CVE-2024-20506: Changed the logging module to disable following symlinks on Linux and Unix systems so as to prevent an attacker with existing access to the 'clamd' or 'freshclam' services from using a symlink to corrupt system files.

This issue affects all currently supported versions. It will be fixed in: 1.4.1, 1.3.2, 1.0.7, 0.103.12

Thank you to Detlef for identifying this issue.

CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF file parser that could cause a denial-of-service (DoS) condition.

This issue affects all currently supported versions. It will be fixed in: 1.4.1, 1.3.2, 1.0.7, 0.103.12

Thank you to OSS-Fuzz for identifying this issue.
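For CVE-2024-20506 above, a sketch of the general mitigation the advisory names: opening a log file so that a symlink in its place is refused rather than followed. This is an added example, not ClamAV's or Gentoo's code; the function names, file names and temporary directory layout are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an append-mode fd for a log file, or -1. */
int open_log_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    struct stat st;
    if (fd < 0)
        return -1; /* Linux sets errno to ELOOP when path is a symlink */
    /* Verify the object actually opened (not the path) is a regular file. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed scenario: "clamd.log" is a symlink to "victim" in a temp dir.
 * Returns 1 if the symlink is refused, victim stays empty, a plain log works. */
int demo_symlink_rejected(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    char victim[128], link_path[128], plain[128];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link_path, sizeof link_path, "%s/clamd.log", dir);
    snprintf(plain, sizeof plain, "%s/plain.log", dir);
    int v = open(victim, O_WRONLY | O_CREAT, 0600);
    if (v < 0 || close(v) != 0 || symlink(victim, link_path) != 0) return 0;

    int fd = open_log_nofollow(link_path);
    int refused = (fd == -1);
    if (fd >= 0) close(fd);
    int ok = 0;
    fd = open_log_nofollow(plain);
    if (fd >= 0) { ok = (write(fd, "scan started\n", 13) == 13); close(fd); }
    int untouched = (stat(victim, &st) == 0 && st.st_size == 0);
    unlink(link_path); unlink(victim); unlink(plain); rmdir(dir);
    return refused && ok && untouched;
}
```

O_NOFOLLOW only applies to the final path component, so the log directory and its parents must also not be writable by the less-privileged account.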
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=71557910e46822fea0d51122c20f6d3a1bd9ac2a

commit 71557910e46822fea0d51122c20f6d3a1bd9ac2a
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-09-23 10:52:06 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-09-23 11:11:56 +0000

    app-antivirus/clamav: drop vulnerable

    These versions of clamav have been superseded and are vulnerable to CVE-2024-20505 and CVE-2024-20506.

    Bug: https://bugs.gentoo.org/940140
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 app-antivirus/clamav/Manifest | 50 +---
 app-antivirus/clamav/clamav-1.0.6.ebuild | 400 ---------------------------
 app-antivirus/clamav/clamav-1.2.3.ebuild | 394 --------------------------
 app-antivirus/clamav/clamav-1.3.1-r2.ebuild | 408 ---------------------------
 app-antivirus/clamav/clamav-1.3.1.ebuild | 397 --------------------------
 app-antivirus/clamav/clamav-1.4.0.ebuild | 414 ----------------------------
 6 files changed, 1 insertion(+), 2062 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6091414aa294862a44a98047c7a0f738b845d4cd

commit 6091414aa294862a44a98047c7a0f738b845d4cd
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-09-23 11:09:13 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-09-23 11:11:56 +0000

    app-antivirus/clamav: add 1.0.7

    Bug: https://bugs.gentoo.org/940140
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 app-antivirus/clamav/clamav-1.0.7.ebuild | 404 +++++++++++++++++++++
 .../files/clamav-1.0.7-cmake-python-version.patch | 51 +++
 2 files changed, 455 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9f29d4c4ad7418acd552a813068c4e1428d1462e

commit 9f29d4c4ad7418acd552a813068c4e1428d1462e
Author:     Matt Jolly <kangie@gentoo.org>
AuthorDate: 2024-09-23 10:46:38 +0000
Commit:     Matt Jolly <kangie@gentoo.org>
CommitDate: 2024-09-23 11:11:55 +0000

    app-antivirus/clamav: add 1.4.1

    Bug: https://bugs.gentoo.org/940140
    Signed-off-by: Matt Jolly <kangie@gentoo.org>

 app-antivirus/clamav/Manifest | 1 +
 app-antivirus/clamav/clamav-1.4.1.ebuild | 413 +++++++++++++++++++++++++++++++
 2 files changed, 414 insertions(+)