clamav: Security release 0.99.3 available (CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380)

Debian Bug report logs - #888484

Reported by: Rob N <rob@eatenbyagrue.org>

Date: Fri, 26 Jan 2018 09:39:02 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in versions clamav/0.99.2+dfsg-0+deb8u2, clamav/0.98.6+dfsg-1

Fixed in versions clamav/0.99.3~beta2+dfsg-1, clamav/0.99.2+dfsg-6+deb9u1, clamav/0.99.2+dfsg-0+deb8u3

Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Bug is archived. No further changes may be made.
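Added example (not part of this bug report, and not Debian's or ClamAV's own tooling): a small Python implementation of the Debian version-comparison rules (Debian Policy 5.6.12), used to check an installed clamav version against the fixed versions listed in this bug's header. The assignment of the fixed versions to the suite names jessie, stretch and sid, and the sample installed versions, are assumptions made for the example; on a real host the installed version would come from `dpkg-query -W -f='${Version}' clamav`. The same ordering rules show why `0.99.3~beta2` sorts below `0.99.3`, which is the source of the confusion in this thread about whether the beta in testing/unstable already carried the fixes.

```python
import re

# Versions taken from this bug's header (found in / fixed in). Which suite each
# fixed version belongs to is an assumption made for this example.
FIXED_VERSIONS = {
    "jessie": "0.99.2+dfsg-0+deb8u3",
    "stretch": "0.99.2+dfsg-6+deb9u1",
    "sid": "0.99.3~beta2+dfsg-1",
}
FOUND_VERSIONS = ("0.99.2+dfsg-0+deb8u2", "0.98.6+dfsg-1")


def _order(c):
    """Sort weight of one character per Debian Policy 5.6.12: '~' sorts before
    everything (even end of string), then end of string, then letters, then
    every other non-digit character."""
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _compare_fragment(a, b):
    """Compare an upstream_version or debian_revision string. Both strings are
    consumed as alternating non-digit and digit runs; non-digit runs compare
    character by character with _order(), digit runs compare numerically."""
    while a or b:
        na = re.match(r"[^0-9]*", a).group(0)
        nb = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            d = _order(na[i:i + 1]) - _order(nb[i:i + 1])
            if d:
                return -1 if d < 0 else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream_version[-debian_revision]' into its parts."""
    epoch = 0
    if ":" in version:
        head, version = version.split(":", 1)
        epoch = int(head)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no hyphen at all: the whole string is the upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _compare_fragment(ua, ub) or _compare_fragment(ra, rb)


def is_fixed(installed, suite):
    """True when the installed version is at or above the fixed version for the suite."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


def assess(installed, suite):
    """One-line verdict, in the shape a host inventory check would log."""
    state = "fixed" if is_fixed(installed, suite) else "VULNERABLE"
    return f"clamav {installed} on {suite}: {state} (fixed in {FIXED_VERSIONS[suite]})"


if __name__ == "__main__":
    # Constructed sample hosts: the two 'found in' versions on jessie, and a
    # stretch host that has applied the deb9u1 update.
    for ver, suite in [(FOUND_VERSIONS[0], "jessie"), (FOUND_VERSIONS[1], "jessie"),
                       ("0.99.2+dfsg-6+deb9u1", "stretch")]:
        print(assess(ver, suite))
    # The tilde rule: the beta sorts below the final release even though the
    # beta already carried the fixes, so version strings alone do not tell you.
    print(compare_versions("0.99.3~beta2+dfsg-1", "0.99.3"))
```

Run it directly to print a verdict for the constructed sample hosts. On a Debian system `dpkg --compare-versions` implements the same ordering and is what a production script should call; the point of writing it out here is to make the `~` and epoch rules visible, since a naive string or float comparison gets both wrong.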



Report forwarded to debian-bugs-dist@lists.debian.org, rob@eatenbyagrue.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Fri, 26 Jan 2018 09:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Rob N <rob@eatenbyagrue.org>:
New Bug report received and forwarded. Copy sent to rob@eatenbyagrue.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Fri, 26 Jan 2018 09:39:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Rob N <rob@eatenbyagrue.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: clamav: Security release 0.99.3 available
Date: Fri, 26 Jan 2018 09:35:25 +0000
Package: clamav
Version: 0.99.2+dfsg-0+deb8u2
Severity: important

0.99.3 has been released, see http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html.

This fixed a number of overflow bugs, each of which has assigned CVE numbers
due to the potential for denial of service.

We have started seeing unexpected clamd crashes on a high-traffic mail
system today, though I've been unable to isolate a test case. It seems like
too much of a coincidence that these crashes start happening the day after a
security release was announced. We've implemented mitigations but an updated
package would be even better.

Cheers!
Rob N.


-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamav.log"
StatsHostID = "auto"
StatsEnabled disabled
StatsPEDisabled = "yes"
StatsTimeout = "10"
LogFileUnlock disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
PidFile disabled
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "5"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "3600"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
AllowSupplementaryGroups disabled
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "60000"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
PartitionIntersection disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
OLE2BlockMacros disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
ForceToDisk disabled
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "10000"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
MaxRecHWP3 = "16"
PCREMatchLimit = "10000"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
ScanOnAccess disabled
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
OnAccessExcludeUID disabled
OnAccessMaxFileSize = "5242880"
OnAccessDisableDDD disabled
OnAccessPrevention disabled
OnAccessExtraScanning disabled
DevACOnly disabled
DevACDepth disabled
DevPerformance disabled
DevLiblog disabled
DisableCertCheck disabled

Config file: freshclam.conf
---------------------------
StatsHostID disabled
StatsEnabled disabled
StatsTimeout disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
PidFile disabled
DatabaseDirectory = "/var/lib/clamav"
Foreground disabled
Debug disabled
AllowSupplementaryGroups disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
PrivateMirror disabled
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
DatabaseCustomURL disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamav/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout = "30"
SubmitDetectionStats disabled
DetectionStatsCountry disabled
DetectionStatsHostID disabled
SafeBrowsing disabled
Bytecode = "yes"

clamav-milter.conf not found

Software settings
-----------------
Version: 0.99.2
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 LIBXML2 PCRE ICONV JSON RAR JIT

Database information
--------------------
Database directory: /var/lib/clamav
bytecode.cld: version 283, sigs: 53, built on Thu Jun 23 15:01:37 2016
daily.cld: version 22385, sigs: 730021, built on Tue Oct 18 05:56:58 2016
main.cvd: version 57, sigs: 4218790, built on Wed Mar 16 23:17:06 2016
Total number of signatures: 4948864

Platform information
--------------------
uname: Linux 4.9.37-fm64 #1 SMP Fri Jul 14 10:59:57 UTC 2017 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
Full OS version: Debian GNU/Linux 8.8 (jessie)
zlib version: 1.2.8 (1.2.8), compile flags: a9
Triple: x86_64-pc-linux-gnu
CPU: corei7, Little-endian
platform id: 0x0a2152520804090201040902

Build information
-----------------
GNU C: 4.9.2 (4.9.2)
GNU C++: 4.9.2 (4.9.2)
CPPFLAGS: -D_FORTIFY_SOURCE=2
CFLAGS: -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64 -fno-strict-aliasing  -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
CXXFLAGS: 
LDFLAGS: -fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--includedir=/usr/include' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' '--libexecdir=/usr/lib/clamav' '--disable-maintainer-mode' '--disable-dependency-tracking' 'CFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CXXFLAGS=-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wall -D_FILE_OFFSET_BITS=64' 'LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now -Wl,--as-needed' '--with-dbdir=/var/lib/clamav' '--sysconfdir=/etc/clamav' '--disable-clamav' '--disable-unrar' '--enable-milter' '--enable-dns-fix' '--with-libjson' '--with-gnu-ld' '-with-system-llvm=/usr/bin/llvm-config' '--with-llvm-linking=dynamic' '--with-systemdsystemunitdir=/lib/systemd/system' 'build_alias=x86_64-linux-gnu'
sizeof(void*) = 8
Engine flevel: 82, dconf: 82

--- data dir ---
total 154708
-rw-r--r-- 1 sshd clamav    446464 Jun 23  2016 bytecode.cld
-rw-r--r-- 1 sshd clamav  48823808 Oct 18  2016 daily.cld
-rw-r--r-- 1 sshd clamav 109143933 Apr  8  2016 main.cvd
-rw------- 1 sshd clamav       936 Oct 18  2016 mirrors.dat

-- System Information:
Debian Release: 8.8
  APT prefers oldstable
  APT policy: (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.37-fm64 (SMP w/16 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Init: sysvinit (via /sbin/init)

Versions of packages clamav depends on:
ii  clamav-freshclam [clamav-data]  0.99.2+dfsg-0+deb8u2
ii  libc6                           2.19-18+deb8u9
ii  libclamav7                      0.99.2+dfsg-0+deb8u2
ii  libcurl3                        7.38.0-4+deb8u8
ii  libssl1.0.0                     1.0.1t-1+deb8u6
ii  zlib1g                          1:1.2.8.dfsg-2+b1

Versions of packages clamav recommends:
ii  clamav-base  0.99.2+dfsg-0+deb8u2

Versions of packages clamav suggests:
pn  clamav-docs  <none>

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Fri, 26 Jan 2018 11:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Bernhard Schmidt <berni@debian.org>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Fri, 26 Jan 2018 11:36:03 GMT) (full text, mbox, link).


Message #10 received at 888484@bugs.debian.org (full text, mbox, reply):

From: Bernhard Schmidt <berni@debian.org>
To: Rob N <rob@eatenbyagrue.org>, 888484@bugs.debian.org
Subject: Re: Bug#888484: clamav: Security release 0.99.3 available
Date: Fri, 26 Jan 2018 12:32:38 +0100
Control: tags -1 security
Control: severity -1 grave

On Fri, Jan 26, 2018 at 09:35:25AM +0000, Rob N wrote:
> Package: clamav
> Version: 0.99.2+dfsg-0+deb8u2
> Severity: important
> 
> 0.99.3 has been released, see http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html.
> 
> This fixed a number of overflow bugs, each of which has assigned CVE numbers
> due to the potential for denial of service.
> 
> We have started seeing unexpected clamd crashes on a high-traffic mail
> system today, though I've been unable to isolate a test case. It seems like
> too much of a coincidence that these crashes start happening the day after a
> security release was announced. We've implemented mitigations but an updated
> package would be even better.

Indeed. There are tons of reports of ClamAV installations suddenly
getting wedged, see
http://lists.clamav.net/pipermail/clamav-users/2018-January/thread.html#5658
. It is a bit unclear whether 0.99.3 does fix this issue (which seems to
be caused by a recent signature update), but other news sites claim that
at least CVE-2017-12376 is getting actively exploited.

Bernhard



Added tag(s) security. Request was from Bernhard Schmidt <berni@debian.org> to 888484-submit@bugs.debian.org. (Fri, 26 Jan 2018 11:36:03 GMT) (full text, mbox, link).


Severity set to 'grave' from 'important' Request was from Bernhard Schmidt <berni@debian.org> to 888484-submit@bugs.debian.org. (Fri, 26 Jan 2018 11:36:04 GMT) (full text, mbox, link).


Marked as found in versions clamav/0.98.6+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Jan 2018 12:15:03 GMT) (full text, mbox, link).


Changed Bug title to 'clamav: Security release 0.99.3 available (CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12379 CVE-2017-12380)' from 'clamav: Security release 0.99.3 available'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Jan 2018 12:15:04 GMT) (full text, mbox, link).


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Jan 2018 12:21:03 GMT) (full text, mbox, link).


Changed Bug title to 'clamav: Security release 0.99.3 available (CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12380)' from 'clamav: Security release 0.99.3 available (CVE-2017-12374 CVE-2017-12375 CVE-2017-12376 CVE-2017-12377 CVE-2017-12378 CVE-2017-12379 CVE-2017-12379 CVE-2017-12380)'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Jan 2018 13:03:02 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 26 Jan 2018 13:03:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Sat, 27 Jan 2018 00:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 27 Jan 2018 00:12:03 GMT) (full text, mbox, link).


Message #29 received at 888484@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Rob N <rob@eatenbyagrue.org>, 888484@bugs.debian.org
Cc: Bernhard Schmidt <berni@debian.org>
Subject: Re: Bug#888484: clamav: Security release 0.99.3 available
Date: Sat, 27 Jan 2018 01:08:39 +0100
control: fixed -1  0.99.3~beta2+dfsg-1

On 2018-01-26 09:35:25 [+0000], Rob N wrote:
> Package: clamav
> Version: 0.99.2+dfsg-0+deb8u2
> Severity: important
> 
> 0.99.3 has been released, see http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html.
> 
> This fixed a number of overflow bugs, each of which has assigned CVE numbers
> due to the potential for denial of service.
> 
> We have started seeing unexpected clamd crashes on a high-traffic mail
> system today, though I've been unable to isolate a test case. It seems like
> too much of a coincidence that these crashes start happening the day after a
> security release was announced. We've implemented mitigations but an updated
> package would be even better.

I *think* the crashes you observed might be due to FD desc issue. This
was fixed in Stretch by chance but not in Jessie. However the remaining
CVEs were not addressed yet and I'm looking into it…

[0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

> Cheers!
> Rob N.

Sebastian



Marked as fixed in versions clamav/0.99.3~beta2+dfsg-1. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to 888484-submit@bugs.debian.org. (Sat, 27 Jan 2018 00:12:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Sat, 27 Jan 2018 01:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Rob N ★ <rob@eatenbyagrue.org>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 27 Jan 2018 01:30:03 GMT) (full text, mbox, link).


Message #36 received at 888484@bugs.debian.org (full text, mbox, reply):

From: Rob N ★ <rob@eatenbyagrue.org>
To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>, 888484@bugs.debian.org
Cc: Bernhard Schmidt <berni@debian.org>
Subject: Re: Bug#888484: clamav: Security release 0.99.3 available
Date: Sat, 27 Jan 2018 12:27:48 +1100
On Sat, Jan 27, 2018, at 11:08 AM, Sebastian Andrzej Siewior wrote:
> I *think* the crashes you observed might be due to FD desc issue. This
> was fixed in Stretch by chance but not in Jessie. However the remaining
> CVEs were not addressed yet and I'm looking into it…

Yes, I found this too after reviewing discussion on clamav-users. I've
been running the latest daily.cvd on a test server this morning without
issue, which is a good enough solution for me at the moment.
I will of course be watching for updated packages, but it's definitely
no longer urgent.
Thank you all for the pointers; I appreciate the assist :)

Rob N.

Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Sat, 27 Jan 2018 02:12:06 GMT) (full text, mbox, link).


Acknowledgement sent to Bernhard Schmidt <berni@birkenwald.de>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 27 Jan 2018 02:12:06 GMT) (full text, mbox, link).


Message #41 received at 888484@bugs.debian.org (full text, mbox, reply):

From: Bernhard Schmidt <berni@birkenwald.de>
To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Cc: Rob N <rob@eatenbyagrue.org>, 888484@bugs.debian.org, Bernhard Schmidt <berni@debian.org>
Subject: Re: Bug#888484: clamav: Security release 0.99.3 available
Date: Sat, 27 Jan 2018 03:08:27 +0100
Control: unfixed 888484 0.99.3~beta2+dfsg-1
Control: fixed 888511 0.99.3~beta2+dfsg-1

Hi 

>> 
>> We have started seeing unexpected clamd crashes on a high-traffic mail
>> system today, though I've been unable to isolate a test case. It seems like
>> too much of a coincidence that these crashes start happening the day after a
>> security release was announced. We've implemented mitigations but an updated
>> package would be even better.
> 
> I *think* the crashes you observed might be due to FD desc issue. This
> was fixed in Stretch by chance but not in Jessie. However the remaining
> CVEs were not addressed yet and I'm looking into it…
> 
> [0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

Indeed. There is a separate Bug#888511 for that, I have migrated the fixed Version above to avoid confusion.

Are you sure about the Stretch thing? Stretch contains 0.99.2 which should be affected by this bug. But I’m not 100% sure, as all my high traffic mail gateways are still running Jessie.

According to reports 0.99.3~beta2 was indeed not affected by the signature bug, so Buster/Sid were fine. What makes things even more confusing is that 0.99.3 does not contain this fix, because 0.99.3 is 0.99.2+security fixes, while 0.99.3~beta was a development tree that is now called 0.100 :-(

http://blog.clamav.net/2018/01/clamav-version-number-adjustment.html

Upstream announcement suggests you cannot do a clean switch from 0.99.3~beta to 0.99.3

As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, you will need to completely uninstall it and do a fresh install with the production version of 0.99.3 as there are significant code differences


Bernhard

No longer marked as fixed in versions clamav/0.99.3~beta2+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 27 Jan 2018 10:21:03 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Sat, 27 Jan 2018 14:12:04 GMT) (full text, mbox, link).


Acknowledgement sent to Scott Kitterman <debian@kitterman.com>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 27 Jan 2018 14:12:04 GMT) (full text, mbox, link).


Message #48 received at 888484@bugs.debian.org (full text, mbox, reply):

From: Scott Kitterman <debian@kitterman.com>
To: Debian Bug Tracking System <control@bugs.debian.org>,888484@bugs.debian.org
Subject: Re: [Pkg-clamav-devel] Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available
Date: Sat, 27 Jan 2018 14:05:59 +0000
fixed 888484 0.99.3~beta2+dfsg-1

Everyone:

Please leave the status of this bug to the package maintainers.  We've checked and all the security issues in the new 0.99.3 release were previously addressed in the beta that's in testing/unstable.

If you think this is incorrect, provide specific information about why (i.e. point to the code).  Don't change the status of the bug.  You aren't helping.

Scott K

On January 27, 2018 10:19:15 AM UTC, Salvatore Bonaccorso <carnil@debian.org> wrote:
>notfixed 888484 0.99.3~beta2+dfsg-1
>thanks
>
>Assuming the following was the intention:
>
>On Sat, Jan 27, 2018 at 02:12:08AM +0000, Debian Bug Tracking System
>wrote:
>> Processing control commands:
>> 
>> > unfixed 888484 0.99.3~beta2+dfsg-1
>> Unknown command or malformed arguments to command.
>
>_______________________________________________
>Pkg-clamav-devel mailing list
>Pkg-clamav-devel@lists.alioth.debian.org
>http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel



Marked as fixed in versions clamav/0.99.3~beta2+dfsg-1. Request was from Scott Kitterman <debian@kitterman.com> to control@bugs.debian.org. (Sat, 27 Jan 2018 14:12:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Sat, 27 Jan 2018 14:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 27 Jan 2018 14:33:04 GMT) (full text, mbox, link).


Message #55 received at 888484@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Scott Kitterman <debian@kitterman.com>, 888484@bugs.debian.org
Subject: Re: Bug#888484: [Pkg-clamav-devel] Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available
Date: Sat, 27 Jan 2018 15:30:45 +0100
Hi Scott,

On Sat, Jan 27, 2018 at 02:05:59PM +0000, Scott Kitterman wrote:
> fixed 888484 0.99.3~beta2+dfsg-1
> 
> Everyone:
> 
> Please leave the status of this bug to the package maintainers.
> We've checked and all the security issues in the new 0.99.3 release
> were previously addressed in the beta that's in testing/unstable.
> 
> If you think this is incorrect, provide specific information about
> why (i.e. point to the code).  Don't change the status of the bug.
> You aren't helping.

This though was not clear at all from
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#29 where the
bug was marked fixed in 0.99.3~beta2+dfsg-1, where Sebastian wrote:

> I *think* the crashes you observed might be due to FD desc issue. This
> was fixed in Stretch by chance but not in Jessie. However the remaining
> CVEs were not addressed yet and I'm looking into it…
> 
> [0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

So "the remaining CVEs were not addressed yet" part.

I take your last email as confirmation that they indeed *are* fixed in
0.99.3~beta2+dfsg-1 and have updated the security-tracker information
as such.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Sat, 27 Jan 2018 15:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Scott Kitterman <debian@kitterman.com>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 27 Jan 2018 15:15:04 GMT) (full text, mbox, link).


Message #60 received at 888484@bugs.debian.org (full text, mbox, reply):

From: Scott Kitterman <debian@kitterman.com>
To: Salvatore Bonaccorso <carnil@debian.org>,888484@bugs.debian.org
Subject: Re: Bug#888484: [Pkg-clamav-devel] Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available
Date: Sat, 27 Jan 2018 15:12:31 +0000
On January 27, 2018 2:30:45 PM UTC, Salvatore Bonaccorso <carnil@debian.org> wrote:
>Hi Scott,
>
>On Sat, Jan 27, 2018 at 02:05:59PM +0000, Scott Kitterman wrote:
>> fixed 888484 0.99.3~beta2+dfsg-1
>> 
>> Everyone:
>> 
>> Please leave the status of this bug to the package maintainers.
>> We've checked and all the security issues in the new 0.99.3 release
>> were previously addressed in the beta that's in testing/unstable.
>> 
>> If you think this is incorrect, provide specific information about
>> why (i.e. point to the code).  Don't change the status of the bug.
>> You aren't helping.
>
>This though was not clear at all from
>https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#29 where the
>bug was marked fixed in 0.99.3~beta2+dfsg-1, where Sebastian wrote:
>
>> I *think* the crashes you observed might be due to FD desc issue. This
>> was fixed in Stretch by chance but not in Jessie. However the remaining
>> CVEs were not addressed yet and I'm looking into it…
>> 
>> [0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html
>
>So "the remaining CVEs were not addressed yet" part.
>
>I take your last email as confirmation that they indeed *are* fixed in
>0.99.3~beta2+dfsg-1 and have updated the security-tracker information
>as such.

Thanks.  This is a bit of a confusing mess (thanks upstream).  My understanding is that the remaining ones are ones that are addressed in the beta in unstable/testing, but not the new release.  If I find out different, I'll be sure to update the tracker.

Scott K



Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Sat, 27 Jan 2018 15:33:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 27 Jan 2018 15:33:03 GMT) (full text, mbox, link).


Message #65 received at 888484@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Scott Kitterman <debian@kitterman.com>, 888484@bugs.debian.org
Subject: Re: Bug#888484: [Pkg-clamav-devel] Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available
Date: Sat, 27 Jan 2018 16:28:14 +0100
Scott,

Thank you.

On Sat, Jan 27, 2018 at 03:12:31PM +0000, Scott Kitterman wrote:
> 
> 
> On January 27, 2018 2:30:45 PM UTC, Salvatore Bonaccorso <carnil@debian.org> wrote:
> >Hi Scott,
> >
> >On Sat, Jan 27, 2018 at 02:05:59PM +0000, Scott Kitterman wrote:
> >> fixed 888484 0.99.3~beta2+dfsg-1
> >> 
> >> Everyone:
> >> 
> >> Please leave the status of this bug to the package maintainers.
> >> We've checked and all the security issues in the new 0.99.3 release
> >> were previously addressed in the beta that's in testing/unstable.
> >> 
> >> If you think this is incorrect, provide specific information about
> >> why (i.e. point to the code).  Don't change the status of the bug.
> >> You aren't helping.
> >
> >This though was not clear at all from
> >https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#29 where the
> >bug was marked fixed in 0.99.3~beta2+dfsg-1, where Sebastian wrote:
> >
> >> I *think* the crashes you observed might be due to FD desc issue. This
> >> was fixed in Stretch by chance but not in Jessie. However the remaining
> >> CVEs were not addressed yet and I'm looking into it…
> >> 
> >> [0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html
> >
> >So "the remaining CVEs were not addressed yet" part.
> >
> >I take your last email as confirmation that they indeed *are* fixed in
> >0.99.3~beta2+dfsg-1 and have updated the security-tracker information
> >as such.
> 
> Thanks.  This is a bit of a confusing mess (thanks upstream).  My
> understanding is that the remaining ones are ones that are addressed
> in the beta in unstable/testing, but not the new release.  If I find
> out different, I'll be sure to update the tracker.

Btw, I did expand the tracker CVE entries now with the respective
upstream bugs (they are now open) and the respective commits. And it
looks indeed that all of those are present in the "Import
clamav_0.99.3~beta2+dfsg.orig.tar.xz" of Sebastian Andrzej Siewior, in
the packaging repo done back in december 2017.

Thanks for your work!

Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Sat, 27 Jan 2018 17:51:10 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 27 Jan 2018 17:51:10 GMT) (full text, mbox, link).


Message #70 received at 888484@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Salvatore Bonaccorso <carnil@debian.org>,888484@bugs.debian.org,Scott Kitterman <debian@kitterman.com>
Subject: Re: [Pkg-clamav-devel] Bug#888484: Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available
Date: Sat, 27 Jan 2018 18:49:00 +0100
On 27 January 2018 15:30:45 CET, Salvatore Bonaccorso <carnil@debian.org> wrote:
>So "the remaining CVEs were not addressed yet" part.
>
I was referring to the Stretch release. The fd bug is fixed but not the CVEs.
In the meantime I opened pu bugs for stable and oldstable.


Sebastian



Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Sat, 27 Jan 2018 23:24:03 GMT) (full text, mbox, link).


Acknowledgement sent to Ninos Ego <me@ninosego.de>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sat, 27 Jan 2018 23:24:03 GMT) (full text, mbox, link).


Message #75 received at 888484@bugs.debian.org (full text, mbox, reply):

From: Ninos Ego <me@ninosego.de>
To: 888484@bugs.debian.org
Subject: Patch still not available
Date: Sun, 28 Jan 2018 00:14:36 +0100
Hey there,

I do not want to stress, but is there any reason why it takes so
long to patch clamav with severity "grave"? Can you tell me how
long you still need to fix clamav in current Debian stable (stretch)?
ATM clamav is running on our systems for spam mail protection. If you
still need some time (> 12h), I'm forced to disable clamav as long as
it's not fixed. < 0.99.3 is vulnerable to code execution...

Kindest regards





Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Sun, 28 Jan 2018 02:00:04 GMT) (full text, mbox, link).


Acknowledgement sent to Scott Kitterman <debian@kitterman.com>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Sun, 28 Jan 2018 02:00:04 GMT) (full text, mbox, link).


Message #80 received at 888484@bugs.debian.org (full text, mbox, reply):

From: Scott Kitterman <debian@kitterman.com>
To: Ninos Ego <me@ninosego.de>, 888484@bugs.debian.org
Subject: Re: [Pkg-clamav-devel] Bug#888484: Patch still not available
Date: Sat, 27 Jan 2018 20:56:54 -0500
On Sunday, January 28, 2018 12:14:36 AM Ninos Ego wrote:
> Hey there,
> 
> I do not want to stress, but is there any reason why it takes so
> long to patch clamav with severity "grave"? Can you tell me how
> long you still need to fix clamav in current Debian stable (stretch)?
> ATM clamav is running on our systems for spam mail protection. If you
> still need some time (> 12h), I'm forced to disable clamav as long as
> it's not fixed. < 0.99.3 is vulnerable to code execution...

We're currently waiting on approval from a stable release manager to upload 
the fix:

https://bugs.debian.org/888552
https://bugs.debian.org/888553

Clamav is not supported through the normal Debian security release process 
because of the general necessity of updating clamav in complete upstream 
releases that carry much more than security fixes.  As a result, it takes a 
little longer.

If you know how to build a Debian package (and honestly, if you are 
administering Debian systems, you should), then you can grab the stable source 
package, apply the patch from the bug, and build a local package for use until 
we get this approved and uploaded.

Scott K



Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
You have taken responsibility. (Sun, 28 Jan 2018 22:03:03 GMT)


Notification sent to Rob N <rob@eatenbyagrue.org>:
Bug acknowledged by developer. (Sun, 28 Jan 2018 22:03:03 GMT)


Message #85 received at 888484-close@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: 888484-close@bugs.debian.org
Subject: Bug#888484: fixed in clamav 0.99.2+dfsg-6+deb9u1
Date: Sun, 28 Jan 2018 22:02:24 +0000
Source: clamav
Source-Version: 0.99.2+dfsg-6+deb9u1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888484@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 27 Jan 2018 00:33:28 +0100
Source: clamav
Binary: clamav-base clamav-docs clamav libclamav-dev libclamav7 clamav-daemon clamdscan clamav-testfiles clamav-freshclam clamav-milter
Architecture: source
Version: 0.99.2+dfsg-6+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Description:
 clamav     - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 clamdscan  - anti-virus utility for Unix - scanner client
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav7 - anti-virus utility for Unix - library
Closes: 888484
Changes:
 clamav (0.99.2+dfsg-6+deb9u1) stretch; urgency=medium
 .
   * Apply security patches from 0.99.3 (Closes: #888484):
     - fixes for the following CVEs: CVE-2017-6418, CVE-2017-6420,
       CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
       CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
   * Bump symbol version of cl_retflevel because CL_FLEVEL changed.





Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
You have taken responsibility. (Sun, 28 Jan 2018 22:06:05 GMT)


Notification sent to Rob N <rob@eatenbyagrue.org>:
Bug acknowledged by developer. (Sun, 28 Jan 2018 22:06:06 GMT)


Message #90 received at 888484-close@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: 888484-close@bugs.debian.org
Subject: Bug#888484: fixed in clamav 0.99.2+dfsg-0+deb8u3
Date: Sun, 28 Jan 2018 22:03:13 +0000
Source: clamav
Source-Version: 0.99.2+dfsg-0+deb8u3

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888484@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 27 Jan 2018 01:29:24 +0100
Source: clamav
Binary: clamav-base clamav-docs clamav-dbg clamav libclamav-dev libclamav7 clamav-daemon clamdscan clamav-testfiles clamav-freshclam clamav-milter
Architecture: source all
Version: 0.99.2+dfsg-0+deb8u3
Distribution: jessie
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Description:
 clamav     - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-dbg - debug symbols for ClamAV
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 clamdscan  - anti-virus utility for Unix - scanner client
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav7 - anti-virus utility for Unix - library
Closes: 824196 888484
Changes:
 clamav (0.99.2+dfsg-0+deb8u3) jessie; urgency=medium
 .
   * Apply security patches from 0.99.3 (Closes: #888484):
     - fixes for the following CVEs: CVE-2017-6418, CVE-2017-6420,
       CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
       CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
   * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
   * Cherry-pick patch from bb11549 to fix a temp file cleanup issue
     (Closes: #824196).





Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Mon, 29 Jan 2018 13:39:02 GMT)


Acknowledgement sent to Fared Ghijas <fared@ghijas.net>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Mon, 29 Jan 2018 13:39:02 GMT)


Message #95 received at 888484@bugs.debian.org:

From: Fared Ghijas <fared@ghijas.net>
To: 888484@bugs.debian.org <888484@bugs.debian.org>
Subject: Packages still not available?
Date: Mon, 29 Jan 2018 14:30:01 +0100
Hi everybody,

The fixed versions seem not to be available at https://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all.

Why does it take so long for such a critical bug? This means DOS and remote code execution vulnerability for a whole lot of mail gateways, which might expose communication, abuse those systems for spam or use them to get into trusted networks. The vulnerability is already actively used. The answer cannot be to compile a new version on our own. This is not the reason for having a long term support distribution, maybe with a small footprint without a compiler. It has already taken more than 72h while the patch was available.

The open source world usually does a great job on fast security updates and I’m sure you guys do too.

Could you please provide this update as soon as possible or give us some information on how long it will take?

Thanks,

Fared

Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Mon, 29 Jan 2018 14:03:03 GMT)


Acknowledgement sent to Roberto C. Sánchez <roberto@debian.org>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Mon, 29 Jan 2018 14:03:03 GMT)


Message #100 received at 888484@bugs.debian.org:

From: Roberto C. Sánchez <roberto@debian.org>
To: Fared Ghijas <fared@ghijas.net>, 888484@bugs.debian.org
Subject: Re: Bug#888484: Packages still not available?
Date: Mon, 29 Jan 2018 08:59:55 -0500
On Mon, Jan 29, 2018 at 02:30:01PM +0100, Fared Ghijas wrote:
> 
>    The fixed versions seem not to be available at
>    https://packages.debian.org/search?keywords=clamav&searchon=names&suite=all&section=all.
> 
It should be shortly.

>    Why does it take so long for such a critical bug?

Because Debian has a process for issuing both security and non-security
updates. That process involves the review of multiple parties. In the
case of ClamAV, the updates are frequent enough that they are handled
via the proposed-updates mechanism, which requires the review and
approval of a release manager. This is explained in the discussion
history of this bug.

>    This means DOS and
>    remote code execution vulnerability for a whole lot of mail gateways,
>    which might expose communication, abuse those systems for spam or use them
>    to get into trusted networks. The vulnerability is already actively used.

Everybody involved is well aware of this.

>    The answer cannot be to compile a new version on our own. This is not the
>    reason for having a long term support distribution, maybe with a small
>    footprint without a compiler. It has already taken more than 72h while
>    the patch was available.
> 
I cannot tell if you are serious or if you are trolling here. Debian is
in use on hundreds of thousands, if not millions, of systems worldwide.
It helps nobody to have patches rushed out without proper testing and
review. Additionally, much of the work on Debian is being done by
unpaid volunteers in their spare time.

Additionally, the manner in which upstream made the release involved
changing the version numbering of a release that was already planned,
which complicated matters a bit.

If you are so dependent on having updates in a particular time frame,
then you should consider developing the ability to build your own
security updates (yes, compiling the updates for yourself can certainly
be a valid answer). If that is not possible or desirable for you, then
you should contract with a commercial entity that can provide that
support. There are numerous individuals and companies, including quite
a few Debian developers, who would be more than happy to furnish you a
support contract with a specified service level agreement response time.

>    The open source world usually does a great job on fast security updates
>    and I’m sure you guys do too.
> 
I am not convinced that you understand and appreciate the amount of
effort involved.

>    Could you please provide this update as soon as possible or give us
>    some information on how long it will take?
> 
If you look at the messages recorded in the bug history prior to your
message, the packages for jessie and stretch were uploaded about 15
hours prior to you sending your message. It takes some time for
packages to be built for all supported architectures and then to be
distributed across the worldwide archive mirror network. The stretch
packages have all been built for a few hours now and should show up in
the archive mirrors within a few hours.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Mon, 29 Jan 2018 14:54:03 GMT)


Acknowledgement sent to Fared Ghijas <fared@ghijas.net>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Mon, 29 Jan 2018 14:54:03 GMT)


Message #105 received at 888484@bugs.debian.org:

From: Fared Ghijas <fared@ghijas.net>
To: 888484@bugs.debian.org <888484@bugs.debian.org>
Subject: Re: Bug#888484: Packages still not available?
Date: Mon, 29 Jan 2018 15:52:13 +0100
Hi Roberto,

thank you for your explanation. I was not aware of some aspects you mentioned about the process and distribution. Usually I’m not that concerned about a security update as in this case. I couldn’t find any workaround information from clamav, like disabling the scan of pdf mail attachments or anything else.

Thanks,

Fared

Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Wed, 31 Jan 2018 12:15:04 GMT)


Acknowledgement sent to Klaus Keppler <kk@keppler-it.de>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Wed, 31 Jan 2018 12:15:04 GMT)


Message #110 received at 888484@bugs.debian.org:

From: Klaus Keppler <kk@keppler-it.de>
To: 888484@bugs.debian.org
Subject: Updates for stretch/jessie not in security repo
Date: Wed, 31 Jan 2018 12:52:35 +0100
Hi,

is there a special reason why the updates are not published through the 
"security" repositories of Debian Stretch/Jessie?

- on Debian 7, the update is in "wheezy" (via security)
- on Debian 8, the update is in "jessie-updates"
- on Debian 9, the update is in "stretch-updates"

With regard to the severity of the bug, I can't understand this release 
strategy. Or am I just too impatient?

Many "sources.list" files do not contain the "-updates" repository, for 
example unmodified Xen instances created with "xen-create-image".

So I suggest to push this update also into debian-security.

Thanks for your efforts & best regards

   -Klaus




Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Wed, 31 Jan 2018 13:03:03 GMT)


Acknowledgement sent to Andreas Schamanek <schamane@fam.tuwien.ac.at>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Wed, 31 Jan 2018 13:03:03 GMT)


Message #115 received at 888484@bugs.debian.org:

From: Andreas Schamanek <schamane@fam.tuwien.ac.at>
To: 888484@bugs.debian.org
Subject: Re: Bug#888484: Updates for stretch/jessie not in security repo
Date: Wed, 31 Jan 2018 13:49:58 +0100 (CET)
On Wed, 31 Jan 2018, at 12:52, Klaus Keppler wrote:

> Many "sources.list" files do not contain the "-updates" repository

Even more so: I do source -updates, however, only now I see why the 
update was not yet installed automagically:

# apt-cache policy clamav
clamav:
  Installed: 0.99.2+dfsg-0+deb8u2
  Candidate: 0.99.2+dfsg-0+deb8u2
  Version table:
     0.99.2+dfsg-0+deb8u3 0
        500 http://ftp2.de.debian.org/debian/ jessie-updates/main amd64 Packages
 *** 0.99.2+dfsg-0+deb8u2 0
        990 http://ftp2.de.debian.org/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status

-- 
-- Andreas
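
The apt-cache policy output in Andreas's message shows the failure mode exactly: deb8u3 is present in jessie-updates at pin priority 500, but jessie/main is pinned at 990, so APT keeps deb8u2 as the candidate and the security fix is never installed. As an added example (not from the thread and not Debian's own tooling), here is a POSIX sh/awk check that parses apt-cache policy output and flags a package whose newest available version is not the candidate; the two sample outputs are constructed from the one quoted above, and check_package is a hypothetical wrapper for running it against a live host.

```shell
#!/bin/sh
# Added example (not from the bug thread): detect a package whose newest
# available version is NOT the APT candidate, i.e. an update held back by
# pin priorities, as happened here with clamav in jessie-updates (500)
# versus jessie/main (990).

# Constructed sample input: the apt-cache policy output quoted in the thread.
SAMPLE_HELD_BACK='clamav:
  Installed: 0.99.2+dfsg-0+deb8u2
  Candidate: 0.99.2+dfsg-0+deb8u2
  Version table:
     0.99.2+dfsg-0+deb8u3 0
        500 http://ftp2.de.debian.org/debian/ jessie-updates/main amd64 Packages
 *** 0.99.2+dfsg-0+deb8u2 0
        990 http://ftp2.de.debian.org/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status'

# Constructed counter-sample: the same host after the pin is fixed, so the
# newest version is also the candidate and nothing is held back.
SAMPLE_OK='clamav:
  Installed: 0.99.2+dfsg-0+deb8u2
  Candidate: 0.99.2+dfsg-0+deb8u3
  Version table:
     0.99.2+dfsg-0+deb8u3 0
        500 http://ftp2.de.debian.org/debian/ jessie-updates/main amd64 Packages
 *** 0.99.2+dfsg-0+deb8u2 0
        500 http://ftp2.de.debian.org/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status'

# held_back_version: reads "apt-cache policy <pkg>" output on stdin.
# apt-cache lists the version table newest-first, so no version comparison
# is needed: if the first version listed is not the Candidate, APT is
# holding a newer version back. On that condition it prints
# "<newest> <candidate> <source line of newest>" and returns 0;
# otherwise it prints nothing and returns 1.
held_back_version() {
    awk '
        /^  Candidate:/     { cand = $2 }
        /^  Version table:/ { intable = 1; next }
        !intable            { next }
        # Source lines start with a numeric pin priority ("500 http://...",
        # "100 /var/lib/dpkg/status"); version lines do not.
        $1 ~ /^[0-9]+$/ {
            if (nver == 1 && src == "") { sub(/^ +/, ""); src = $0 }
            next
        }
        # Version line: optional "***" marker, version, then pin value.
        {
            v = ($1 == "***") ? $2 : $1
            nver++
            if (nver == 1) newest = v
        }
        END {
            if (newest != "" && newest != cand) {
                print newest, cand, src
                exit 0
            }
            exit 1
        }
    '
}

# check_package: run the check against the live system for one package
# (hypothetical wrapper; needs apt-cache on the host, not used by the samples).
check_package() {
    apt-cache policy "$1" | held_back_version
}

# Stand-alone demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_HELD_BACK" | held_back_version; then
    echo "held back: update present in a lower-priority source"
fi
printf '%s\n' "$SAMPLE_OK" | held_back_version || echo "nothing held back"
```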





Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Thu, 01 Feb 2018 00:12:03 GMT)


Acknowledgement sent to Matija Nalis <mnalis-debianbug@voyager.hr>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Thu, 01 Feb 2018 00:12:03 GMT)


Message #120 received at 888484@bugs.debian.org:

From: Matija Nalis <mnalis-debianbug@voyager.hr>
To: 888484@bugs.debian.org
Subject: Re: Bug#888484: Updates for stretch/jessie not in security repo
Date: Thu, 1 Feb 2018 01:03:29 +0100
nor does debian security tracker list the updates as available for jessie/stretch:
https://security-tracker.debian.org/tracker/source-package/clamav

(security-tracker does say in hover text that jessie 
"gets updated via -updates", so it should pick that up)

it correctly reports wheezy, buster and sid as fixed.

for example, see also https://security-tracker.debian.org/tracker/CVE-2017-12376

this looks to me also like something that should be fixed (somewhere)?



Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Thu, 01 Feb 2018 04:00:04 GMT)


Acknowledgement sent to Scott Kitterman <debian@kitterman.com>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Thu, 01 Feb 2018 04:00:04 GMT)


Message #125 received at 888484@bugs.debian.org:

From: Scott Kitterman <debian@kitterman.com>
To: Matija Nalis <mnalis-debianbug@voyager.hr>, 888484@bugs.debian.org
Subject: Re: [Pkg-clamav-devel] Bug#888484: Updates for stretch/jessie not in security repo
Date: Wed, 31 Jan 2018 22:57:30 -0500
On Thursday, February 01, 2018 01:03:29 AM Matija Nalis wrote:
> nor does debian security tracker list the updates as available for
> jessie/stretch:
> https://security-tracker.debian.org/tracker/source-package/clamav
> 
> (security-tracker does say in hover text that jessie
> "gets updated via -updates", so it should pick that up)
> 
> it correctly reports wheezy, buster and sid as fixed.
> 
> for example, see also
> https://security-tracker.debian.org/tracker/CVE-2017-12376
> 
> this looks to me also like something that should be fixed (somewhere)?

By design, the security tracker doesn't consider things 'fixed' in stable via 
updates until after it's included in a Debian point release.  I agree it's not 
totally clear, but the way it's working is what the security team intends.

Scott K



Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Thu, 01 Feb 2018 04:09:04 GMT)


Acknowledgement sent to Scott Kitterman <debian@kitterman.com>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Thu, 01 Feb 2018 04:09:04 GMT)


Message #130 received at 888484@bugs.debian.org:

From: Scott Kitterman <debian@kitterman.com>
To: Klaus Keppler <kk@keppler-it.de>, 888484@bugs.debian.org
Subject: Re: [Pkg-clamav-devel] Bug#888484: Updates for stretch/jessie not in security repo
Date: Wed, 31 Jan 2018 23:07:11 -0500
On Wednesday, January 31, 2018 12:52:35 PM Klaus Keppler wrote:
> Hi,
> 
> is there a special reason why the updates are not published through the
> "security" repositories of Debian Stretch/Jessie?
> 
> - on Debian 7, the update is in "wheezy" (via security)
> - on Debian 8, the update is in "jessie-updates"
> - on Debian 9, the update is in "stretch-updates"
> 
> With regard to the severity of the bug, I can't understand this release
> strategy. Or am I just too impatient?
> 
> Many "sources.list" files do not contain the "-updates" repository, for
> example unmodified Xen instances created with "xen-create-image".
> 
> So I suggest to push this update also into debian-security.
> 
> Thanks for your efforts & best regards

The reason is that typically clamav updates include much more than just 
security fixes (as far as I can recall in roughly a decade of clamav 
maintenance this is the first time it's happened), so are not considered 
suitable for the security repository.

We believe that keeping clamav up to date so that, as a package that provides 
a security service, it is always kept as capable as possible is of overriding 
importance for clamav.

Wheezy is done through 'security' because it's no longer supported by the 
Debian project, but by the Long Term Support team.  The LTS team publishes ALL 
updates (security or not) via the security repository.  For Debian supported 
releases, clamav will always go via updates.

If you are just discovering this now, you've been missing out on clamav 
updates for a long time.  Debian started publishing Stable Update 
Announcements in March, 2011.  The very first clamav stable update 
announcement was published that same month[1].  These clamav updates virtually 
always include security relevant fixes.

Scott K


[1] https://lists.debian.org/debian-stable-announce/2011/03/msg00003.html



Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Thu, 01 Feb 2018 05:51:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Thu, 01 Feb 2018 05:51:03 GMT)


Message #135 received at 888484@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Scott Kitterman <debian@kitterman.com>, 888484@bugs.debian.org
Cc: Matija Nalis <mnalis-debianbug@voyager.hr>
Subject: Re: Bug#888484: [Pkg-clamav-devel] Bug#888484: Updates for stretch/jessie not in security repo
Date: Thu, 1 Feb 2018 06:49:46 +0100
Hi Scott,

On Wed, Jan 31, 2018 at 10:57:30PM -0500, Scott Kitterman wrote:
> On Thursday, February 01, 2018 01:03:29 AM Matija Nalis wrote:
> > nor does debian security tracker list the updates as available for
> > jessie/stretch:
> > https://security-tracker.debian.org/tracker/source-package/clamav
> > 
> > (security-tracker does say in hover text that jessie
> > "gets updated via -updates", so it should pick that up)
> > 
> > it correctly reports wheezy, buster and sid as fixed.
> > 
> > for example, see also
> > https://security-tracker.debian.org/tracker/CVE-2017-12376
> > 
> > this looks to me also like something that should be fixed (somewhere)?
> 
> By design, the security tracker doesn't consider things 'fixed' in stable via 
> updates until after it's included in a Debian point release.  I agree it's not 
> totally clear, but the way it's working is what the security team intends.

JFTR, yes that's correct. As a side note, we might need to look into
starting -updates and consider what is there to be 'accepted' for
stable (oldstable) already by the stable release managers. This would
need some work on the security-tracker side which would not support
that yet. Will think about it.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#888484; Package clamav. (Thu, 24 May 2018 07:30:05 GMT)


Acknowledgement sent to Hans Schmidt <hansschmidt917@gmail.com>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Thu, 24 May 2018 07:30:05 GMT)


Message #140 received at 888484@bugs.debian.org:

From: Hans Schmidt <hansschmidt917@gmail.com>
To: 888484@bugs.debian.org
Date: Thu, 24 May 2018 09:24:18 +0200
I have the same problem.

Hans

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 11 Jul 2018 07:29:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 12:58:42 2019; Machine Name: buxtehude
