klin)
-----------------------------------
 * pdf string UTF-16 conversion no longer solely depends on ICONV reason:
   no ICONV meant no conversion even though conversion function existed 

Fri, 27 Feb 2015 15:23:51 EDT (klin)
-----------------------------------
 * bb#11269 - bm matcher no longer sets scanning window offset reason:
   certain segments could be hashed multiple times 

Wed, 25 Feb 2015 14:55:21 EDT (klin)
-----------------------------------
 * bb#11269 - hash does not compute on segments smaller than the maxpatlen 

Tue, 24 Feb 2015 16:21:09 EDT (klin)
-----------------------------------
 * bb#11267 - libclamav upx cover against hand crafted section ove patch
   supplied bySebastian Andrzej Siewior.

Fri, 27 Feb 2015 16:57:19 EDT (smorgan)
-----------------------------------
 * Patch for integer overflow checks for petite unpack code supplied by
   Sebastian Andrzej Siewior. 

Fri, 27 Feb 2015 16:54:55 EDT (smorgan)
-----------------------------------
 * remove obsolete parameters from the clamd.conf man page: MailMaxRecursion,
   ArchiveMaxFileSize, ArchiveMaxRecursion, ArchiveMaxFiles,
   ArchiveMaxCompressionRatio, ArchiveBlockMax, ArchiveLimitMemoryUsage, Clamuko*. 

Wed, 18 Feb 2015 15:23:54 EDT (klin)
-----------------------------------
 * bb#11212 - fix MEW unpacker 

Mon, 16 Feb 2015 11:46:21 EDT (smorgan)
-----------------------------------
 * bb11264 - patch for 'possible' heap overflow submitted by the Debian team. 

Tue, 10 Feb 2015 15:16:48 EDT (smorgan)
-----------------------------------
 * bb11260: fix compile error when './configure --disable-pthreads' is specified. 

Fri, 6 Feb 2015 14:59:43 EDT (klin)
-----------------------------------
 * bb#11254 - removed built-in llvm configure check and added
   --with-llvm-linking option to specify system-llvm linking method 

Fri, 6 Feb 2015 13:22:35 EDT (klin)
-----------------------------------
 * improved documentation on macro subsignatures 

Wed, 4 Feb 2015 18:52:01 EDT (smorgan)
-----------------------------------
 * fix documentation errors in example logical signature. 

Fri, 30 Jan 2015 12:15:07 EDT (klin)
-----------------------------------
 * bb#12887 - fixed an issue regarding (fd==-1) in WinAPI 

Wed, 28 Jan 2015 11:20:35 EDT (klin)
-----------------------------------
 * fixed Windows API SetOption/GetOption CLAM_LIMIT_RECURSION 

Wed, 21 Jan 2015 11:41:07 EDT (klin)
-----------------------------------
 * added ICONV to clamconf optional features report 

Thu, 15 Jan 2015 15:15:01 EDT (klin)
-----------------------------------
 * fixed an incorrect return value for magic_scandesc 

Wed, 14 Jan 2015 09:25:47 EDT (klin)
-----------------------------------
 * cleaned up configure help strings by using AS_HELP_STRING 

Mon, 12 Jan 2015 13:45:36 EDT (klin)
-----------------------------------
 * bb#11238 - added missing PDF preclass operations
   > added whitespace fix for indirect references strings
   > added PDF escape sequence handling (including octal) 

Thu, 8 Jan 2015 09:48:20 EDT (klin)
-----------------------------------
 * bb#11237 - fixed bug in building CUD file 

Wed, 7 Jan 2015 04:46:15 EDT (smorgan)
-----------------------------------
 * bb11233 - fix a strange bus error on Mac OS X PPC when using debug mode. 

Mon, 22 Dec 2014 12:13:38 EDT (klin)

Reproducible: Always
Comment 1 Nico Baggus 2015-05-01 21:58:34 UTC
please stabalie the new clamav..

WARNING: Your ClamAV installation is OUTDATED!
WARNING: Local version: 0.98.5 Recommended version: 0.98.7
DON'T PANIC! Read http://www.clamav.net/support/faq
main.cvd version from DNS: 55
Retrieving http://database.clamav.net/main-55.cdiff
Trying to download http://database.clamav.net/main-55.cdiff (IP: 145.58.29.83)
Downloading main-55.cdiff [100%]

no need to wait for systemd, for the ppl not running systemd.
Comment 3 Jaco Kroon 2015-05-15 09:42:02 UTC
Any progress on this?  This is a security issue so we really need to get the update out ASAP.  Please.  As per Nico:

no need to wait for systemd, for the ppl not running systemd.

The current version has no systemd support that I'm aware of so if that is a concern, just release a -r1 but please get this out the door as soon as possible.
Comment 4 Frank Krömmelbein 2015-05-17 08:46:27 UTC
Renaming of the Ebuild of the actual version works for me.

clamscan --version
ClamAV 0.98.7/20474/Sun May 17 09:38:29 2015
Comment 5 Agostino Sarubbo gentoo-dev 2015-05-18 13:34:46 UTC
*** Bug 549810 has been marked as a duplicate of this bug. ***
Comment 6 Jaco Kroon 2015-05-26 09:29:36 UTC
Progress status?
Comment 7 Tomáš Mózes 2015-05-26 10:52:48 UTC
(In reply to Frank Krömmelbein from comment #4)
> Renaming of the Ebuild of the actual version works for me.
> 
> clamscan --version
> ClamAV 0.98.7/20474/Sun May 17 09:38:29 2015

I can confirm on amd64.
Comment 8 Nico Baggus 2015-05-27 11:10:40 UTC
what is holding this up?
Comment 9 Thomas Raschbacher gentoo-dev 2015-05-27 13:18:44 UTC
(In reply to Nico Baggus from comment #8)
> what is holding this up?

The fact I am the only one in the antivirus herd and I was quite busy otherwise and completely missed this. Sorry for that.
Comment 10 Thomas Raschbacher gentoo-dev 2015-05-27 19:15:54 UTC
commited 0.98.7 .

Would be great if a few others could test it before we put it up for STABLEREQ (since I am short on time)
Comment 11 Nico Baggus 2015-05-27 19:40:03 UTC
No probem, i will run amd64 & x86 when available.
Comment 12 Tomáš Mózes 2015-05-28 13:55:49 UTC
Tested on ~amd64 and amd64 hardened, seems to work ok.
Comment 13 Mike Gilbert gentoo-dev 2015-05-29 01:58:55 UTC
*** Bug 550652 has been marked as a duplicate of this bug. ***
Comment 14 Nico Baggus 2015-05-31 19:28:43 UTC
It compiles & installs clean.
freshclam works and does not complain.

AFAICT it functions.
on both amd64 and x86.
Comment 15 Thomas Raschbacher gentoo-dev 2015-06-05 07:17:26 UTC
ok thanks for the additional testing. putting in STABLEREQ and CC'ing ARCH teams.
Leaving the rest to security team then ;)
Comment 16 Agostino Sarubbo gentoo-dev 2015-06-05 07:45:25 UTC
Arches, please test and mark stable:
=app-antivirus/clamav-0.98.7
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 17 Agostino Sarubbo gentoo-dev 2015-06-05 08:59:48 UTC
amd64 stable
Comment 18 Agostino Sarubbo gentoo-dev 2015-06-05 09:00:44 UTC
x86 stable
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:54:50 UTC
CVE-2015-2668 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2668):
  ClamAV before 0.98.7 allows remote attackers to cause a denial of service
  (infinite loop) via a crafted xz archive file.

CVE-2015-2222 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2222):
  ClamAV before 0.98.7 allows remote attackers to cause a denial of service
  (crash) via a crafted petite packed file.

CVE-2015-2221 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2221):
  ClamAV before 0.98.7 allows remote attackers to cause a denial of service
  (infinite loop) via a crafted y0da cryptor file.

CVE-2015-2170 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2170):
  The upx decoder in ClamAV before 0.98.7 allows remote attackers to cause a
  denial of service (crash) via a crafted file.
Comment 20 Agostino Sarubbo gentoo-dev 2015-06-24 07:58:58 UTC
ppc stable
Comment 21 Agostino Sarubbo gentoo-dev 2015-07-03 09:57:36 UTC
alpha stable
Comment 22 Yury German Gentoo Infrastructure gentoo-dev Security 2015-07-06 12:20:57 UTC
Pending CVE
http://seclists.org/oss-sec/2015/q2/346

All others have been entered.
Comment 23 Agostino Sarubbo gentoo-dev 2015-07-23 09:37:19 UTC
sparc stable
Comment 24 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-07-24 12:39:26 UTC
ia64 stable
Comment 25 Agostino Sarubbo gentoo-dev 2015-09-23 12:57:12 UTC
ppc64 stable
Comment 26 Jeroen Roovers gentoo-dev 2015-10-11 04:35:19 UTC
I guess there is no point in holding up stabilisation if the blocking bugs don't get fixed.

Stable for HPPA.
Comment 27 Yury German Gentoo Infrastructure gentoo-dev Security 2015-11-02 22:27:40 UTC
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 28 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-20 19:35:07 UTC
Ok let's try again.

Maintainer(s), please drop the vulnerable version(s).
Comment 29 GLSAMaker/CVETool Bot gentoo-dev 2015-12-30 14:02:23 UTC
This issue was resolved and addressed in
 GLSA 201512-08 at https://security.gentoo.org/glsa/201512-08
by GLSA coordinator Yury German (BlueKnight).
Comment 30 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-30 14:04:07 UTC
Re-Opening for cleanup. 

Maintainers, the GLSA has been released please clean up the Vulnerable versions.
Comment 31 Thomas Raschbacher gentoo-dev 2015-12-30 15:53:19 UTC
done: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=42315a699eed0f82c83ace523c7190a1e7c0e673

Sorry for the delay.