Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 702010 (CVE-2019-15961) - <app-antivirus/clamav-0.102.1: long scanning time of specially crafted email file leads to denial of service (CVE-2019-15961)
Summary: <app-antivirus/clamav-0.102.1: long scanning time of specially crafted email ...
Status: RESOLVED FIXED
Alias: CVE-2019-15961
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://blog.clamav.net/2019/11/clama...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on: 709616
Blocks:
  Show dependency tree
 
Reported: 2019-12-05 02:14 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-19 20:49 UTC (History)
2 users (show)

See Also:
Package list:
app-antivirus/clamav-0.102.1-r3
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-12-05 02:14:38 UTC
CVE-2019-15961 (https://nvd.nist.gov/vuln/detail/CVE-2019-15961):
  A Denial-of-Service (DoS) vulnerability may occur when scanning a specially
  crafted email file as a result of excessively long scan times. The issue is
  resolved by implementing several maximums in parsing MIME messages and by
  optimizing use of memory allocation.
Comment 1 Agostino Sarubbo gentoo-dev 2020-01-24 15:57:19 UTC
amd64 stable
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-01-26 20:57:08 UTC
x86 stable
Comment 3 Sergei Trofimovich gentoo-dev 2020-01-27 10:30:43 UTC
ia64/ppc/ppc64 stable
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2020-01-27 11:39:46 UTC
arm stable
Comment 5 Sergei Trofimovich gentoo-dev 2020-02-06 12:18:17 UTC
hppa stable
Comment 6 Mart Raudsepp gentoo-dev 2020-03-17 14:15:12 UTC
this one blocked on bug 709616 as well for arm64, as it's supposed to be a simple fix to at least avoid build failures..
Comment 7 Michael Orlitzky gentoo-dev 2020-03-17 16:44:35 UTC
(In reply to Mart Raudsepp from comment #6)
> this one blocked on bug 709616 as well for arm64, as it's supposed to be a
> simple fix to at least avoid build failures..

The upstream autoconf scripts are broken, and check for libcurl even when "libclamav" only is set (whose main purpose is to eliminate the dependency on curl). It probably won't be fixed until the next upstream release because these autoconf checks are a tangled mess of if this and not that and this then optionally that.

In the meantime, we can tell people not to set USE=libclamav-only, or to "emerge -1 curl" as a workaround.
Comment 8 Mart Raudsepp gentoo-dev 2020-03-18 09:22:34 UTC
No, in the meantime you can add a curl dep (possibly build-time only if it's not actually linked to or used at runtime) for this case as well.
Comment 9 Larry the Git Cow gentoo-dev 2020-03-19 20:40:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8601e1fc186ccfca22e2f13a970168f9968b1090

commit 8601e1fc186ccfca22e2f13a970168f9968b1090
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 20:39:43 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 20:39:57 +0000

    app-antivirus/clamav: security cleanup (bug #702010)
    
    Bug: https://bugs.gentoo.org/702010
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-antivirus/clamav/Manifest                 |   3 -
 app-antivirus/clamav/clamav-0.101.2-r1.ebuild | 176 -----------------------
 app-antivirus/clamav/clamav-0.101.4.ebuild    | 176 -----------------------
 app-antivirus/clamav/clamav-0.102.1-r3.ebuild | 197 --------------------------
 4 files changed, 552 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66fddd21b881edb4d02301d53dd33d0b7d850e42

commit 66fddd21b881edb4d02301d53dd33d0b7d850e42
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 20:38:27 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 20:39:56 +0000

    app-antivirus/clamav: mark arm64 stable (bug #702010)
    
    Bug: https://bugs.gentoo.org/702010
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-antivirus/clamav/clamav-0.102.1-r3.ebuild | 2 +-
 app-antivirus/clamav/clamav-0.102.2.ebuild    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Comment 10 Thomas Deutschmann gentoo-dev Security 2020-03-19 20:42:13 UTC
Added to an existing GLSA.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2020-03-19 20:49:56 UTC
This issue was resolved and addressed in
 GLSA 202003-46 at https://security.gentoo.org/glsa/202003-46
by GLSA coordinator Thomas Deutschmann (whissi).