Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 428584 (CVE-2012-1457) - <app-antivirus/clamav-0.97.5-r1: multiple vulnerabilities (CVE-2012-{1457,1458,1459})
Summary: <app-antivirus/clamav-0.97.5-r1: multiple vulnerabilities (CVE-2012-{1457,145...
Status: RESOLVED FIXED
Alias: CVE-2012-1457
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: http://lurker.clamav.net/message/2012...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-07-30 03:28 UTC by David J Cozatt
Modified: 2012-12-11 17:35 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David J Cozatt 2012-07-30 03:28:58 UTC
commit eb4c1b59ba05b9a228e6e1d420753c9066ffa6bb
Author: Robert Scheck <robert at fedoraproject.org>
Date:   Sun Jul 1 02:11:28 2012 +0200

    - Upgrade to 0.97.5
    - Fix CVE-2012-1419 clamav: specially-crafted POSIX tar files evade detection
    - Fix CVE-2012-1457 clamav: overly long length field in tar files evade detection
    - Fix CVE-2012-1443 clamav: specially-crafted RAR files evade detection
    - Fix CVE-2012-1458 clamav: specially-crafted CHM files evade detection
    - Fix CVE-2012-1459 clamav: specially-crafted length field in tar files evade detection
    - Ship local copy of virus database; it was removed by accident from 0.97.5 tarball

Reproducible: Always
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2012-07-30 23:07:51 UTC
# ChangeLog for app-antivirus/clamav
# Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
# $Header: /var/cvsroot/gentoo-x86/app-antivirus/clamav/ChangeLog,v 1.418 2012/06/24 20:07:37 radhermit Exp $

  24 Jun 2012; Tim Harder <radhermit@gentoo.org> clamav-0.97.5.ebuild:
  Use prune_libtool_files instead of autotools-utils.

*clamav-0.97.5 (24 Jun 2012)

  24 Jun 2012; Hanno Boeck <hanno@gentoo.org> +clamav-0.97.5.ebuild:
  Version bump.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 


ClamAV 0.97.5 is now available. 

0.97.5 
------ 

ClamAV 0.97.5 addresses possible evasion cases in some archive formats 
(CVE-2012-1457, CVE-2012-1458, CVE-2012-1459). It also addresses stability 
issues in portions of the bytecode engine. This release is recommended for 
all 
users.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-07-30 23:35:55 UTC
CVE-2012-1459 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1459):
  The TAR file parser in AhnLab V3 Internet Security 2011.01.18.00, Avira
  AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7, avast! Antivirus 4.8.1351.0
  and 5.0.677.0, AVG Anti-Virus 10.0.0.1190, Bitdefender 7.2, Quick Heal (aka
  Cat QuickHeal) 11.00, ClamAV 0.96.4, Command Antivirus 5.2.11.5, Comodo
  Antivirus 7424, Emsisoft Anti-Malware 5.1.0.1, F-Prot Antivirus 4.6.2.117,
  F-Secure Anti-Virus 9.0.16160.0, Fortinet Antivirus 4.2.254.0, G Data
  AntiVirus 21, Ikarus Virus Utilities T3 Command Line Scanner 1.1.97.0,
  Jiangmin Antivirus 13.0.900, K7 AntiVirus 9.77.3565, Kaspersky Anti-Virus
  7.0.0.125, McAfee Anti-Virus Scanning Engine 5.400.0.1158, McAfee Gateway
  (formerly Webwasher) 2010.1C, Antimalware Engine 1.1.6402.0 in Microsoft
  Security Essentials 2.0, NOD32 Antivirus 5795, Norman Antivirus 6.06.12,
  nProtect Anti-Virus 2011-01-17.01, Panda Antivirus 10.0.2.7, PC Tools
  AntiVirus 7.0.3.5, Rising Antivirus 22.83.00.03, Sophos Anti-Virus 4.61.0,
  AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11, Trend Micro
  AntiVirus 9.120.0.1004, Trend Micro HouseCall 9.120.0.1004, VBA32 3.12.14.2,
  and VirusBuster 13.6.151.0 allows remote attackers to bypass malware
  detection via a TAR archive entry with a length field corresponding to that
  entire entry, plus part of the header of the next entry.  NOTE: this may
  later be SPLIT into multiple CVEs if additional information is published
  showing that the error occurred independently in different TAR parser
  implementations.

CVE-2012-1458 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1458):
  The Microsoft CHM file parser in ClamAV 0.96.4 and Sophos Anti-Virus 4.61.0
  allows remote attackers to bypass malware detection via a crafted reset
  interval in the LZXC header of a CHM file.  NOTE: this may later be SPLIT
  into multiple CVEs if additional information is published showing that the
  error occurred independently in different CHM parser implementations.

CVE-2012-1457 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-1457):
  The TAR file parser in Avira AntiVir 7.11.1.163, Antiy Labs AVL SDK 2.0.3.7,
  avast! Antivirus 4.8.1351.0 and 5.0.677.0, AVG Anti-Virus 10.0.0.1190,
  Bitdefender 7.2, Quick Heal (aka Cat QuickHeal) 11.00, ClamAV 0.96.4,
  Command Antivirus 5.2.11.5, Emsisoft Anti-Malware 5.1.0.1, eSafe 7.0.17.0,
  F-Prot Antivirus 4.6.2.117, G Data AntiVirus 21, Ikarus Virus Utilities T3
  Command Line Scanner 1.1.97.0, Jiangmin Antivirus 13.0.900, K7 AntiVirus
  9.77.3565, Kaspersky Anti-Virus 7.0.0.125, McAfee Anti-Virus Scanning Engine
  5.400.0.1158, McAfee Gateway (formerly Webwasher) 2010.1C, Antimalware
  Engine 1.1.6402.0 in Microsoft Security Essentials 2.0, NOD32 Antivirus
  5795, Norman Antivirus 6.06.12, PC Tools AntiVirus 7.0.3.5, Rising Antivirus
  22.83.00.03, AVEngine 20101.3.0.103 in Symantec Endpoint Protection 11,
  Trend Micro AntiVirus 9.120.0.1004, Trend Micro HouseCall 9.120.0.1004,
  VBA32 3.12.14.2, and VirusBuster 13.6.151.0 allows remote attackers to
  bypass malware detection via a TAR archive entry with a length field that
  exceeds the total TAR file size.  NOTE: this may later be SPLIT into
  multiple CVEs if additional information is published showing that the error
  occurred independently in different TAR parser implementations.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-30 23:40:00 UTC
Thanks for the report, David.

Maintainers, may we proceed to stabilize =app-antivirus/clamav-0.97.5 ?
Comment 4 Eray Aslan gentoo-dev 2012-08-11 13:17:04 UTC
(In reply to comment #3)
> Maintainers, may we proceed to stabilize =app-antivirus/clamav-0.97.5 ?

@security:  Please go ahead.  You might want to consider stabilizing =app-antivirus/clamav-0.97.5-r1 while at it (fixes missing run directory in init script).
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-08-11 15:56:55 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > Maintainers, may we proceed to stabilize =app-antivirus/clamav-0.97.5 ?
> 
> @security:  Please go ahead.  You might want to consider stabilizing
> =app-antivirus/clamav-0.97.5-r1 while at it (fixes missing run directory in
> init script).

Great, thank you.

Arches, please test and mark stable:
=app-antivirus/clamav-0.97.5-r1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2012-08-11 16:10:09 UTC
Stable for HPPA.
Comment 7 Agostino Sarubbo gentoo-dev 2012-08-11 18:36:27 UTC
amd64 stable
Comment 8 Andreas Schürch gentoo-dev 2012-08-17 06:18:49 UTC
x86 stable, thanks.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2012-08-19 14:54:58 UTC
alpha/ia64/sparc stable
Comment 10 Brent Baude (RETIRED) gentoo-dev 2012-08-28 18:52:57 UTC
ppc64 done
Comment 11 Brent Baude (RETIRED) gentoo-dev 2012-10-05 15:48:52 UTC
ppc done
Comment 12 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-12 11:51:52 UTC
Thanks, everyone.

GLSA vote: no.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2012-12-11 17:35:34 UTC
Thanks, folks. GLSA Vote: no too. Closing noglsa.