Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 681840 (CVE-2019-1785, CVE-2019-1786, CVE-2019-1787, CVE-2019-1788, CVE-2019-1789, CVE-2019-1798) - <app-antivirus/clamav-0.101.2: multiple vulnerabilities (CVE-2019-{1785,1786,1787,1788,1789,1798})
Summary: <app-antivirus/clamav-0.101.2: multiple vulnerabilities (CVE-2019-{1785,1786,...
Alias: CVE-2019-1785, CVE-2019-1786, CVE-2019-1787, CVE-2019-1788, CVE-2019-1789, CVE-2019-1798
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa+ cve]
Depends on:
Reported: 2019-03-27 09:16 UTC by GLSAMaker/CVETool Bot
Modified: 2019-04-13 03:56 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-03-27 09:16:53 UTC
Incoming details.
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2019-03-27 09:18:53 UTC

ClamAV 0.101.2 is a patch release to address a handful of security related bugs.

This patch release is being released alongside the 0.100.3 patch so that users
who are unable to upgrade to 0.101 due to libclamav API changes are protected.

This release includes 3 extra security related bug fixes that do not apply to
prior versions.  In addition, it includes a number of minor bug fixes and

- Fixes for the following vulnerabilities affecting 0.101.1 and prior:
  - CVE-2019-1787:
    An out-of-bounds heap read condition may occur when scanning PDF
    documents. The defect is a failure to correctly keep track of the number
    of bytes remaining in a buffer when indexing file data.
  - CVE-2019-1789:
    An out-of-bounds heap read condition may occur when scanning PE files
    (i.e. Windows EXE and DLL files) that have been packed using Aspack as a
    result of inadequate bound-checking.
  - CVE-2019-1788:
    An out-of-bounds heap write condition may occur when scanning OLE2 files
    such as Microsoft Office 97-2003 documents. The invalid write happens when
    an invalid pointer is mistakenly used to initialize a 32bit integer to
    zero. This is likely to crash the application.

- Fixes for the following vulnerabilities affecting 0.101.1 and 0.101.0 only:
  - CVE-2019-1786:
    An out-of-bounds heap read condition may occur when scanning malformed PDF
    documents as a result of improper bounds-checking.
  - CVE-2019-1785:
    A path-traversal write condition may occur as a result of improper input
    validation when scanning RAR archives. Issue reported by aCaB.
  - CVE-2019-1798:
    A use-after-free condition may occur as a result of improper error
    handling when scanning nested RAR archives. Issue reported by David L.

- Fixes for the following assorted bugs:
  - Added checks to prevent shifts from causing undefined behavior in HTML
    normalizer, UPX unpacker, ARJ extractor, CPIO extractor, OLE2 parser,
    LZW decompressor used in the PDF parser, Xz decompressor, and UTF-16 to
    ASCII transcoder.
  - Added checks to prevent integer overflow in UPX unpacker.
  - Fix for minor memory leak in OLE2 parser.
  - Fix to speed up PDF parser when handling truncated (or malformed) PDFs.
  - Fix for memory leak in ARJ decoder failure condition.
  - Fix for potential memory and file descriptor leak in HTML normalization code.

- Removed use of problematic feature that converted file descriptors to
  file paths. The feature was intended to improve performance when scanning
  file types, notably RAR archives, for which the API requires a file path.
  This feature caused issues in environments where the ClamAV engine is run
  in a low-permissions or sandboxed process. RAR archives are still supported
  with this change, but performance may suffer slightly if the file path is not
  provided in calls to `cl_scandesc_callback()`.
  - Added filename and tempfile names to scandesc calls in clamd.
  - Added general scan option `CL_SCAN_GENERAL_UNPRIVILEGED` to treat the scan
    engine as unprivileged, meaning that the scan engine will not have read
    access to the file. Provided file paths are for logging purposes only.
  - Added ability to create a temp file when scanning RAR archives when the
    process does not have read access to the file path provided (i.e.
    unprivileged is set, or an access check fails).
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-03-28 02:38:39 UTC
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.

In Tree. please advise when ready to stabilize. This is a B2 (10 Day).
Comment 3 Thomas Raschbacher gentoo-dev 2019-03-29 20:44:06 UTC
@whissy: thanks for the quick action. I was too busy to notice this until earlier today.
I just did a few tests myself and so far it seems to work just fine.
So I think stabilization should be ok, but please advise arch teams to maybe do a few extra test runs just in case since I did not have time to test a lot myself yet.
Comment 4 Thomas Raschbacher gentoo-dev 2019-03-29 20:48:09 UTC
@security: i would appreciate if you could do me the favour of adding the STABLEREQ this time as I am quite busy right now
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2019-03-29 20:57:59 UTC
@arches, please stabilize.
Comment 6 Agostino Sarubbo gentoo-dev 2019-03-30 10:47:25 UTC
amd64 stable
Comment 7 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-03-30 19:10:36 UTC
arm stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2019-04-01 17:22:10 UTC
x86 stable
Comment 9 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:39:24 UTC
hppa stable
Comment 10 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:44:45 UTC
ia64 stable
Comment 11 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-07 21:53:28 UTC
ppc64 stable
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2019-04-08 06:20:11 UTC
ppc stable
Comment 13 Aaron Bauman (RETIRED) gentoo-dev 2019-04-08 13:43:17 UTC
@maintainer(s), please drop vulnerable.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2019-04-08 15:23:57 UTC
This issue was resolved and addressed in
 GLSA 201904-12 at
by GLSA coordinator Aaron Bauman (b-man).
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2019-04-08 15:27:57 UTC
re-opened to track alpha...

@alpha, can this be keyworded and stabled?
Comment 16 Matt Turner gentoo-dev 2019-04-13 03:54:03 UTC
alpha stable