Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 649314 (CVE-2018-0202, CVE-2018-1000085) - <app-antivirus/clamav-0.99.4: multiple vulnerabilities (CVE-2018-{0202,1000085})
Summary: <app-antivirus/clamav-0.99.4: multiple vulnerabilities (CVE-2018-{0202,1000085})
Status: RESOLVED FIXED
Alias: CVE-2018-0202, CVE-2018-1000085
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://blog.clamav.net/2018/03/clamav...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on: 649516
Blocks: 623534 625632 CVE-2017-6420 CVE-2017-6418 CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377, CVE-2017-12378, CVE-2017-12379, CVE-2017-12380
  Show dependency tree
 
Reported: 2018-03-02 00:51 UTC by GLSAMaker/CVETool Bot
Modified: 2018-05-26 14:17 UTC (History)
3 users (show)

See Also:
Package list:
app-antivirus/clamav-0.99.4-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-03-02 00:51:41 UTC
CVE-2018-1000085 (https://nvd.nist.gov/vuln/detail/CVE-2018-1000085):
  An out-of-bounds heap read vulnerability was found in XAR parser that leads
  to clamscan crash when invoked on malicious XAR file.


Upstream patch:

https://github.com/Cisco-Talos/clamav-devel/commit/d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6

Reference:

http://www.openwall.com/lists/oss-security/2017/09/29/4


@ Maintainer(s): clamav-0.99.4 contains the fix.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-03-02 00:58:05 UTC
CVE-2018-0202:
    Two newly reported vulnerabilities in the PDF parsing code.
Comment 2 Thomas Deutschmann gentoo-dev Security 2018-03-02 18:51:25 UTC
@ Arches,

please test and mark stable: =app-antivirus/clamav-0.99.4
Comment 3 Sergei Trofimovich gentoo-dev 2018-03-03 11:40:24 UTC
ia64 stable
Comment 4 Thomas Deutschmann gentoo-dev Security 2018-03-04 01:44:22 UTC
x86 stopped stabilization due to bug 649516.
Comment 5 tomas charvat 2018-03-04 21:05:31 UTC
tested on amd64, scanned 30mil. files, no problem
Comment 6 ernsteiswuerfel 2018-03-20 19:43:04 UTC
ppc

Builds ok, but one test fails (bug #634142).
Comment 7 Larry the Git Cow gentoo-dev 2018-03-29 02:12:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6164b7059e16d9c3f862ba52fd159297c7d2fe0e

commit 6164b7059e16d9c3f862ba52fd159297c7d2fe0e
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-03-29 02:12:36 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-03-29 02:12:36 +0000

    app-antivirus/clamav: amd64 stable
    
    Bug: https://bugs.gentoo.org/649314
    Package-Manager: Portage-2.3.26, Repoman-2.3.7

 app-antivirus/clamav/clamav-0.99.4.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}
Comment 8 Thomas Deutschmann gentoo-dev Security 2018-03-29 22:44:54 UTC
Restarting stabilization.

Previous arch teams didn't notice the problem because clamav had an automagic on dev-libs/check. Without this package, the test revealing a major problem with zlib, wasn't run.
Comment 9 Larry the Git Cow gentoo-dev 2018-03-30 00:18:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=761684544e0f106bf88eeebd083ac2f8ada95c2c

commit 761684544e0f106bf88eeebd083ac2f8ada95c2c
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-03-30 00:14:54 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-03-30 00:14:54 +0000

    app-antivirus/clamav: amd64 stable
    
    Bug: https://bugs.gentoo.org/649314
    Package-Manager: Portage-2.3.26, Repoman-2.3.7

 app-antivirus/clamav/clamav-0.99.4-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)}
Comment 10 Sergei Trofimovich gentoo-dev 2018-03-30 12:34:47 UTC
ia64 stable
Comment 11 Tobias Klausmann gentoo-dev 2018-03-31 17:53:53 UTC
Stable on alpha.
Comment 12 Thomas Deutschmann gentoo-dev Security 2018-04-05 13:43:21 UTC
x86 stable
Comment 13 Sergei Trofimovich gentoo-dev 2018-04-07 21:58:59 UTC
ppc64 stable
Comment 14 Matt Turner gentoo-dev 2018-04-22 20:19:52 UTC
hppa stable
Comment 15 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-22 21:18:39 UTC
@maintainer(s), please clean vulnerable.

GLSA request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2018-04-22 22:34:39 UTC
This issue was resolved and addressed in
 GLSA 201804-16 at https://security.gentoo.org/glsa/201804-16
by GLSA coordinator Aaron Bauman (b-man).
Comment 17 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2018-04-22 22:35:17 UTC
re-opened for final arch and cleanup.
Comment 18 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-05-26 11:01:03 UTC
ppc stable
Comment 19 Larry the Git Cow gentoo-dev 2018-05-26 14:16:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=587259d7f37f395fb06bb8acd08f71c5c2049dea

commit 587259d7f37f395fb06bb8acd08f71c5c2049dea
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-05-26 14:15:44 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-05-26 14:15:44 +0000

    app-antivirus/clamav: drop vulnerable
    
    Bug: https://bugs.gentoo.org/649314
    Package-Manager: Portage-2.3.40, Repoman-2.3.9

 app-antivirus/clamav/Manifest                |   2 -
 app-antivirus/clamav/clamav-0.99.2-r1.ebuild | 158 --------------------------
 app-antivirus/clamav/clamav-0.99.2-r3.ebuild | 159 --------------------------
 app-antivirus/clamav/clamav-0.99.3-r1.ebuild | 159 --------------------------
 app-antivirus/clamav/clamav-0.99.3-r2.ebuild | 160 ---------------------------
 app-antivirus/clamav/clamav-0.99.4.ebuild    | 156 --------------------------
 6 files changed, 794 deletions(-)