11891 – ClamAV 0.100.2 has been released

Bug 11891 - ClamAV 0.100.2 has been released

Summary: ClamAV 0.100.2 has been released

Status:	CLOSED FIXED

Alias:	None

Product:	IPFire
Classification:	Unclassified
Component:	--- (show other bugs)
Version:	2
Hardware:	unspecified Unspecified

Importance:	Will affect an average number of users Security
Assignee:	Matthias Fischer
QA Contact:

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-10-03 23:50 UTC by Michael Tremer
Modified:	2019-02-10 23:26 UTC (History)
CC List:	0 users

See Also:

Attachments
attachment-14645-0.txt (155 bytes, text/plain) 2018-10-03 23:50 UTC, Michael Tremer	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Tremer 2018-10-03 23:50:08 UTC

Created attachment 634 [details]
attachment-14645-0.txt

https://blog.clamav.net/2018/10/clamav-01002-has-been-released.html

ClamAV 0.100.2 has been released!

ClamAV 0.100.2 is a patch release to address a set of vulnerabilities.


Fixes for the following ClamAV vulnerabilities:
CVE-2018-15378:
Vulnerability in ClamAV's MEW unpacking feature that could allow an
unauthenticated, remote attacker to cause a denial of service (DoS) condition on
an affected device.
Reported by Secunia Research at Flexera.
Fix for a 2-byte buffer over-read bug in ClamAV's PDF parsing code.
Reported by Alex Gaynor.
Fixes for the following vulnerabilities in bundled third-party libraries:
CVE-2018-14680:
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does
not reject blank CHM filenames.
CVE-2018-14681:
An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack
before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte
overwrite.
CVE-2018-14682:
An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is
an off-by-one error in the TOLOWER() macro for CHM decompression. Additionally,
0.100.2 reverted 0.100.1's patch for CVE-2018-14679, and applied libmspack's
version of the fix in its place
Other changes:
Some users have reported freshclam signature update failures as a result of a
delay between the time the new signature database content is announced and the
time that the content-delivery-network has the content available for download.
To mitigate these errors, this patch release includes some modifications to
freshclam to make it more lenient, and to reduce the time that freshclam will
ignore a mirror when it detects an issue.
On-Access "Extra Scanning", an opt-in minor feature of OnAccess scanning on
Linux systems, has been disabled due to a known issue with resource cleanup
OnAccessExtraScanning will be re-enabled in a future release when the issue is
resolved. In the mean-time, users who enabled the feature in clamd.conf will see
a warning informing them that the feature is not active. For details, see: 
https://bugzilla.clamav.net/show_bug.cgi?id=12048


Thank you to the following ClamAV community members for your code submissions
and bug reports!

- Alex Gaynor
- Hiroya Ito
- Laurent Delosieres, Secunia Research at Flexera

Comment 1 Michael Tremer 2018-10-04 14:17:35 UTC

I tried to create this ticket yesterday, but mailing to Bugzilla was broken.

I already saw the patch being submitted here:

> https://patchwork.ipfire.org/patch/1948/

Comment 2 Matthias Fischer 2019-02-10 23:26:55 UTC

Hi,

=> As you wrote: https://patchwork.ipfire.org/patch/1948/ fixed this.

And in the meantime 'clamav 0.101.1' was shipped with Core 127.

=> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=lfs/clamav;h=a6e44ebf20b5ece0bf263d6960a63aef295d5d69;hb=refs/heads/core127

Best,
Matthias