Bug 529728 (CVE-2014-9050) - <app-antivirus/clamav-0.98.5: multiple vulnerabilities (CVE-2014-9050)
Status: RESOLVED FIXED
Alias: CVE-2014-9050
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://blog.clamav.net/2014/11/clamav...
Whiteboard: B2 [glsa]
Reported: 2014-11-18 23:05 UTC by Hanno Böck
Modified: 2015-02-05 15:17 UTC
Description Hanno Böck gentoo-dev 2014-11-18 23:05:45 UTC
From Changelog:
Security fix for ClamAV crash when using 'clamscan -a'. This issue was identified by Kurt Seifried of Red Hat.
Security fix for ClamAV crash when scanning maliciously crafted yoda's crypter files. This issue, as well as several other bugs fixed in this release, were identified by Damien Millescamp of Oppida.
http://blog.clamav.net/2014/11/clamav-0985-has-been-released.html

No more details yet.
Comment 1 Hanno Böck gentoo-dev 2014-11-21 12:02:04 UTC
This sounds more severe:
http://www.openwall.com/lists/oss-security/2014/11/21/12
Please update as soon as possible.
Comment 2 Thomas Raschbacher gentoo-dev 2014-11-27 08:33:54 UTC
Thanks for reminding me, Hanno. I am guilty of seeing the release mail for 0.98.5 but not reading it (therefore I hadn't noticed the security fix).

Looking at it now (just deciding what to do about the new feature which requires libjson-c)
Comment 3 Thomas Raschbacher gentoo-dev 2014-11-27 09:34:34 UTC
Committed.
I assume you want it stabilized asap but leaving the rest to Security Team.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-11-27 20:02:34 UTC
Maintainer(s): Please let us know when the ebuild is ready for stabilization, or call for stabilization.

Notes on compromise:
A heap buffer overflow was reported in [1] in ClamAV when scanning a specially crafted y0da Crypter obfuscated PE file.
Note that this is remotely exploitable when ClamAV is used as a mail gateway scanner.
Comment 5 Thomas Raschbacher gentoo-dev 2014-11-28 09:55:27 UTC
Works for me on 2 machines so afaik ok -> STABLEREQ + CC Arch teams

no extensive tests yet but compiles and runs for me -- amd64
Comment 6 Agostino Sarubbo gentoo-dev 2014-11-28 13:51:35 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-11-28 13:52:04 UTC
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2014-11-29 13:08:07 UTC
Stable for HPPA.
Comment 9 Agostino Sarubbo gentoo-dev 2014-11-29 13:29:53 UTC
ppc64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-12-01 09:18:27 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-12-02 11:58:22 UTC
alpha stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-12-03 09:59:09 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-12-06 16:49:19 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-12-07 19:52:53 UTC
CVE-2014-9050 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9050):
  Heap-based buffer overflow in the cli_scanpe function in libclamav/pe.c in
  ClamAV before 0.95.4 allows remote attackers to cause a denial of service
  (crash) via a crafted y0da Crypter PE file.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2014-12-07 19:56:43 UTC
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version(s).

New GLSA Request filed.
Comment 16 Sergey Popov gentoo-dev 2014-12-09 12:53:12 UTC
+  09 Dec 2014; Sergey Popov <pinkbyte@gentoo.org> package.mask:
+  Mask vulnerable versions of app-antivirus/clamav
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-12-10 11:39:23 UTC
This issue was resolved and addressed in GLSA 201412-05 at http://security.gentoo.org/glsa/glsa-201412-05.xml by GLSA coordinator Mikle Kolyada (Zlogene).
Comment 18 Thomas Raschbacher gentoo-dev 2015-02-05 15:17:40 UTC
removed old versions after waiting a bit in case there were some issues/complaints.