* CVE-2020-3327 Description: "Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash."
* CVE-2020-3341 Description: "Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash. Bug found by OSS-Fuzz."
@maintainer(s), please bump to 0.102.3.
0.102.3 is out. Will add it to the tree in a bit when at my dev box.
Committed the version bump as ~arch.
Thanks. Please let us know when you are ready for stabilisation, or call yourself.
(In reply to Sam James (sec padawan) from comment #4)
> Thanks. Please let us know when you are ready for stabilisation, or call
> yourself.

How're we looking?
I think it's OK to stabilize.
(In reply to Michael Orlitzky from comment #6)
> I think it's OK to stabilize.

Great, thanks!
arm stable
ppc stable
amd64 stable
ppc64 stable
x86 stable
arm64 stable

----

@maintainer(s), please cleanup
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=948d05626dc945da43baa24204331dd87fe534fb

commit 948d05626dc945da43baa24204331dd87fe534fb
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2020-06-09 01:45:45 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2020-06-09 01:45:45 +0000

    app-antivirus/clamav: remove older vulnerable versions.

    Bug: https://bugs.gentoo.org/722726
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 app-antivirus/clamav/Manifest                    |   1 -
 app-antivirus/clamav/clamav-0.102.2-r1.ebuild    | 214 --------------------
 app-antivirus/clamav/clamav-0.102.2-r3.ebuild    | 225 ---------------------
 .../files/clamav-0.101.2-libxml2_pkgconfig.patch |  78 -------
 4 files changed, 518 deletions(-)