A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiVirus (ClamAV) Software versions 0.102.1 and 0.102.0 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to an out-of-bounds read affecting users that have enabled the optional DLP feature. An attacker could exploit this vulnerability by sending a crafted email file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition.
The bug has been referenced in the following commit(s):
Author: Michael Orlitzky <email@example.com>
AuthorDate: 2020-02-06 00:13:31 +0000
Commit: Michael Orlitzky <firstname.lastname@example.org>
CommitDate: 2020-02-06 00:16:37 +0000
app-antivirus/clamav: new security release v0.102.2.
Package-Manager: Portage-2.3.84, Repoman-2.3.20
Signed-off-by: Michael Orlitzky <email@example.com>
app-antivirus/clamav/Manifest | 1 +
app-antivirus/clamav/clamav-0.102.2.ebuild | 198 +++++++++++++++++++++++++++++
2 files changed, 199 insertions(+)
Ready for stabilization, tests should pass.
arm64 blocked on bug 709616
arm64 marked stable
New GLSA request filed.
This issue was resolved and addressed in
GLSA 202003-46 at https://security.gentoo.org/glsa/202003-46
by GLSA coordinator Thomas Deutschmann (whissi).