clamav: CVE-2018-15378: denial-of-service in MEW unpacking feature

Related Vulnerabilities: CVE-2018-15378  

Debian Bug report logs - #910430
Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 6 Oct 2018 07:21:02 UTC

Severity: important

Tags: security, upstream

Found in versions clamav/0.100.1+dfsg-1, clamav/0.100.1+dfsg-0+deb9u1, clamav/0.98.3+dfsg-1

Fixed in versions clamav/0.100.2+dfsg-1, clamav/0.100.2+dfsg-0+deb9u1

Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#910430; Package src:clamav. (Sat, 06 Oct 2018 07:21:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 06 Oct 2018 07:21:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: clamav: CVE-2018-15378: denial-of-service in MEW unpacking feature
Date: Sat, 06 Oct 2018 09:16:39 +0200
Source: clamav
Version: 0.100.1+dfsg-1
Severity: grave
Tags: security upstream
Control: found -1 0.100.1+dfsg-0+deb9u1

Hi,

The following vulnerability was published for clamav.

CVE-2018-15378[0]:
denial-of-service in MEW unpacking feature

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-15378
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15378
[1] https://blog.clamav.net/2018/10/clamav-01002-has-been-released.html
[2] http://lists.clamav.net/pipermail/clamav-announce/2018/000033.html

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Marked as found in versions clamav/0.100.1+dfsg-0+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Sat, 06 Oct 2018 07:21:05 GMT).


Severity set to 'important' from 'grave' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 06 Oct 2018 07:33:03 GMT).


Marked as found in versions clamav/0.98.3+dfsg-1. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Tue, 09 Oct 2018 22:21:02 GMT).


Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
You have taken responsibility. (Tue, 09 Oct 2018 22:51:13 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 09 Oct 2018 22:51:14 GMT).


Message #16 received at 910430-close@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: 910430-close@bugs.debian.org
Subject: Bug#910430: fixed in clamav 0.100.2+dfsg-1
Date: Tue, 09 Oct 2018 22:48:58 +0000
Source: clamav
Source-Version: 0.100.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 910430@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 10 Oct 2018 00:15:02 +0200
Source: clamav
Binary: clamav-base clamav-docs clamav libclamav-dev libclamav7 clamav-daemon clamdscan clamav-testfiles clamav-freshclam clamav-milter
Architecture: source
Version: 0.100.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Description:
 clamav     - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 clamdscan  - anti-virus utility for Unix - scanner client
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav7 - anti-virus utility for Unix - library
Closes: 905044 910430
Changes:
 clamav (0.100.2+dfsg-1) unstable; urgency=medium
 .
   * Import new upstream
     - Bump symbol version due to new version.
     - CVE-2018-15378 (Closes: #910430).
   * add NEWS.md and README.md from upstream
   * Fix infinite loop in dpkg-reconfigure, Patch by Santiago Ruano Rincón
     (Closes: #905044).




Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
You have taken responsibility. (Sat, 20 Oct 2018 11:03:17 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 20 Oct 2018 11:03:18 GMT).


Message #21 received at 910430-close@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: 910430-close@bugs.debian.org
Subject: Bug#910430: fixed in clamav 0.100.2+dfsg-0+deb9u1
Date: Sat, 20 Oct 2018 11:02:07 +0000
Source: clamav
Source-Version: 0.100.2+dfsg-0+deb9u1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 910430@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 12 Oct 2018 23:44:44 +0200
Source: clamav
Binary: clamav-base clamav-docs clamav libclamav-dev libclamav7 clamav-daemon clamdscan clamav-testfiles clamav-freshclam clamav-milter
Architecture: source
Version: 0.100.2+dfsg-0+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Description:
 clamav     - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 clamdscan  - anti-virus utility for Unix - scanner client
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav7 - anti-virus utility for Unix - library
Closes: 905044 910430
Changes:
 clamav (0.100.2+dfsg-0+deb9u1) stretch; urgency=medium
 .
   * Import new upstream
     - Bump symbol version due to new version.
     - CVE-2018-15378 (Closes: #910430).
   * add NEWS.md and README.md from upstream
   * Fix infinite loop in dpkg-reconfigure, Patch by Santiago Ruano Rincón
     (Closes: #905044).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 18 Nov 2018 07:26:41 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:07:26 2019; Machine Name: beach
