CVE-2019-15961 (https://nvd.nist.gov/vuln/detail/CVE-2019-15961): A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation.
amd64 stable
x86 stable
ia64/ppc/ppc64 stable
arm stable
hppa stable
this one blocked on bug 709616 as well for arm64, as it's supposed to be a simple fix to at least avoid build failures..
(In reply to Mart Raudsepp from comment #6)
> this one blocked on bug 709616 as well for arm64, as it's supposed to be a
> simple fix to at least avoid build failures..
The upstream autoconf scripts are broken, and check for libcurl even when "libclamav" only is set (whose main purpose is to eliminate the dependency on curl). It probably won't be fixed until the next upstream release because these autoconf checks are a tangled mess of if this and not that and this then optionally that. In the meantime, we can tell people not to set USE=libclamav-only, or to "emerge -1 curl" as a workaround.
No, in the meantime you can add a curl dep (possibly build-time only if it's not actually linked to or used at runtime) for this case as well.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8601e1fc186ccfca22e2f13a970168f9968b1090
commit 8601e1fc186ccfca22e2f13a970168f9968b1090
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 20:39:43 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 20:39:57 +0000

    app-antivirus/clamav: security cleanup (bug #702010)

    Bug: https://bugs.gentoo.org/702010
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-antivirus/clamav/Manifest | 3 -
 app-antivirus/clamav/clamav-0.101.2-r1.ebuild | 176 -----------------------
 app-antivirus/clamav/clamav-0.101.4.ebuild | 176 -----------------------
 app-antivirus/clamav/clamav-0.102.1-r3.ebuild | 197 --------------------------
 4 files changed, 552 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66fddd21b881edb4d02301d53dd33d0b7d850e42
commit 66fddd21b881edb4d02301d53dd33d0b7d850e42
Author: Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-19 20:38:27 +0000
Commit: Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-19 20:39:56 +0000

    app-antivirus/clamav: mark arm64 stable (bug #702010)

    Bug: https://bugs.gentoo.org/702010
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 app-antivirus/clamav/clamav-0.102.1-r3.ebuild | 2 +-
 app-antivirus/clamav/clamav-0.102.2.ebuild | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
Added to an existing GLSA.
This issue was resolved and addressed in GLSA 202003-46 at https://security.gentoo.org/glsa/202003-46 by GLSA coordinator Thomas Deutschmann (whissi).