Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 831083 (CVE-2022-20698) - <app-antivirus/clamav-{0.103.5,0.104.2}: invalid pointer read
Summary: <app-antivirus/clamav-{0.103.5,0.104.2}: invalid pointer read
Status: IN_PROGRESS
Alias: CVE-2022-20698
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa?]
Keywords:
Depends on: 831281
Blocks:
  Show dependency tree
 
Reported: 2022-01-12 20:53 UTC by Thomas Raschbacher
Modified: 2022-02-03 01:19 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Raschbacher gentoo-dev 2022-01-12 20:53:31 UTC
As mentioned in https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698

Working on adding the new versions as we speak.
Comment 1 Larry the Git Cow gentoo-dev 2022-01-12 21:22:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b942e8883e4a2d6d3a863701d453c60c6a1ee02

commit 6b942e8883e4a2d6d3a863701d453c60c6a1ee02
Author:     Thomas Raschbacher <lordvan@gentoo.org>
AuthorDate: 2022-01-12 21:19:19 +0000
Commit:     Thomas Raschbacher <lordvan@gentoo.org>
CommitDate: 2022-01-12 21:22:03 +0000

    app-antivirus/clamav: new upstream security release v0.104.2.
    
    Bug: https://bugs.gentoo.org/831083
    Closes: https://bugs.gentoo.org/819216
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Thomas Raschbacher <lordvan@gentoo.org>

 app-antivirus/clamav/Manifest                 |   2 -
 app-antivirus/clamav/clamav-0.104.0-r1.ebuild | 219 --------------------------
 app-antivirus/clamav/clamav-0.104.1.ebuild    | 215 -------------------------
 app-antivirus/clamav/clamav-0.104.2.ebuild    |   4 +-
 4 files changed, 2 insertions(+), 438 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3c15e9c20273d48f6437163ee57a48b8ba07a2d6

commit 3c15e9c20273d48f6437163ee57a48b8ba07a2d6
Author:     Thomas Raschbacher <lordvan@gentoo.org>
AuthorDate: 2022-01-12 21:09:10 +0000
Commit:     Thomas Raschbacher <lordvan@gentoo.org>
CommitDate: 2022-01-12 21:20:07 +0000

    app-antivirus/clamav: new upstream security release
    
    Bug: https://bugs.gentoo.org/831083
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Thomas Raschbacher <lordvan@gentoo.org>

 app-antivirus/clamav/Manifest              |   1 +
 app-antivirus/clamav/clamav-0.104.2.ebuild | 215 +++++++++++++++++++++++++++++
 2 files changed, 216 insertions(+)
Comment 2 Thomas Raschbacher gentoo-dev 2022-01-12 21:23:47 UTC
mjo already added 0.103.5 already: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=669ac0a9ae4134b20e228f544229ff6a50b79965

rest is up to security team
Comment 3 Thomas Raschbacher gentoo-dev 2022-01-12 21:25:46 UTC
Also fixed a config file defaults bug and removed vulnerable non-stable versions already.
Comment 4 John Helmert III gentoo-dev Security 2022-01-12 21:53:39 UTC
CVE-2022-20698:

"Fix for invalid pointer read that may cause a crash. This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) is enabled.

Cisco would like to thank Laurent Delosieres of ManoMano for reporting this vulnerability."

Thanks guys! Please stabilize a fixed version when ready.
Comment 5 Larry the Git Cow gentoo-dev 2022-02-02 14:39:53 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1259a46e77e330738303cf3d703156301c35961e

commit 1259a46e77e330738303cf3d703156301c35961e
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2022-02-02 13:50:45 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2022-02-02 13:50:45 +0000

    app-antivirus/clamav: remove vulnerable v0.103.4.
    
    Bug: https://bugs.gentoo.org/831083
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 app-antivirus/clamav/Manifest              |   1 -
 app-antivirus/clamav/clamav-0.103.4.ebuild | 239 -----------------------------
 2 files changed, 240 deletions(-)
Comment 6 John Helmert III gentoo-dev Security 2022-02-03 01:19:30 UTC
Thanks!