Your message dated Fri, 11 Oct 2024 11:02:20 +0000
with message-id <[email protected]>
and subject line Bug#1080962: fixed in clamav 1.0.7+dfsg-1~deb12u1
has caused the Debian Bug report #1080962,
regarding clamav: CVE-2024-20505 CVE-2024-20506
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1080962: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080962
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: clamav
Version: 1.3.1+dfsg-5
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.0.5+dfsg-1~deb12u1
Control: found -1 0.103.10+dfsg-0+deb11u1
Hi,
The following vulnerabilities were published for clamav.
CVE-2024-20505[0]:
| A vulnerability in the PDF parsing module of Clam AntiVirus (ClamAV)
| versions 1.4.0, 1.3.2 and prior versions, all 1.2.x versions, 1.0.6
| and prior versions, all 0.105.x versions, all 0.104.x versions, and
| 0.103.11 and all prior versions could allow an unauthenticated,
| remote attacker to cause a denial of service (DoS) condition on an
| affected device. The vulnerability is due to an out of bounds
| read. An attacker could exploit this vulnerability by submitting a
| crafted PDF file to be scanned by ClamAV on an affected device. An
| exploit could allow the attacker to terminate the scanning process.
CVE-2024-20506[1]:
| A vulnerability in the ClamD service module of Clam AntiVirus
| (ClamAV) versions 1.4.0, 1.3.2 and prior versions, all 1.2.x
| versions, 1.0.6 and prior versions, all 0.105.x versions, all
| 0.104.x versions, and 0.103.11 and all prior versions could allow an
| authenticated, local attacker to corrupt critical system files.
| The vulnerability is due to allowing the ClamD process to write to
| its log file while privileged without checking if the logfile has
| been replaced with a symbolic link. An attacker could exploit this
| vulnerability if they replace the ClamD log file with a symlink to a
| critical system file and then find a way to restart the ClamD
| process. An exploit could allow the attacker to corrupt a critical
| system file by appending ClamD log messages after restart.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-20505
https://www.cve.org/CVERecord?id=CVE-2024-20505
[1] https://security-tracker.debian.org/tracker/CVE-2024-20506
https://www.cve.org/CVERecord?id=CVE-2024-20506
[2] https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html
Regards,
Salvatore
--- End Message ---
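The CVE-2024-20506 text above describes the defect: a privileged daemon appends to its log without checking whether the log path has been swapped for a symlink. The following is an added illustration of the mitigation pattern (it is not ClamAV's code and does not claim to match the upstream fix): open the log with O_NOFOLLOW and confirm via fstat that the opened object is a regular file. The demo helper builds a constructed layout under a mkdtemp directory in /tmp; all names in it are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for appending log lines without following a final-component
 * symlink. Returns an fd >= 0, or -1 if the path is a symlink (open fails
 * with ELOOP), is not a regular file, or cannot be opened at all. */
int open_log_nofollow(const char *path) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
    if (fd < 0)
        return -1;
    struct stat st;
    /* fstat on the descriptor we hold, not stat on the path: avoids a
     * check-then-use race where the path is replaced between the two calls. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario (assumed names): "clamd.log" is a symlink pointing at
 * "critical.conf"; "plain.log" is an ordinary file. Returns 1 when the symlink
 * is refused and the ordinary file is accepted, 0 otherwise. */
int demo_symlink_rejected(void) {
    char dir[] = "/tmp/logdemoXXXXXX";
    if (mkdtemp(dir) == NULL) return 0;
    char target[300], link[300], plain[300];
    snprintf(target, sizeof target, "%s/critical.conf", dir);
    snprintf(link, sizeof link, "%s/clamd.log", dir);
    snprintf(plain, sizeof plain, "%s/plain.log", dir);
    int t = open(target, O_WRONLY | O_CREAT, 0640);
    if (t < 0) return 0;
    close(t);
    if (symlink(target, link) != 0) return 0;
    int bad = open_log_nofollow(link);    /* must be refused (-1) */
    int good = open_log_nofollow(plain);  /* regular file, accepted */
    int ok = (bad < 0 && good >= 0);
    if (good >= 0) close(good);
    unlink(link); unlink(target); unlink(plain); rmdir(dir);
    return ok;
}
```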
--- Begin Message ---
Source: clamav
Source-Version: 1.0.7+dfsg-1~deb12u1
Done: Sebastian Andrzej Siewior <[email protected]>
We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 03 Oct 2024 11:57:45 +0200
Source: clamav
Architecture: source
Version: 1.0.7+dfsg-1~deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1080962
Changes:
clamav (1.0.7+dfsg-1~deb12u1) bookworm; urgency=medium
.
* Import 1.0.7 (Closes: #1080962)
- CVE-2024-20506 (Changed the logging module to disable following symlinks
on Linux)
- CVE-2024-20505 (Fixed a possible out-of-bounds read bug in the PDF file
parser).
--- End Message ---
_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-clamav-devel