Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 780894 (CVE-2021-1405) - <app-antivirus/clamav-0.103.2: null pointer deref in mail parsing
Summary: <app-antivirus/clamav-0.103.2: null pointer deref in mail parsing
Status: RESOLVED FIXED
Alias: CVE-2021-1405
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://blog.clamav.net/2021/04/clama...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-07 20:37 UTC by Thomas Raschbacher
Modified: 2021-05-01 00:02 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Raschbacher gentoo-dev 2021-04-07 20:37:25 UTC 
this release fixes several CVEs one affecting current stable version: 
https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html

copy paste of CVE info:

CVE-2021-1386: Fix for UnRAR DLL load privilege escalation. Affects 0.103.1 and prior on Windows only.
CVE-2021-1252: Fix for Excel XLM parser infinite loop. Affects 0.103.0 and 0.103.1 only.
CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash. Affects 0.103.0 and 0.103.1 only.
CVE-2021-1405: Fix for mail parser NULL-dereference crash. Affects 0.103.1 and prior.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2021-04-08 00:26:09 UTC 
x86 stable
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-09 22:14:55 UTC 
arm done
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-09 22:18:23 UTC 
arm64 done
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-09 22:21:01 UTC 
ppc64 done
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-09 22:23:42 UTC 
amd64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-04-10 04:25:34 UTC 
ppc done

all arches done
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-04-10 15:36:47 UTC 
Please cleanup
Comment 8 Larry the Git Cow gentoo-dev 2021-04-16 21:37:41 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=efb776cfc91e76c5c747aebf897a09cb1cd82e1a

commit efb776cfc91e76c5c747aebf897a09cb1cd82e1a
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2021-04-16 21:33:13 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2021-04-16 21:37:16 +0000

    app-antivirus/clamav: remove old clamav-0.102.4.ebuild.
    
    Bug: https://bugs.gentoo.org/780894
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 app-antivirus/clamav/Manifest              |   1 -
 app-antivirus/clamav/clamav-0.102.4.ebuild | 222 -----------------------------
 2 files changed, 223 deletions(-)
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2021-04-30 23:39:39 UTC 
New GLSA request filed.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-05-01 00:02:08 UTC 
This issue was resolved and addressed in
 GLSA 202104-07 at https://security.gentoo.org/glsa/202104-07
by GLSA coordinator Thomas Deutschmann (whissi).