Debian Bug report logs -
#1031509
clamav: 2 RCE bugs in ClamAV 0.103 (+ 1.0.0), CVE-2023-20032/CVE-2023-20052
Reported by: Robert Waldner <waldner+bug@waldner.priv.at>
Date: Fri, 17 Feb 2023 14:03:01 UTC
Severity: serious
Tags: fixed-upstream, security, upstream
Merged with 1031513
Found in versions clamav/1.0.0+dfsg-6, clamav/0.103.7+dfsg-0+deb11u1
Fixed in version clamav/1.0.1+dfsg-1
Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
:
Bug#1031509
; Package clamav
.
(Fri, 17 Feb 2023 14:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Robert Waldner <waldner+bug@waldner.priv.at>
:
New Bug report received and forwarded. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
.
(Fri, 17 Feb 2023 14:03:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: clamav
Version: 0.103.7+dfsg-0+deb11u1
Severity: important
Dear Maintainer,
ClamAV/Cisco have released a security advisory concerning 2 potential-RCE
bugs in ClamAV:
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
According to the the security tracker, all versions currently in Debian
are vulnerable:
https://security-tracker.debian.org/tracker/CVE-2023-20032
https://security-tracker.debian.org/tracker/CVE-2023-20052
Please consider an update. Currently, ClamAV is not suitable for use in a
(quite common) email-scanning setup like with Amavis, but can still be
used (with appropriate care) directly. Thus I think Severity: important fits.
Kind regards,
Robert
-- Package-specific info:
--- configuration ---
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
--- data dir ---
total 226104
-rw-r--r-- 1 clamav clamav 293670 Feb 17 14:46 bytecode.cvd
-rw-r--r-- 1 clamav clamav 60744631 Feb 17 14:44 daily.cvd
-rw-r--r-- 1 clamav clamav 69 Feb 17 14:43 freshclam.dat
-rw-r--r-- 1 clamav clamav 170479789 Feb 17 14:46 main.cvd
-- System Information:
Debian Release: 11.6
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.18.0-0.deb11.4-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages clamav depends on:
ii clamav-freshclam [clamav-data] 0.103.7+dfsg-0+deb11u1
ii libc6 2.31-13+deb11u5
ii libclamav9 0.103.7+dfsg-0+deb11u1
ii libcurl4 7.74.0-1.3+deb11u3
ii libjson-c5 0.15-2
ii libssl1.1 1.1.1n-0+deb11u3
ii zlib1g 1:1.2.11.dfsg-2+deb11u2
Versions of packages clamav recommends:
ii clamav-base 0.103.7+dfsg-0+deb11u1
Versions of packages clamav suggests:
pn clamav-docs <none>
pn libclamunrar <none>
-- no debconf information
Merged 1031509 1031513
Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
to control@bugs.debian.org
.
(Fri, 17 Feb 2023 19:18:04 GMT) (full text, mbox, link).
Severity set to 'serious' from 'important'
Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
to control@bugs.debian.org
.
(Fri, 17 Feb 2023 19:18:04 GMT) (full text, mbox, link).
Marked as found in versions clamav/1.0.0+dfsg-6.
Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
to control@bugs.debian.org
.
(Fri, 17 Feb 2023 19:18:05 GMT) (full text, mbox, link).
Reply sent
to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
:
You have taken responsibility.
(Fri, 17 Feb 2023 19:51:03 GMT) (full text, mbox, link).
Notification sent
to Robert Waldner <waldner+bug@waldner.priv.at>
:
Bug acknowledged by developer.
(Fri, 17 Feb 2023 19:51:03 GMT) (full text, mbox, link).
Message #16 received at 1031509-close@bugs.debian.org (full text, mbox, reply):
Source: clamav
Source-Version: 1.0.1+dfsg-1
Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1031509@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated clamav package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 17 Feb 2023 20:29:05 +0100
Source: clamav
Architecture: source
Version: 1.0.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Closes: 1031509
Changes:
clamav (1.0.1+dfsg-1) unstable; urgency=medium
.
* Import 1.0.1 (Closes: #1031509)
- CVE-2023-20032 (Possible RCE in the HFS+ file parser).
- CVE-2023-20052 (Possible information leak in the DMG file parser).
Checksums-Sha1:
fec345e5820bc6ea8c8b15a41cf1234e2320ff0e 2829 clamav_1.0.1+dfsg-1.dsc
fe18edded75204a2b4b4ec0c73c22da14e5235c2 14132600 clamav_1.0.1+dfsg.orig.tar.xz
2271488d1efe0e9dfb402630c520c36a46af34a8 222848 clamav_1.0.1+dfsg-1.debian.tar.xz
Checksums-Sha256:
6263eb81b8cdabc605bac140742ba31907a4025a3a4d65ea82e4992aba5486fc 2829 clamav_1.0.1+dfsg-1.dsc
0f19b43ec26395bb921a03a77a17138b92fde4ddbcee33804da7075e5d709c90 14132600 clamav_1.0.1+dfsg.orig.tar.xz
4aa0a1529b35cfd795905815ac959b9d717054e35968dfcf1a88ed0cef2d787d 222848 clamav_1.0.1+dfsg-1.debian.tar.xz
Files:
b3f25cf5947cc8d612a5bf677bfae921 2829 utils optional clamav_1.0.1+dfsg-1.dsc
5dae77cb4de79e4ead9275f75c90bd20 14132600 utils optional clamav_1.0.1+dfsg.orig.tar.xz
5d68b02434a4dcb01ed33089f5cdecf1 222848 utils optional clamav_1.0.1+dfsg-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmPv1d0ACgkQBWQfF1cS
+lv1OQv+PZ78Ke84bICNkMqTqVyN1RAxtF8v6u58hbDwnqjhp1cD2PuHuX67nSMx
WTZgTH4IqzMGfPnPQR7HPXiSFmd0GQt/2LqNy/WKr4C3yeHG0I4I2nHOBxyQRbG1
YZ7WAz8RXbU9gJWcEFZTQZBwcYy+D4ts1Sm67XbIz8WytIaXbl4lM/QCEMuX7Mqn
qyL+utgOW8V575QJo7BwYHIgyvOAWkHqprCGTgX8/PttxzdDxm+jwdH0E/qROCQM
2MpWuD7V87rzyQJZ3amYVXpuCRfaECoWiNb8LEZznMlx10+HzYtJjuJeC1N84JSm
+YyspwtrqiBBUWYVsx/RSp8emfyq7qy8RU1fmR2nEqVtQqwsXstWdZvpO69fBRmV
A+PX9Lp2i8WsX4378NgcLrtbAmxvMHjFXRZRJo76IaXKNZGb/DBgwgE9es0gpPbG
j5D1hW8KwT7WJ55SmgE7yPw6s+i4KLvgdSxviSP/lItdbfgNDpqHGwpVXCuVNFoz
VDYQwsDt
=0Fl8
-----END PGP SIGNATURE-----
Reply sent
to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
:
You have taken responsibility.
(Fri, 17 Feb 2023 19:51:04 GMT) (full text, mbox, link).
Notification sent
to Joost van Baal-Ilić <joostvb+debian-bugs@uvt.nl>
:
Bug acknowledged by developer.
(Fri, 17 Feb 2023 19:51:04 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream, upstream, and security.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Fri, 17 Feb 2023 20:09:02 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
:
Bug#1031509
; Package clamav
.
(Sat, 18 Feb 2023 09:03:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>
:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
.
(Sat, 18 Feb 2023 09:03:03 GMT) (full text, mbox, link).
Message #27 received at 1031509@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Dear Maintainer
Could you confirm when the Debian Bullseye updates are due to be uploaded ?
Thanks !
[Message part 2 (text/html, inline)]
Information forwarded
to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
:
Bug#1031509
; Package clamav
.
(Sat, 18 Feb 2023 09:03:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Jochen Pawletta <jochen@hin.de>
:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
.
(Sat, 18 Feb 2023 09:03:04 GMT) (full text, mbox, link).
Message #32 received at 1031509@bugs.debian.org (full text, mbox, reply):
Helllo
Please also fix stable Release.
Jochen
--
ZX81 - C64 - Amiga - x86-Linux - iMac (MacOS)
Information forwarded
to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
:
Bug#1031509
; Package clamav
.
(Sat, 18 Feb 2023 10:06:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
.
(Sat, 18 Feb 2023 10:06:03 GMT) (full text, mbox, link).
Message #37 received at 1031509@bugs.debian.org (full text, mbox, reply):
On 2023-02-18 08:58:57 [+0000], Laura Smith wrote:
> Could you confirm when the Debian Bullseye updates are due to be uploaded ?
https://bugs.debian.org/1031536
> Thanks !
Sebastian
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Feb 18 13:06:37 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.