lsb_release -rd
Description: Ubuntu 18.04.3 LTS
Release: 18.04
apt-cache policy clamav
clamav:
Installed: 0.100.3+dfsg-0ubuntu0.18.04.1
Candidate: 0.100.3+dfsg-0ubuntu0.18.04.1
The current version of ClamAV for 18.04.3 LTS is 0.100.3+dfsg-1ubuntu0.18.04.1. The current stable version of ClamAV is 0.101.4. There have been patches released that fix security related bugs as shown below:
CVE-2019-12900 BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
ClamAV 0.101.4 is a security patch release that addresses the following issues.
An out of bounds write was possible within ClamAV's NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900). The issue has been resolved by respecting that limit.
CVE-2019-1798 A vulnerability in the Portable Executable (PE) file scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to a lack of proper input and validation checking mechanisms for PE files sent an affected device. An attacker could exploit this vulnerability by sending malformed PE files to the device running an affected version ClamAV Software. An exploit could allow the attacker to cause an out-of-bounds read condition, resulting in a crash that could result in a denial of service condition on an affected device.
Please see bug report https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1822503 for a listing of other CVEs that apply to versions up to 0.101.2
Request that ClamAV be updated to the latest version 0.101.4
Status changed to 'Confirmed' because the bug affects multiple users.