ClamAV needs updated to reflect security fixes

Bug #1841281 reported by chris pollock
270
This bug affects 3 people
Affects Status Importance Assigned to Milestone
clamav (Ubuntu)
Fix Released
High
Ubuntu Security Team

Bug Description

lsb_release -rd
Description: Ubuntu 18.04.3 LTS
Release: 18.04

apt-cache policy clamav
clamav:
  Installed: 0.100.3+dfsg-0ubuntu0.18.04.1
  Candidate: 0.100.3+dfsg-0ubuntu0.18.04.1

The current version of ClamAV for 18.04.3 LTS is 0.100.3+dfsg-1ubuntu0.18.04.1. The current stable version of ClamAV is 0.101.4. There have been patches released that fix security related bugs as shown below:

CVE-2019-12900 BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
ClamAV 0.101.4 is a security patch release that addresses the following issues.
 An out of bounds write was possible within ClamAV's NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900). The issue has been resolved by respecting that limit.

CVE-2019-1798 A vulnerability in the Portable Executable (PE) file scanning functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to a lack of proper input and validation checking mechanisms for PE files sent an affected device. An attacker could exploit this vulnerability by sending malformed PE files to the device running an affected version ClamAV Software. An exploit could allow the attacker to cause an out-of-bounds read condition, resulting in a crash that could result in a denial of service condition on an affected device.

Please see bug report https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1822503 for a listing of other CVEs that apply to versions up to 0.101.2

Request that ClamAV be updated to the latest version 0.101.4

CVE References

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in clamav (Ubuntu):
status: New → Confirmed
Bryce Harrington (bryce)
Changed in clamav (Ubuntu):
importance: Undecided → High
tags: added: server-next
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Thanks, looks like clamav has bzip2 vendored in, in libclamav/nsis/bzlib.c (or at least bits of bzip2), and was missed in the CVE 2019-12900 bzip2 fix (https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-12900.html)

I flagged the bug as public security, and contacted the security team.

information type: Public → Public Security
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

eoan has 0.101.4+dfsg-1ubuntu1 and has the fix.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

To make it clear I assigned and subscribed ubuntu-security

Changed in clamav (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
tags: removed: server-next
Revision history for this message
Alex Murray (alexmurray) wrote :

This was fixed in clamav 0.101.4+dfsg-0ubuntu0.YY.MM.1 for each corresponding Ubuntu release.

Changed in clamav (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.