Bug 708424 (CVE-2020-3123) - <app-antivirus/clamav-0.102.2: denial of service condition (CVE-2020-3123)
Summary: <app-antivirus/clamav-0.102.2: denial of service condition (CVE-2020-3123)
Status: RESOLVED FIXED
Alias: CVE-2020-3123
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://cve.mitre.org/cgi-bin/cvename...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on: 709616
Blocks:
Reported: 2020-02-05 23:10 UTC by filip ambroz
Modified: 2020-03-19 20:50 UTC

See Also:
Package list:
=app-antivirus/clamav-0.102.2
Runtime testing required: ---
stable-bot: sanity-check+

Description filip ambroz 2020-02-05 23:10:37 UTC
A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiVirus (ClamAV) Software versions 0.102.1 and 0.102.0 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to an out-of-bounds read affecting users that have enabled the optional DLP feature. An attacker could exploit this vulnerability by sending a crafted email file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123
https://nvd.nist.gov/vuln/detail/CVE-2020-3123
Comment 1 Larry the Git Cow gentoo-dev 2020-02-06 00:20:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e358b025b6215c284de6047b54dca1e9b981126a

commit e358b025b6215c284de6047b54dca1e9b981126a
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-02-06 00:13:31 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-02-06 00:16:37 +0000

    app-antivirus/clamav: new security release v0.102.2.
    
    Bug: https://bugs.gentoo.org/708424
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 app-antivirus/clamav/Manifest              |   1 +
 app-antivirus/clamav/clamav-0.102.2.ebuild | 198 +++++++++++++++++++++++++++++
 2 files changed, 199 insertions(+)
Comment 2 Michael Orlitzky gentoo-dev 2020-02-06 00:21:25 UTC
Ready for stabilization, tests should pass.
Comment 3 Agostino Sarubbo gentoo-dev 2020-02-07 12:50:23 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-02-07 13:15:30 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-02-11 08:44:49 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-02-11 10:56:28 UTC
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-02-11 11:32:01 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-02-11 11:37:39 UTC
arm stable
Comment 9 Rolf Eike Beer 2020-02-14 19:41:10 UTC
hppa stable
Comment 10 Mart Raudsepp gentoo-dev 2020-03-14 21:14:07 UTC
arm64 blocked on bug 709616
Comment 11 Thomas Deutschmann gentoo-dev Security 2020-03-19 20:41:43 UTC
arm64 marked stable

New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-03-19 20:50:11 UTC
This issue was resolved and addressed in
 GLSA 202003-46 at https://security.gentoo.org/glsa/202003-46
by GLSA coordinator Thomas Deutschmann (whissi).