Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 708424 (CVE-2020-3123) - <app-antivirus/clamav-0.102.2: denial of service condition (CVE-2020-3123)
Summary: <app-antivirus/clamav-0.102.2: denial of service condition (CVE-2020-3123)
Alias: CVE-2020-3123
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa+ cve]
Depends on: 709616
  Show dependency tree
Reported: 2020-02-05 23:10 UTC by filip ambroz
Modified: 2020-03-19 20:50 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description filip ambroz 2020-02-05 23:10:37 UTC
A vulnerability in the Data-Loss-Prevention (DLP) module in Clam AntiVirus (ClamAV) Software versions 0.102.1 and 0.102.0 could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to an out-of-bounds read affecting users that have enabled the optional DLP feature. An attacker could exploit this vulnerability by sending a crafted email file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process crash, resulting in a denial of service condition.

Comment 1 Larry the Git Cow gentoo-dev 2020-02-06 00:20:38 UTC
The bug has been referenced in the following commit(s):

commit e358b025b6215c284de6047b54dca1e9b981126a
Author:     Michael Orlitzky <>
AuthorDate: 2020-02-06 00:13:31 +0000
Commit:     Michael Orlitzky <>
CommitDate: 2020-02-06 00:16:37 +0000

    app-antivirus/clamav: new security release v0.102.2.
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Michael Orlitzky <>

 app-antivirus/clamav/Manifest              |   1 +
 app-antivirus/clamav/clamav-0.102.2.ebuild | 198 +++++++++++++++++++++++++++++
 2 files changed, 199 insertions(+)
Comment 2 Michael Orlitzky gentoo-dev 2020-02-06 00:21:25 UTC
Ready for stabilization, tests should pass.
Comment 3 Agostino Sarubbo gentoo-dev 2020-02-07 12:50:23 UTC
x86 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-02-07 13:15:30 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-02-11 08:44:49 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-02-11 10:56:28 UTC
ia64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-02-11 11:32:01 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-02-11 11:37:39 UTC
arm stable
Comment 9 Rolf Eike Beer archtester 2020-02-14 19:41:10 UTC
hppa stable
Comment 10 Mart Raudsepp gentoo-dev 2020-03-14 21:14:07 UTC
arm64 blocked on bug 709616
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-19 20:41:43 UTC
arm64 marked stable

New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-03-19 20:50:11 UTC
This issue was resolved and addressed in
 GLSA 202003-46 at
by GLSA coordinator Thomas Deutschmann (whissi).