Sync clamav 0.103.2+dfsg-1 (main) from Debian unstable (main)

Bug #1923831 reported by Utkarsh Gupta
Affects: clamav (Ubuntu)
Importance: Critical
Assigned to: Utkarsh Gupta

Bug Description

Please sync clamav 0.103.2+dfsg-1 (main) from Debian unstable (main).
The update fixes 3 new vulnerabilities and includes some other misc fixes.
IOW: it's probably important to update the package, hence the sync request.

Changelog entries since current hirsute version 0.103.0+dfsg-3.1:

clamav (0.103.2+dfsg-1) unstable; urgency=medium

  * Import 0.103.2
    - CVE-2021-1252 (Fix for Excel XLM parser infinite loop.)
    - CVE-2021-1404 (Fix for PDF parser buffer over-read; possible crash.)
    - CVE-2021-1405 (Fix for mail parser NULL-dereference crash.)
    - Update symbol file.
   (Closes: #986622).

 -- Sebastian Andrzej Siewior <email address hidden> Mon, 12 Apr 2021 21:31:08 +0200

Utkarsh Gupta (utkarsh) wrote :
Changed in clamav (Ubuntu):
importance: Undecided → Wishlist
importance: Wishlist → Critical
Christian Ehrhardt (paelzer) wrote :

I agree that the CVEs will be needed.

But 103.2 also includes the next step in disabling safe browsing
=> https://blog.clamav.net/2020/06/the-future-of-clamav-safebrowsing.html
That might be ok as upstream can't provide the data anyway, but it is still worth thinking about.

Also a bunch of other changes, but all fixes.

But we shouldn't miss that this also includes all of
https://blog.clamav.net/search/label/0.103.1

That added a few features (none dropped gladly), and much more fixes.

Now on a normal package I'd say "that seems too much for a late sync".
But we have to take into account that clamav isn't normal.
Security does regularly full version sync/backports to the former Ubuntu versions.

So if it is ok to push all these post-release, then I see no blocker in fetching all these good changes now - even if it is late. If it fails to complete/build/migrate it will still be pushed to all supported releases a bit later.

I hope you all can follow my argumentation ... syncing it now.

Christian Ehrhardt (paelzer) wrote :

Source clamav -> hirsute/Proposed: current version 0.103.0+dfsg-3.1, new version 0.103.2+dfsg-1
New changes:
clamav (0.103.2+dfsg-1) unstable; urgency=medium

  * Import 0.103.2
    - CVE-2021-1252 (Fix for Excel XLM parser infinite loop.)
    - CVE-2021-1404 (Fix for PDF parser buffer over-read; possible crash.)
    - CVE-2021-1405 (Fix for mail parser NULL-dereference crash.)
    - Update symbol file.
   (Closes: #986622).

 -- Sebastian Andrzej Siewior <email address hidden> Mon, 12 Apr 2021 21:31:08 +0200
Sync this package [y|N]? y

@utkarsh, could you watch and, if needed, help with the package build & migration please?

Changed in clamav (Ubuntu):
status: New → Fix Committed
Utkarsh Gupta (utkarsh) wrote :

Hi Christian,

Thanks for syncing.

> @utkarsh if you could watch and if needed help package
> build&migration please?

Absolutely; shall do.

Changed in clamav (Ubuntu):
assignee: nobody → Utkarsh Gupta (utkarsh)
Utkarsh Gupta (utkarsh) wrote :
Changed in clamav (Ubuntu):
status: Fix Committed → Fix Released