clamav versions below 0.99.3 are subject to CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, CVE-2017-12378, CVE-2017-12379, CVE-2017-12380, and probably some more that do not have a CVE yet.
An additional reason to version bump is the fact that, since the new clamav release, the content of daily.cvd causes clamav 0.99.2 to crash.
Reproducible: Always
Steps to Reproduce:
1. freshclam
2. reload clamd database
3. see clam log file
Actual Results:
LibClamAV Error: cli_scanscript: could not map file /tmp/clamav-4f44363190ef9da19b58fe176ee5e22d.tmp
LibClamAV Error: cli_scanscript: could not map file /tmp/clamav-92bc8f14fbf93f57e5ac90379c0c3ae3.tmp
Expected Results:
clean log file
To fix the clamd errors, which prevent clamd from working, you can delete daily.cvd and stop freshclam. I'm not sure whether clamav 0.99.3 will fix this; however, there are other reasons to version bump and it could also fix the problem with daily.cvd.
@ tomas: Please do not add version information to summary when you report vulnerabilities. Thank you.
*** Bug 645806 has been marked as a duplicate of this bug. ***
0.99.3 is not in the Gentoo repository yet. Please do not put the version in the summary until an unaffected ebuild is committed.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f2ba0e7dfb1e0e5290366cef02a553c3e56120b9
commit f2ba0e7dfb1e0e5290366cef02a553c3e56120b9
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-01-26 14:46:05 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-01-26 14:52:33 +0000
    app-antivirus/clamav: bump, fixes multiple vulnerabilites
    Bug: https://bugs.gentoo.org/645794
    Package-Manager: Portage-2.3.20, Repoman-2.3.6
 app-antivirus/clamav/Manifest             |   1 +
 app-antivirus/clamav/clamav-0.99.3.ebuild | 158 ++++++++++++++++++++++++++++++
 2 files changed, 159 insertions(+)
@ Arches, please test and mark stable: =app-antivirus/clamav-0.99.3
I'll push -r1 to fix an fd leak problem in the cli scanner.
Pushed, https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=194c79e18139961a9411a22566eb29d764081ef2
New GLSA request filed.
amd64 stable
x86 stable
This issue was resolved and addressed in GLSA 201801-19 at https://security.gentoo.org/glsa/201801-19 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening for remaining architectures.
Thanks for adding 0.99.3 - I just got home a bit earlier and was going to have a go at it, but looks like you saved me some work ;)
I have tested 0.99.3-r1 and the problem with the hang on daily.cvd signatures is gone. It's working well.
ia64 stable
ppc stable
hppa stable
Superseded by bug 649314.
Stable on alpha.
Cleanup will happen with GLSA release.