Your message dated Sun, 29 Jun 2025 12:20:09 +0000
with message-id <[email protected]>
and subject line Bug#1108046: fixed in clamav 1.4.3+dfsg-1
has caused the Debian Bug report #1108046,
regarding clamav: CVE-2025-20260
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1108046: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108046
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: clamav
Version: 1.4.2+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.0.7+dfsg-1~deb12u1

Hi,

The following vulnerability was published for clamav.

CVE-2025-20260[0]:
| A vulnerability in the PDF scanning processes of ClamAV could allow
| an unauthenticated, remote attacker to cause a buffer overflow
| condition, cause a denial of service (DoS) condition, or execute
| arbitrary code on an affected device. This vulnerability exists
| because memory buffers are allocated incorrectly when PDF files are
| processed. An attacker could exploit this vulnerability by
| submitting a crafted PDF file to be scanned by ClamAV on an affected
| device. A successful exploit could allow the attacker to trigger a
| buffer overflow, likely resulting in the termination of the ClamAV
| scanning process and a DoS condition on the affected software.
| Although unproven, there is also a possibility that an attacker
| could leverage the buffer overflow to execute arbitrary code with
| the privileges of the ClamAV process.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-20260
    https://www.cve.org/CVERecord?id=CVE-2025-20260
[1] https://blog.clamav.net/2025/06/clamav-143-and-109-security-patch.html

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 1.4.3+dfsg-1
Done: Sebastian Andrzej Siewior <[email protected]>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Jun 2025 12:01:31 +0200
Source: clamav
Architecture: source
Version: 1.4.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1108045 1108046
Changes:
 clamav (1.4.3+dfsg-1) unstable; urgency=medium
 .
   * Import 1.4.3
     - CVE-2025-20234 (Fixed a possible buffer overflow read bug in the UDF
       file parser that may write to a temp file and thus disclose information,
       or it may crash and cause a denial-of-service (DoS) condition.)
       Closes: #1108045
     - CVE-2025-20260 (Fixed a possible buffer overflow write bug in the PDF
       file parser that could cause a denial-of-service (DoS) condition or
       enable remote code execution.) Closes: #1108046
Checksums-Sha1:
 a6a8e904105a18f4bdf7712110bd861620bbec69 2906 clamav_1.4.3+dfsg-1.dsc
 9de4123ce7c983eb14b3b103f583628e279945a5 33173124 clamav_1.4.3+dfsg.orig.tar.xz
 71601f88972d5b6e2467db748143c963dd1c0b0c 504104 clamav_1.4.3+dfsg-1.debian.tar.xz
Checksums-Sha256:
 4023358e62af9cdceb3914fc8155f481150431e2b4235b2833db4c1c9d62caaa 2906 clamav_1.4.3+dfsg-1.dsc
 438640cfa0558745aac611c13245ebed64796b11bd1716bb9f485f3dc7478e75 33173124 clamav_1.4.3+dfsg.orig.tar.xz
 03ba75f8ec0abea73fce8b91b9a5e0a644c82d09167a5c18bc74d3b10b4d18ff 504104 clamav_1.4.3+dfsg-1.debian.tar.xz
Files:
 e581f832b45353626a075fcef7802b74 2906 utils optional clamav_1.4.3+dfsg-1.dsc
 588610c495c89d975cc4283f7125ec42 33173124 utils optional clamav_1.4.3+dfsg.orig.tar.xz
 f01b6caddea2fe3d2662532839ee52b3 504104 utils optional clamav_1.4.3+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpihDdF_ZYGR.pgp
Description: PGP signature


--- End Message ---
_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-clamav-devel
