Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 645794 (CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, CVE-2017-12378, CVE-2017-12379, CVE-2017-12380) - <app-antivirus/clamav-0.99.3: multiple vulnerabilities
Summary: <app-antivirus/clamav-0.99.3: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, CVE-2017-12378, CVE-2017-12379, CVE-2017-12380
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://blog.clamav.net/2018/01/clamav...
Whiteboard: B1 [glsa+ cve]
Keywords:
: 645806 (view as bug list)
Depends on: CVE-2018-0202, CVE-2018-1000085
Blocks:
  Show dependency tree
 
Reported: 2018-01-26 12:09 UTC by tomas charvat
Modified: 2018-04-22 21:46 UTC (History)
6 users (show)

See Also:
Package list:
app-antivirus/clamav-0.99.3-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description tomas charvat 2018-01-26 12:09:27 UTC
clamav version bellow 0.99.3 is subject to
CVE-2017-12374
CVE-2017-12375
CVE-2017-12376
CVE-2017-12377
CVE-2017-12378
CVE-2017-12379
CVE-2017-12380
And probably some more that do not have CVE yet.

Additional reason to version bump is fact, that since new clamav release, content of daily.cvd cause clamav 0.99.2 to crash



Reproducible: Always

Steps to Reproduce:
1. freshclam
2. reload clamd database
3. see clam log file
Actual Results:  
LibClamAV Error: cli_scanscript: could not map file /tmp/clamav-4f44363190ef9da19b58fe176ee5e22d.tmp
LibClamAV Error: cli_scanscript: could not map file /tmp/clamav-92bc8f14fbf93f57e5ac90379c0c3ae3.tmp


Expected Results:  
clean log file

To fix clamd errors, which prevent clamd working you can delete daily.cvd and stop freshclam.

Im not sure whenever clamav 0.99.3 will fix this, however there are other reasons to version bump and it could also fix problem with daily.cvd.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-01-26 14:02:22 UTC
@ tomas: Please do not add version information to summary when you report vulnerabilities. Thank you.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2018-01-26 14:31:16 UTC
*** Bug 645806 has been marked as a duplicate of this bug. ***
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-01-26 14:39:07 UTC
0.99.3 is not in the Gentoo repository yet.  Please do not put the version in the summary until an unaffected ebuild is committed.
Comment 4 Larry the Git Cow gentoo-dev 2018-01-26 14:52:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2ba0e7dfb1e0e5290366cef02a553c3e56120b9

commit f2ba0e7dfb1e0e5290366cef02a553c3e56120b9
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-26 14:46:05 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-26 14:52:33 +0000

    app-antivirus/clamav: bump, fixes multiple vulnerabilites
    
    Bug: https://bugs.gentoo.org/645794
    Package-Manager: Portage-2.3.20, Repoman-2.3.6

 app-antivirus/clamav/Manifest             |   1 +
 app-antivirus/clamav/clamav-0.99.3.ebuild | 158 ++++++++++++++++++++++++++++++
 2 files changed, 159 insertions(+)}
Comment 5 Thomas Deutschmann gentoo-dev Security 2018-01-26 14:54:17 UTC
@ Arches,

please test and mark stable:

  =app-antivirus/clamav-0.99.3
Comment 6 Thomas Deutschmann gentoo-dev Security 2018-01-26 15:13:51 UTC
I'll push -r1 to fix a fd leak problem in cli scanner.
Comment 8 Thomas Deutschmann gentoo-dev Security 2018-01-26 15:57:21 UTC
New GLSA request filed.
Comment 9 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-01-26 16:09:58 UTC
amd64 stable
Comment 10 Thomas Deutschmann gentoo-dev Security 2018-01-26 16:13:40 UTC
x86 stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2018-01-26 16:19:06 UTC
This issue was resolved and addressed in
 GLSA 201801-19 at https://security.gentoo.org/glsa/201801-19
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 12 Thomas Deutschmann gentoo-dev Security 2018-01-26 16:19:45 UTC
Re-opening for remaining architectures.
Comment 13 Thomas Raschbacher gentoo-dev 2018-01-26 17:38:53 UTC
Thanks for adding 0.99.3 - I just got home a bit earlier and was going to have a go at it, but looks like you saved me some work ;)
Comment 14 tomas charvat 2018-01-26 18:11:08 UTC
I have tested  0.99.3-r1 and problem with hang on daily.cvd signatures is gone. Its working well.
Comment 15 Sergei Trofimovich gentoo-dev 2018-01-28 12:14:45 UTC
ia64 stable
Comment 16 Sergei Trofimovich gentoo-dev 2018-01-28 18:00:45 UTC
ppc stable
Comment 17 Sergei Trofimovich gentoo-dev 2018-02-10 19:22:26 UTC
hppa stable
Comment 18 Thomas Deutschmann gentoo-dev Security 2018-03-02 18:53:34 UTC
Superseded by bug 649314.
Comment 19 Tobias Klausmann gentoo-dev 2018-03-04 17:08:27 UTC
Stable on alpha.
Comment 20 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-22 21:46:23 UTC
Cleanup will happen with GLSA release.