ClamAV 0.103.2 security patch release

Related Vulnerabilities: CVE-2021-1252, CVE-2021-1404, CVE-2021-1405, CVE-2021-1386

Debian Bug report logs - #986622
ClamAV 0.103.2 security patch release


Reported by: Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>

Date: Thu, 8 Apr 2021 08:27:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Merged with 986790

Found in version clamav/0.103.0+dfsg-3.1

Fixed in version clamav/0.103.2+dfsg-1

Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>



Report forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#986622; Package clamav. (Thu, 08 Apr 2021 08:27:04 GMT)


Acknowledgement sent to Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>:
New Bug report received and forwarded. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Thu, 08 Apr 2021 08:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>
To: submit@bugs.debian.org
Subject: ClamAV 0.103.2 security patch release
Date: Thu, 8 Apr 2021 10:11:51 +0200
Package: clamav
Version: 0.103.0+dfsg-3.1

ClamAV 0.103.2 is a security patch release with the following fixes:

CVE-2021-1252 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1252>: 
Fix for Excel XLM parser infinite loop. Affects 0.103.0 and 0.103.1 only.

CVE-2021-1404 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1404>: 
Fix for PDF parser buffer over-read; possible crash. Affects 0.103.0 and 0.103.1 only.

CVE-2021-1405 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1405>: 
Fix for mail parser NULL-dereference crash. Affects 0.103.1 and prior.

CVE-2021-1386 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1386>:
Fix for UnRAR DLL load privilege escalation. Affects 0.103.1 and prior on Windows only.
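As an added check (not code from this report or from the ClamAV project), the function below maps an installed ClamAV version string to the CVEs listed in the announcement above, encoding the affected ranges exactly as that announcement states them; the sample version strings are constructed.

```python
"""Which of the CVEs fixed in ClamAV 0.103.2 apply to a given installed version.
Added example; the affected ranges are taken from the 0.103.2 announcement text."""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# (CVE id, first affected, last affected, Windows-only) as stated in the announcement.
# "Affects 0.103.1 and prior" is encoded with an open lower bound of 0.0.0.
FIXED_IN_0_103_2 = [
    ("CVE-2021-1252", (0, 103, 0), (0, 103, 1), False),  # Excel XLM parser infinite loop
    ("CVE-2021-1404", (0, 103, 0), (0, 103, 1), False),  # PDF parser buffer over-read
    ("CVE-2021-1405", (0, 0, 0), (0, 103, 1), False),    # mail parser NULL dereference
    ("CVE-2021-1386", (0, 0, 0), (0, 103, 1), True),     # UnRAR DLL load, Windows only
]


def parse_version(text: str) -> Version:
    """Extract the upstream engine version from strings such as the first line of
    'clamscan --version' ("ClamAV 0.103.1/26130/...") or a Debian package version
    ("0.103.0+dfsg-3.1"); the Debian suffix carries the same upstream numbers."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def applicable_cves(version_text: str, windows: bool = False) -> List[str]:
    """Return the CVE ids from the 0.103.2 announcement whose stated range
    covers the given version. Windows-only issues are reported only when
    windows=True, matching the announcement's platform caveat."""
    version = parse_version(version_text)
    hits = []
    for cve, first, last, windows_only in FIXED_IN_0_103_2:
        if windows_only and not windows:
            continue
        if first <= version <= last:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample: the Debian package version this bug was reported against.
    print(applicable_cves("0.103.0+dfsg-3.1"))
```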



Added tag(s) security. Request was from Ralf Hildebrandt <Ralf.Hildebrandt@charite.de> to control@bugs.debian.org. (Thu, 08 Apr 2021 14:33:05 GMT)


Added tag(s) fixed-upstream. Request was from Ralf Hildebrandt <Ralf.Hildebrandt@charite.de> to control@bugs.debian.org. (Thu, 08 Apr 2021 14:33:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#986622; Package clamav. (Sat, 10 Apr 2021 13:21:03 GMT)


Acknowledgement sent to Matus UHLAR - fantomas <uhlar@fantomas.sk>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 10 Apr 2021 13:21:03 GMT)


Message #14 received at 986622@bugs.debian.org:

From: Matus UHLAR - fantomas <uhlar@fantomas.sk>
To: 986622@bugs.debian.org
Subject: fixes
Date: Sat, 10 Apr 2021 15:10:36 +0200
Hello,

I just wanted to note that clamav 0.103.2 fixes[1] all issues currently open
at the security tracker[2]:

CVE-2021-1252
CVE-2021-1404
CVE-2021-1405

It also makes freshclam more efficient for working with clamav mirrors, which
is desired for clamav infrastructure that has problems with older
versions[3][4][5].

[1] https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
[2] https://security-tracker.debian.org/tracker/source-package/clamav
[3] https://lists.clamav.net/pipermail/clamav-users/2021-March/010544.html
[4] https://lists.clamav.net/pipermail/clamav-users/2021-March/010578.html
[5] https://lists.clamav.net/pipermail/clamav-users/2021-April/011043.html
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Linux is like a teepee: no Windows, no Gates and an apache inside...



Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#986622; Package clamav. (Sun, 11 Apr 2021 10:48:03 GMT)


Acknowledgement sent to Damian Lukowski <debian-bugs@arcsin.de>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sun, 11 Apr 2021 10:48:03 GMT)


Message #19 received at 986622@bugs.debian.org:

From: Damian Lukowski <debian-bugs@arcsin.de>
To: 986622@bugs.debian.org
Subject: Re: ClamAV 0.103.2 security patch release
Date: Sun, 11 Apr 2021 12:38:38 +0200
> CVE-2021-1252 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1252>:
> Fix for Excel XLM parser infinite loop. Affects 0.103.0 and 0.103.1 only.

Debian's security tracker claims that stretch and buster are vulnerable. According to the clamav announcement and CVE they shouldn't be.

> CVE-2021-1405 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1405>:
> Fix for mail parser NULL-dereference crash. Affects 0.103.1 and prior.

The clamav announcement and CVE are inconsistent whether 0.102 is affected.





Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#986622; Package clamav. (Sun, 11 Apr 2021 21:21:04 GMT)


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sun, 11 Apr 2021 21:21:04 GMT)


Message #24 received at 986622@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Matus UHLAR - fantomas <uhlar@fantomas.sk>, 986622@bugs.debian.org
Subject: Re: [Pkg-clamav-devel] Bug#986622: fixes
Date: Sun, 11 Apr 2021 23:17:14 +0200
On 2021-04-10 15:10:36 [+0200], Matus UHLAR - fantomas wrote:
> Hello,
Hi,

> I just wanted to note that clamav 0.103.2 fixes[1] all issues currently open
> at security tracker[2]
> 
> CVE-2021-1252
> CVE-2021-1404
> CVE-2021-1405

For everyone wondering: yes, I am aware, but not as fast as I would like to be.
My plan is to get 103.2 into Buster after I spend the day today looking at
what should be backported and what not.

Sebastian



Added tag(s) upstream. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Mon, 12 Apr 2021 19:00:02 GMT)


Merged 986622 986790. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Mon, 12 Apr 2021 19:00:04 GMT)


Severity set to 'grave' from 'normal'. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Mon, 12 Apr 2021 19:03:04 GMT)


Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
You have taken responsibility. (Mon, 12 Apr 2021 19:51:05 GMT)


Notification sent to Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>:
Bug acknowledged by developer. (Mon, 12 Apr 2021 19:51:05 GMT)


Message #35 received at 986622-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 986622-close@bugs.debian.org
Subject: Bug#986622: fixed in clamav 0.103.2+dfsg-1
Date: Mon, 12 Apr 2021 19:48:27 +0000
Source: clamav
Source-Version: 0.103.2+dfsg-1
Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 986622@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 12 Apr 2021 21:31:08 +0200
Source: clamav
Architecture: source
Version: 0.103.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Closes: 986622
Changes:
 clamav (0.103.2+dfsg-1) unstable; urgency=medium
 .
   * Import 0.103.2
     - CVE-2021-1252 (Fix for Excel XLM parser infinite loop.)
     - CVE-2021-1404 (Fix for PDF parser buffer over-read; possible crash.)
     - CVE-2021-1405 (Fix for mail parser NULL-dereference crash.)
     - Update symbol file.
    (Closes: #986622).




Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
You have taken responsibility. (Mon, 12 Apr 2021 19:51:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 12 Apr 2021 19:51:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Apr 13 08:06:33 2021; Machine Name: bembo
