ClamAV needs updated to reflect security fixes
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| clamav (Ubuntu) | Fix Released | High | Ubuntu Security Team | |
Bug Description
lsb_release -rd
Description: Ubuntu 18.04.3 LTS
Release: 18.04
apt-cache policy clamav
clamav:
Installed: 0.100.3+
Candidate: 0.100.3+
The current version of ClamAV for 18.04.3 LTS is 0.100.3+
CVE-2019-12900 BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
ClamAV 0.101.4 is a security patch release that addresses the following issues.
An out of bounds write was possible within ClamAV's NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900). The issue has been resolved by respecting that limit.
CVE-2019-1798 A vulnerability in the Portable Executable (PE) file scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to a lack of proper input and validation checking mechanisms for PE files sent to an affected device. An attacker could exploit this vulnerability by sending malformed PE files to the device running an affected version of ClamAV Software. An exploit could allow the attacker to cause an out-of-bounds read condition, resulting in a crash that could result in a denial of service condition on an affected device.
Please see bug report https:/
Request that ClamAV be updated to the latest version 0.101.4
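The missing upper bound described for CVE-2019-12900, as an added example that is not part of the original report and is not ClamAV's or bzip2's own code: a simplified selector-section parser in C that rejects a selector count larger than the table it fills. The names `bitrd`, `get_bits` and `read_selectors` and the sample bytes are constructed for illustration, and the input is assumed to start at the group-count field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BZ_MAX_SELECTORS (2 + (900000 / 50)) /* 18002: capacity of the selector table */

typedef struct { const uint8_t *buf; size_t len, pos; } bitrd; /* pos counts bits */

/* Read n bits MSB-first; returns -1 if the input runs out. */
static int get_bits(bitrd *r, int n, uint32_t *out) {
    uint32_t v = 0;
    while (n--) {
        if (r->pos >= r->len * 8) return -1;
        v = (v << 1) | ((r->buf[r->pos >> 3] >> (7 - (r->pos & 7))) & 1u);
        r->pos++;
    }
    *out = v;
    return 0;
}

/* Parse nGroups (3 bits), nSelectors (15 bits) and the unary-coded selectors
 * into table[BZ_MAX_SELECTORS]. Returns 0, or -1 for malformed data. */
int read_selectors(const uint8_t *buf, size_t len, uint8_t *table, int *count) {
    bitrd r = { buf, len, 0 };
    uint32_t nGroups, nSelectors, bit;
    if (get_bits(&r, 3, &nGroups) || nGroups < 2 || nGroups > 6) return -1;
    if (get_bits(&r, 15, &nSelectors)) return -1;
    /* A 15-bit field can declare up to 32767 entries. Without an upper bound
     * the loop below writes past the table; this is the limit that has to be
     * respected. */
    if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) return -1;
    for (uint32_t i = 0; i < nSelectors; i++) {
        uint32_t j = 0;
        for (;;) {
            if (get_bits(&r, 1, &bit)) return -1;
            if (!bit) break;
            if (++j >= nGroups) return -1; /* selector must name an existing group */
        }
        table[i] = (uint8_t)j;
    }
    *count = (int)nSelectors;
    return 0;
}

int main(void) {
    static uint8_t table[BZ_MAX_SELECTORS];
    const uint8_t sample[] = { 0x40, 0x00, 0xD0 }; /* constructed: 2 groups, selectors 0,1,0 */
    int n = 0, rc = read_selectors(sample, sizeof sample, table, &n);
    printf("rc=%d count=%d\n", rc, n);
    return rc;
}
```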
CVE References
Changed in clamav (Ubuntu):
importance: Undecided → High
tags: added: server-next
Status changed to 'Confirmed' because the bug affects multiple users.