Your message dated Thu, 06 Feb 2025 22:06:05 +0000
with message-id <[email protected]>
and subject line Bug#1093880: fixed in clamav 1.4.2+dfsg-1
has caused the Debian Bug report #1093880,
regarding clamav: CVE-2025-20128
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1093880: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093880
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: clamav
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security
Hi,
The following vulnerability was published for clamav.
CVE-2025-20128[0]:
| A vulnerability in the Object Linking and Embedding 2 (OLE2)
| decryption routine of ClamAV could allow an unauthenticated, remote
| attacker to cause a denial of service (DoS) condition on an affected
| device. This vulnerability is due to an integer underflow in a
| bounds check that allows for a heap buffer overflow read. An
| attacker could exploit this vulnerability by submitting a crafted
| file containing OLE2 content to be scanned by ClamAV on an affected
| device. A successful exploit could allow the attacker to terminate
| the ClamAV scanning process, resulting in a DoS condition on the
| affected software. For a description of this vulnerability, see the
| . Cisco has released software updates that address this
| vulnerability. There are no workarounds that address this
| vulnerability.
https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-20128
https://www.cve.org/CVERecord?id=CVE-2025-20128
Please adjust the affected versions in the BTS as needed.
--- End Message ---
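The CVE text above names the bug class (an integer underflow in a bounds check that lets the parser read past a heap buffer) without showing the code. The following is an added example written for this page; it is not ClamAV code and the record layout is constructed for the demonstration (it is NOT the real OLE2 layout, and the actual ClamAV check is not on this page). It shows the pattern: a length check rearranged as `off <= size - len` that wraps when `len > size`, beside a hardened version that proves the operands are ordered before subtracting. Reading 252 bytes past a 16-byte allocation is exactly the kind of over-read that, on a large enough length, runs into an unmapped page and kills the scanning process, which is the DoS the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not ClamAV code. Constructed record layout (NOT OLE2):
 *   bytes  0..3   magic
 *   bytes  4..7   payload offset, little-endian uint32 (attacker-controlled)
 *   bytes  8..11  payload length, little-endian uint32 (attacker-controlled)
 *   bytes 12..    payload
 */
#define HDR_LEN 12u

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Vulnerable bounds check. The intent is "off + len <= size". It was written
 * as "off <= size - len" to avoid an addition overflow, but size_t arithmetic
 * wraps: when len > size the subtraction underflows to a value near SIZE_MAX,
 * the comparison passes for any off, and the caller then reads len bytes from
 * buf + off, past the end of the heap allocation.
 */
int vuln_payload_fits(const uint8_t *buf, size_t size, uint32_t *off, uint32_t *len)
{
    if (size < HDR_LEN)
        return 0;
    *off = rd_le32(buf + 4);
    *len = rd_le32(buf + 8);
    return *off <= size - *len;          /* underflows when *len > size */
}

/*
 * Hardened check: establish off <= size first, so the subtraction below
 * cannot wrap, and keep the payload from overlapping the header.
 */
int safe_payload_fits(const uint8_t *buf, size_t size, uint32_t *off, uint32_t *len)
{
    if (size < HDR_LEN)
        return 0;
    *off = rd_le32(buf + 4);
    *len = rd_le32(buf + 8);
    if (*off < HDR_LEN || *off > size)
        return 0;
    return *len <= size - *off;          /* safe: *off <= size was just checked */
}

/* Constructed inputs (not real files). Both are 16-byte heap-sized buffers:
   a 12-byte header plus 4 payload bytes. GOOD declares a 4-byte payload at
   offset 12; EVIL declares a 256-byte payload at the same offset. */
static const uint8_t GOOD[16] = {
    'E','X','M','P', 0x0c,0x00,0x00,0x00, 0x04,0x00,0x00,0x00, 1,2,3,4 };
static const uint8_t EVIL[16] = {
    'E','X','M','P', 0x0c,0x00,0x00,0x00, 0x00,0x01,0x00,0x00, 1,2,3,4 };

int vuln_accepts_good(void) { uint32_t o, l; return vuln_payload_fits(GOOD, sizeof GOOD, &o, &l); }
int vuln_accepts_evil(void) { uint32_t o, l; return vuln_payload_fits(EVIL, sizeof EVIL, &o, &l); }
int safe_accepts_good(void) { uint32_t o, l; return safe_payload_fits(GOOD, sizeof GOOD, &o, &l); }
int safe_accepts_evil(void) { uint32_t o, l; return safe_payload_fits(EVIL, sizeof EVIL, &o, &l); }

/* Bytes the vulnerable parser would read past the 16-byte allocation for
   EVIL (off + len - size). Nothing is dereferenced here. */
size_t evil_overread_bytes(void)
{
    uint32_t o, l;
    if (!vuln_payload_fits(EVIL, sizeof EVIL, &o, &l))
        return 0;
    return (size_t)o + l - sizeof EVIL;  /* 12 + 256 - 16 = 252 */
}

int main(void)
{
    printf("vulnerable check accepts EVIL: %d (would read %zu bytes past the buffer)\n",
           vuln_accepts_evil(), evil_overread_bytes());
    printf("hardened check accepts EVIL:   %d\n", safe_accepts_evil());
    printf("hardened check accepts GOOD:   %d\n", safe_accepts_good());
    return 0;
}
```

The guard order is the whole fix: compare before you subtract, and subtract only the operand you have just shown to be the smaller one. When fuzzing a parser like this, build with `-fsanitize=address,undefined` so the over-read is reported at the first byte past the allocation instead of only when it happens to cross into an unmapped page.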
--- Begin Message ---
Source: clamav
Source-Version: 1.4.2+dfsg-1
Done: Sebastian Andrzej Siewior <[email protected]>
We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 06 Feb 2025 21:56:48 +0100
Source: clamav
Architecture: source
Version: 1.4.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1093880
Changes:
clamav (1.4.2+dfsg-1) unstable; urgency=medium
.
* Import 1.4.2 (Closes: #1093880)
- CVE-2025-20128 (buffer overflow read bug in the OLE2 file parser).
Checksums-Sha1:
8d6ebad6b06f40455e697f9115b0e33b42f3a926 3080 clamav_1.4.2+dfsg-1.dsc
d88c337d25bcde23d709ed5cd630da89b952ca8f 33155264 clamav_1.4.2+dfsg.orig.tar.xz
750218385a220b8cfbf9dd9ebf8cc034f46e0ac3 503880 clamav_1.4.2+dfsg-1.debian.tar.xz
Checksums-Sha256:
7b9a931f8a48d215a08b28ce6128cb62342e1864aaf4eae04e3be78dd63ea9b2 3080 clamav_1.4.2+dfsg-1.dsc
863d7b5a0c93949fba3ab760dec8b8af13d3a9e0193edc20baa76fb824c67d4f 33155264 clamav_1.4.2+dfsg.orig.tar.xz
5c6207ea9f62569cb406a4030f69712e21e8f4c4538a4afc29c9782a41346785 503880 clamav_1.4.2+dfsg-1.debian.tar.xz
Files:
60979fd35502dddcde85cfb1bde9c0cb 3080 utils optional clamav_1.4.2+dfsg-1.dsc
0ce5395c6a4bf6307390b536a076cc17 33155264 utils optional clamav_1.4.2+dfsg.orig.tar.xz
0ccfcd6c7964573a9acad7c837e5c465 503880 utils optional clamav_1.4.2+dfsg-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEZCVGlf/wqkRmzBnme5boFiqM9dEFAmelL00ACgkQe5boFiqM
9dFn1w//X3/T9ubuuUBkhCff1D4Ou1czy5sKwZL4OW3pNd+IEnT70fMCygRCfQ+P
CNbXw8HUO3YCLJaj2S4Yzw6RWGxUI+6vTEsFPNnkE0Cc7M/2zD9ddEXTgkSuYnHj
UfmPaYH8Q+US+6v0jTwyw9DSnQFTUHFN4o9DOB6BjOcvAgLHDBKPPpuGf7D/HYdf
87Lr9pW9DungXaY2HiU1Ku248pBnmZ8Xf1zVL0mN+FflbEtKgV1+ihHmWHZC9nD7
1Zsjtj2BYWeONsNUGJrLa+rpapHEwjOCxL7y3XjLP3jIp07DVZZrZrWu96+MvrIu
MN9r2BS4uY1BiyvD9kE2GaiQzHLz+9pgcOE/zG5kRjpPVnVXw5L229hkV2ySKs2C
lUsnsUdf6D1ezA6qb2NWl5p8GNVED+7ZaOCPe7TOCt7ObkAH/30o0LcNzN1XbkJQ
cdcw22LPYOtOnG5s8In9XjPwMaZFAGoYEYRpGkmqDpi9Tim1f3zQ4oC7onlRnDlr
bsEdeFb92FUjHyYyM01CU/N3iKeQCfDBs3+N8DLtGf7EYWgh8NmzNj1g09Bs7+TK
GlRZSU2cS/XWu9zCXifv1beW3ubCC4V65jbtMG/wHNBwYxy46Nh8IY9va3kmvpfL
dl3eM4ZqQk9OdYVTHazAF/QRadsFzDLMiKIAfNoCJ2/HRNBAqZs=
=tE6r
-----END PGP SIGNATURE-----
pgp2E7fZURWaG.pgp
Description: PGP signature
--- End Message ---
_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-clamav-devel