clamav: 2 RCE bugs in ClamAV 0.103 (+ 1.0.0), CVE-2023-20032/CVE-2023-20052

Related Vulnerabilities: CVE-2023-20032, CVE-2023-20052

Debian Bug report logs - #1031509

Reported by: Robert Waldner <waldner+bug@waldner.priv.at>

Date: Fri, 17 Feb 2023 14:03:01 UTC

Severity: serious

Tags: fixed-upstream, security, upstream

Merged with 1031513

Found in versions clamav/1.0.0+dfsg-6, clamav/0.103.7+dfsg-0+deb11u1

Fixed in version clamav/1.0.1+dfsg-1

Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>



Report forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#1031509; Package clamav. (Fri, 17 Feb 2023 14:03:03 GMT)


Acknowledgement sent to Robert Waldner <waldner+bug@waldner.priv.at>:
New Bug report received and forwarded. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Fri, 17 Feb 2023 14:03:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Robert Waldner <waldner+bug@waldner.priv.at>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: clamav: 2 RCE bugs in ClamAV 0.103 (+ 1.0.0), CVE-2023-20032/CVE-2023-20052
Date: Fri, 17 Feb 2023 14:54:29 +0100
Package: clamav
Version: 0.103.7+dfsg-0+deb11u1
Severity: important

Dear Maintainer,

ClamAV/Cisco have released a security advisory concerning 2 potential-RCE
bugs in ClamAV:
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

According to the security tracker, all versions currently in Debian
are vulnerable:
https://security-tracker.debian.org/tracker/CVE-2023-20032
https://security-tracker.debian.org/tracker/CVE-2023-20052

Please consider an update. Currently, ClamAV is not suitable for use in a
(quite common) email-scanning setup like with Amavis, but can still be
used (with appropriate care) directly. Thus I think Severity: important fits.

Kind regards,
Robert

-- Package-specific info:
--- configuration ---
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

--- data dir ---
total 226104
-rw-r--r-- 1 clamav clamav    293670 Feb 17 14:46 bytecode.cvd
-rw-r--r-- 1 clamav clamav  60744631 Feb 17 14:44 daily.cvd
-rw-r--r-- 1 clamav clamav        69 Feb 17 14:43 freshclam.dat
-rw-r--r-- 1 clamav clamav 170479789 Feb 17 14:46 main.cvd

-- System Information:
Debian Release: 11.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-0.deb11.4-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages clamav depends on:
ii  clamav-freshclam [clamav-data]  0.103.7+dfsg-0+deb11u1
ii  libc6                           2.31-13+deb11u5
ii  libclamav9                      0.103.7+dfsg-0+deb11u1
ii  libcurl4                        7.74.0-1.3+deb11u3
ii  libjson-c5                      0.15-2
ii  libssl1.1                       1.1.1n-0+deb11u3
ii  zlib1g                          1:1.2.11.dfsg-2+deb11u2

Versions of packages clamav recommends:
ii  clamav-base  0.103.7+dfsg-0+deb11u1

Versions of packages clamav suggests:
pn  clamav-docs   <none>
pn  libclamunrar  <none>

-- no debconf information



Merged 1031509 1031513 Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Fri, 17 Feb 2023 19:18:04 GMT)


Severity set to 'serious' from 'important' Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Fri, 17 Feb 2023 19:18:04 GMT)


Marked as found in versions clamav/1.0.0+dfsg-6. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to control@bugs.debian.org. (Fri, 17 Feb 2023 19:18:05 GMT)


Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
You have taken responsibility. (Fri, 17 Feb 2023 19:51:03 GMT)


Notification sent to Robert Waldner <waldner+bug@waldner.priv.at>:
Bug acknowledged by developer. (Fri, 17 Feb 2023 19:51:03 GMT)


Message #16 received at 1031509-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1031509-close@bugs.debian.org
Subject: Bug#1031509: fixed in clamav 1.0.1+dfsg-1
Date: Fri, 17 Feb 2023 19:49:38 +0000
Source: clamav
Source-Version: 1.0.1+dfsg-1
Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1031509@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 Feb 2023 20:29:05 +0100
Source: clamav
Architecture: source
Version: 1.0.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Closes: 1031509
Changes:
 clamav (1.0.1+dfsg-1) unstable; urgency=medium
 .
   * Import 1.0.1 (Closes: #1031509)
     - CVE-2023-20032 (Possible RCE in the HFS+ file parser).
     - CVE-2023-20052 (Possible information leak in the DMG file parser).
Checksums-Sha1:
 fec345e5820bc6ea8c8b15a41cf1234e2320ff0e 2829 clamav_1.0.1+dfsg-1.dsc
 fe18edded75204a2b4b4ec0c73c22da14e5235c2 14132600 clamav_1.0.1+dfsg.orig.tar.xz
 2271488d1efe0e9dfb402630c520c36a46af34a8 222848 clamav_1.0.1+dfsg-1.debian.tar.xz
Checksums-Sha256:
 6263eb81b8cdabc605bac140742ba31907a4025a3a4d65ea82e4992aba5486fc 2829 clamav_1.0.1+dfsg-1.dsc
 0f19b43ec26395bb921a03a77a17138b92fde4ddbcee33804da7075e5d709c90 14132600 clamav_1.0.1+dfsg.orig.tar.xz
 4aa0a1529b35cfd795905815ac959b9d717054e35968dfcf1a88ed0cef2d787d 222848 clamav_1.0.1+dfsg-1.debian.tar.xz
Files:
 b3f25cf5947cc8d612a5bf677bfae921 2829 utils optional clamav_1.0.1+dfsg-1.dsc
 5dae77cb4de79e4ead9275f75c90bd20 14132600 utils optional clamav_1.0.1+dfsg.orig.tar.xz
 5d68b02434a4dcb01ed33089f5cdecf1 222848 utils optional clamav_1.0.1+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
[PGP signature data omitted]
-----END PGP SIGNATURE-----




Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
You have taken responsibility. (Fri, 17 Feb 2023 19:51:04 GMT)


Notification sent to Joost van Baal-Ilić <joostvb+debian-bugs@uvt.nl>:
Bug acknowledged by developer. (Fri, 17 Feb 2023 19:51:04 GMT)


Added tag(s) fixed-upstream, upstream, and security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Feb 2023 20:09:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#1031509; Package clamav. (Sat, 18 Feb 2023 09:03:03 GMT)


Acknowledgement sent to Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 18 Feb 2023 09:03:03 GMT)


Message #27 received at 1031509@bugs.debian.org:

From: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>
To: "1031509@bugs.debian.org" <1031509@bugs.debian.org>
Subject: clamav: 2 RCE bugs in ClamAV
Date: Sat, 18 Feb 2023 08:58:57 +0000
Dear Maintainer

Could you confirm when the Debian Bullseye updates are due to be uploaded?

Thanks!

Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#1031509; Package clamav. (Sat, 18 Feb 2023 09:03:04 GMT)


Acknowledgement sent to Jochen Pawletta <jochen@hin.de>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 18 Feb 2023 09:03:04 GMT)


Message #32 received at 1031509@bugs.debian.org:

From: Jochen Pawletta <jochen@hin.de>
To: 1031509@bugs.debian.org
Subject: clamav: 2 RCE bugs in ClamAV 0.103 (+ 1.0.0), CVE-2023-20032/CVE-2023-20052
Date: Sat, 18 Feb 2023 09:50:04 +0100
Hello

Please also fix stable Release.


Jochen

-- 
ZX81 - C64 - Amiga - x86-Linux - iMac (MacOS)



Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#1031509; Package clamav. (Sat, 18 Feb 2023 10:06:03 GMT)


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 18 Feb 2023 10:06:03 GMT)


Message #37 received at 1031509@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>, Jochen Pawletta <jochen@hin.de>
Cc: 1031509@bugs.debian.org
Subject: Re: [Pkg-clamav-devel] Bug#1031509: clamav: 2 RCE bugs in ClamAV
Date: Sat, 18 Feb 2023 11:03:39 +0100
On 2023-02-18 08:58:57 [+0000], Laura Smith wrote:
> Could you confirm when the Debian Bullseye updates are due to be uploaded?

	https://bugs.debian.org/1031536

> Thanks!

Sebastian





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Feb 18 13:06:37 2023; Machine Name: buxtehude
