clamav: CVE-2024-20290 CVE-2024-20328

Debian Bug report logs - #1063479

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 8 Feb 2024 19:27:01 UTC

Severity: important

Tags: security, upstream

Found in versions clamav/1.0.4+dfsg-1, clamav/1.0.3+dfsg-1~deb12u1

Fixed in version clamav/1.0.5+dfsg-1

Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#1063479; Package src:clamav. (Thu, 08 Feb 2024 19:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Thu, 08 Feb 2024 19:27:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: clamav: CVE-2024-20290 CVE-2024-20328
Date: Thu, 08 Feb 2024 20:22:48 +0100
Source: clamav
Version: 1.0.4+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 1.0.3+dfsg-1~deb12u1

Hi,

The following vulnerabilities were published for clamav.

CVE-2024-20290[0]:
| A vulnerability in the OLE2 file format parser of ClamAV could allow
| an unauthenticated, remote attacker to cause a denial of service
| (DoS) condition on an affected device. This vulnerability is due
| to an incorrect check for end-of-string values during scanning,
| which may result in a heap buffer over-read. An attacker could
| exploit this vulnerability by submitting a crafted file containing
| OLE2 content to be scanned by ClamAV on an affected device. A
| successful exploit could allow the attacker to cause the ClamAV
| scanning process to terminate, resulting in a DoS condition on the
| affected software and consuming available system resources. For a
| description of this vulnerability, see the ClamAV blog.


CVE-2024-20328[1]:
| Fixed a possible command injection vulnerability in the "VirusEvent"
| feature of ClamAV's ClamD service.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-20290
    https://www.cve.org/CVERecord?id=CVE-2024-20290
[1] https://security-tracker.debian.org/tracker/CVE-2024-20328
    https://www.cve.org/CVERecord?id=CVE-2024-20328
[2] https://blog.clamav.net/2023/11/clamav-130-122-105-released.html

Regards,
Salvatore



Marked as found in versions clamav/1.0.3+dfsg-1~deb12u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 08 Feb 2024 19:27:04 GMT) (full text, mbox, link).


Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
You have taken responsibility. (Thu, 08 Feb 2024 20:51:06 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 08 Feb 2024 20:51:06 GMT) (full text, mbox, link).


Message #12 received at 1063479-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1063479-close@bugs.debian.org
Subject: Bug#1063479: fixed in clamav 1.0.5+dfsg-1
Date: Thu, 08 Feb 2024 20:48:21 +0000
Source: clamav
Source-Version: 1.0.5+dfsg-1
Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1063479@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 08 Feb 2024 21:38:51 +0100
Source: clamav
Architecture: source
Version: 1.0.5+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Closes: 1063479
Changes:
 clamav (1.0.5+dfsg-1) unstable; urgency=medium
 .
   * Import 1.0.4 (Closes: #1063479).
     - Update symbols.
     - CVE-2024-20290 (Fixed a possible heap overflow read bug in the OLE2 file
       parser that could cause a denial-of-service (DoS) condition.)
     - CVE-2024-20328 (Fixed a possible command injection vulnerability in the
       "VirusEvent" feature of ClamAV's ClamD service.)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Feb 9 14:45:29 2024; Machine Name: bembo
