UVFe for clamav 0.90.2

Bug #106357 reported by Scott Kitterman on 2007-04-13
2
Affects Status Importance Assigned to Milestone
clamav (Ubuntu)
Undecided
MOTU Release Team

Bug Description

Binary package hint: clamav

Not in Debian yet. From the upstream changelog:

  V 0.90.2
  * Bugfixes:
    - libclamav/chmunpack.c: fix fd leak in chm_decompress_stream
      (CVE-2007-1745)
    - libclamav/cab.c: fix buffer overflow, reported through iDefense
      Vulnerability Contributor Program (CVE-2007-1997)
    - shared/cfgparser.c: multiple Clamuko*Path were not being handled properly
      (bb#420)
    - shared/misc.c: minor fixes to daemonize() (bb#319), thanks to Reinhard Max
    - clamconf, clamdscan: add -I$(top_srcdir) to Makefile.am (bb#404)
    - freshclam/manager.c: fix log message (bb#411)
    - freshclam: release dbdir write-lock before notifying clamd (bb#401)
    - freshclam/manager.c: fix error handling in --no-dns mode (bb#418)
    - freshclam/manager.c: close and re-open client socket for each connect
      attempt (bb#413), patch from Andy Fiddaman
    - freshclam/mirman.c: fix --list-mirrors on Solaris/64 (bb#414),
      thanks to Andy Fiddaman
    - configure.in: use -lthr instead of -pthread on FreeBSD 6.x
    - libclamav/pdf.c: Fix fd leak on empty objects. Scan in user memory
    - libclamav/pdf.c: When flatedecoder fails point out that the encoder
      was to blame for getting the length wrong, not clamAV
    - libclamav/lockdb.c: fix fd leak on EACCES/EAGAIN (bb#400)
    - libclamav: improve backward compatibility (bb#393)
    - libclamav/matcher-ac.c: fix incorrect calculation of maxshift in some
      cases (bb#390)
    - contrib/entitynorm/: fix entity list generator to support more entities,
      including & (bb #391)
    - libclamav/entitylist.h: new entitylist generated using
      contrib/entitynorm/generate_entitylist (bb #391)
    - libclamav/mbox.c: Include the clamAV version in the HTTP request
    - libclamav/htmlnorm.c: ampersands were missed in URLs. (bb #377)
    - libclamav/htmlnorm.c: Better handling for empty charset in meta tag.
    - libclamav/mbox.c: Fix bug 255 and 402

Related branches

Scott Kitterman (kitterman) wrote :

diffstat

Scott Kitterman (kitterman) wrote :

Debs for all packages built and installed on i386. Tested clamav-base, clamav-daemon, and freshclam with Klamav with no issues.

Changed in clamav:
assignee: nobody → motu-uvf
Scott Kitterman (kitterman) wrote :

Correction and update.... Klamav uses clamav, not clamav daemon. libclamav2 also gets used. The Klamav test succesfully found the test files included with the clamav package.

Have now built the package on a second Feisty i386 computer and run clamv (libclamav2, clamav-base, freshclam, and clamav-daemon) with clamsmtp successfully.

Daniel T Chen (crimsun) wrote :

I think this would be a good idea for Feisty. What does the security team (Kees?) think?

Daniel T Chen (crimsun) wrote :

Sorry, meant "Feisty" above to be Feisty backports.

Scott Kitterman (kitterman) wrote :

If you want to hold this for backports, then I think someone (other than me because I don't know enough) needs to look at patching our 0.90.1 packages for the two CVEs fixeD

Scott Kitterman (kitterman) wrote :

Stupid Treo truncates the response....

... for the two CVEs fixed in 0.90.2. At this point I think it's probably lower risk to take their entire (tested) 0.90.2 release than to try an cherry pick out the fixes for the two CVEs. Either way I'm glad I'm not the one that has to decide.

Andrew Mitchell (ajmitch) wrote :

+1 from me, based on it being a bug fix release, and that upstream will disable support for 0.90.1 (http://lurker.clamav.net/message/20070413.012951.1d50edff.en.html)

Daniel T Chen (crimsun) wrote :

Ok, in light of the information above regarding support for 0.90.1 being disabled on 16 Apr '07, let's move immediately on this.

+1.

Changed in clamav:
status: Unconfirmed → Confirmed
Luke Yelavich (themuso) wrote :

Please mark as fix released once the package has successfully built.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 14 Apr 2007 05:24:09 -0400
Source: clamav
Binary: clamav libclamav-dev clamav-dbg clamav-milter clamav-base clamav-freshclam clamav-testfiles clamav-daemon libclamav2 clamav-docs
Architecture: source
Version: 0.90.2-0ubuntu1
Distribution: feisty
Urgency: low
Maintainer: Ubuntu MOTU Developers <email address hidden>
Changed-By: Scott Kitterman <email address hidden>
Description:
 clamav - antivirus scanner for Unix
 clamav-base - base package for clamav, an anti-virus utility for Unix
 clamav-daemon - antivirus scanner daemon
 clamav-dbg - debug symbols for clamav
 clamav-docs - documentation package for clamav, an anti-virus utility for Unix
 clamav-freshclam - downloads clamav virus databases from the Internet
 clamav-milter - antivirus scanner for sendmail
 clamav-testfiles - use these files to test that your Antivirus program works
 libclamav-dev - clam Antivirus library development files
 libclamav2 - virus scanner library
Launchpad-Bugs-Fixed: 106357
Changes:
 clamav (0.90.2-0ubuntu1) feisty; urgency=low
 .
   * New upstream release not in Debian yet.
     - Current patchset still applies
   * No /debian changes.
   * UVF Exception granted (LP: #106357)
     - Upstream is disabling virus definition support for 0.90.0/1 will
       be disabled starting on April 16 2007.
Files:
 9e30e08d19ce97bf9ae5d9a85be347b2 965 utils optional clamav_0.90.2-0ubuntu1.dsc
 39d1f07a399b551b55096b6ec7325c33 12062886 utils optional clamav_0.90.2.orig.tar.gz
 c5c8820dc3fbb5409f8f0c317f68f826 204456 utils optional clamav_0.90.2-0ubuntu1.diff.gz
Original-Maintainer: Stephen Gran <email address hidden>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGIKbwjVefwtBjIM4RAlgnAJ9ZmP+GWlWexYWg2LcbE0AANzBebgCcCeEe
/EkPO/VFDM5pg7Li8qIREOQ=
=fTtZ
-----END PGP SIGNATURE-----

Changed in clamav:
status: Confirmed → Fix Committed
Luke Yelavich (themuso) on 2007-04-14
Changed in clamav:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments