Your message dated Sat, 05 Jul 2025 16:17:08 +0000
with message-id <[email protected]>
and subject line Bug#1093880: fixed in clamav 1.0.9+dfsg-1~deb12u1
has caused the Debian Bug report #1093880,
regarding clamav: CVE-2025-20128
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1093880: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093880
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: clamav
X-Debbugs-CC: [email protected]
Severity: grave
Tags: security

Hi,

The following vulnerability was published for clamav.

CVE-2025-20128[0]:
| A vulnerability in the Object Linking and Embedding 2 (OLE2)
| decryption routine of ClamAV could allow an unauthenticated, remote
| attacker to cause a denial of service (DoS) condition on an affected
| device. This vulnerability is due to an integer underflow in a
| bounds check that allows for a heap buffer overflow read. An
| attacker could exploit this vulnerability by submitting a crafted
| file containing OLE2 content to be scanned by ClamAV on an affected
| device. A successful exploit could allow the attacker to terminate
| the ClamAV scanning process, resulting in a DoS condition on the
| affected software.  For a description of this vulnerability, see the
| .  Cisco has released software updates that address this
| vulnerability. There are no workarounds that address this
| vulnerability.

https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-20128
    https://www.cve.org/CVERecord?id=CVE-2025-20128

Please adjust the affected versions in the BTS as needed.

--- End Message ---
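An added illustration of the bug class named in the CVE text above (an unsigned subtraction inside a bounds check that wraps, so the check passes and a later read runs past the heap buffer), placed beside a check that validates the length field first. This is not ClamAV's code: the record layout, `HDR_LEN`, the function names and the sample sizes are all made up for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record: a 4-byte header followed by a payload. The layout and
 * constant are constructed for this example and are not ClamAV's. */
#define HDR_LEN 4u

/* Vulnerable check. rec_len comes from the file. If rec_len < HDR_LEN the
 * unsigned subtraction wraps to a value near SIZE_MAX; adding it back to
 * off + HDR_LEN wraps again to a small number, the comparison passes, and a
 * caller that trusts the returned length reads far past the buffer.
 * Returns the payload length the caller would read, 0 when rejected. */
size_t vulnerable_payload_len(size_t buf_len, size_t off, uint32_t rec_len)
{
    size_t payload = (size_t)rec_len - HDR_LEN;   /* wraps when rec_len < 4 */
    if (off + HDR_LEN + payload > buf_len)        /* wraps back, passes */
        return 0;
    return payload;
}

/* Hardened check: reject the header before deriving anything from it and
 * compare against the remaining space with arithmetic that cannot wrap. */
size_t hardened_payload_len(size_t buf_len, size_t off, uint32_t rec_len)
{
    if (off > buf_len || rec_len < HDR_LEN)
        return 0;                                 /* malformed header */
    if ((size_t)rec_len > buf_len - off)
        return 0;                                 /* record exceeds buffer */
    return (size_t)rec_len - HDR_LEN;
}

int main(void)
{
    /* Constructed inputs: a 16-byte buffer, record starting at offset 0. */
    uint32_t lens[] = { 12, 2, 20 };              /* valid, underflow, oversize */
    for (size_t i = 0; i < 3; i++)
        printf("rec_len=%2u vulnerable=%zu hardened=%zu\n", lens[i],
               vulnerable_payload_len(16, 0, lens[i]),
               hardened_payload_len(16, 0, lens[i]));
    return 0;
}
```

For `rec_len = 2` the vulnerable variant reports a payload of `SIZE_MAX - 1` bytes while the hardened one rejects the record; the other two inputs behave identically in both.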
--- Begin Message ---
Source: clamav
Source-Version: 1.0.9+dfsg-1~deb12u1
Done: Sebastian Andrzej Siewior <[email protected]>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Jun 2025 21:57:41 +0200
Source: clamav
Architecture: source
Version: 1.0.9+dfsg-1~deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1093880 1108046
Changes:
 clamav (1.0.9+dfsg-1~deb12u1) bookworm; urgency=medium
 .
   * Import 1.0.9
     - CVE-2025-20128 (Fixed a possible buffer overflow read bug in the OLE2
       file parser that could cause a denial-of-service (DoS) condition)
       Closes: #1093880
     - CVE-2025-20260 (Fixed a possible buffer overflow write bug in the PDF
       file parser that could cause a denial-of-service (DoS) condition or
       enable remote code execution.) Closes: #1108046
Checksums-Sha1:
 bc1e65131277d4e77f48fbb10140c77f10542ba6 2849 clamav_1.0.9+dfsg-1~deb12u1.dsc
 044b5d62c82594650e9a6951cc2e96dbfa8d68d8 27490160 clamav_1.0.9+dfsg.orig.tar.xz
 f82085c1a6ab7ba56313e9237293b9f9f3f38ed3 218980 clamav_1.0.9+dfsg-1~deb12u1.debian.tar.xz
Checksums-Sha256:
 06b89a8131c79a796c7447e26597cb9276ba0f40a12a261f15f474d985e6b1a3 2849 clamav_1.0.9+dfsg-1~deb12u1.dsc
 125bbfb3ccc7032f0c903de9143b262288f49281ae56a71ebdff834b1c72982a 27490160 clamav_1.0.9+dfsg.orig.tar.xz
 01e7ee1eccfecdb471ea9c31ced0d030fdeb6f5f9542b44c55474be3f229cd03 218980 clamav_1.0.9+dfsg-1~deb12u1.debian.tar.xz
Files:
 51ddd6e8886c797eeff8f6b33e333a37 2849 utils optional clamav_1.0.9+dfsg-1~deb12u1.dsc
 da36f12802547799f2fee66ea9e74380 27490160 utils optional clamav_1.0.9+dfsg.orig.tar.xz
 26a4a92868f51c68d1828990cdb0dc79 218980 utils optional clamav_1.0.9+dfsg-1~deb12u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpzxG7kV_xKO.pgp
Description: PGP signature


--- End Message ---
_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-clamav-devel
