<div dir="auto">Please unsubscribe me from your mailing list<div dir="auto"><a href="mailto:nick.mortel@gmail.com">nick.mortel@gmail.com</a> </div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 3 Oct 2024, 13:10 Debian Bug Tracking System, <<a href="mailto:owner@bugs.debian.org">owner@bugs.debian.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Your message dated Thu, 03 Oct 2024 12:05:39 +0000<br>
with message-id <<a href="mailto:E1swKaR-00Awch-P5@fasolo.debian.org" target="_blank" rel="noreferrer">E1swKaR-00Awch-P5@fasolo.debian.org</a>><br>
and subject line Bug#1080962: fixed in clamav 1.4.1+dfsg-1<br>
has caused the Debian Bug report #1080962,<br>
regarding clamav: CVE-2024-20505 CVE-2024-20506<br>
to be marked as done.<br>
<br>
This means that you claim that the problem has been dealt with.<br>
If this is not the case it is now your responsibility to reopen the<br>
Bug report if necessary, and/or fix the problem forthwith.<br>
<br>
(NB: If you are a system administrator and have no idea what this<br>
message is talking about, this may indicate a serious mail system<br>
misconfiguration somewhere. Please contact <a href="mailto:owner@bugs.debian.org" target="_blank" rel="noreferrer">owner@bugs.debian.org</a><br>
immediately.)<br>
<br>
<br>
-- <br>
1080962: <a href="https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080962" rel="noreferrer noreferrer" target="_blank">https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080962</a><br>
Debian Bug Tracking System<br>
Contact <a href="mailto:owner@bugs.debian.org" target="_blank" rel="noreferrer">owner@bugs.debian.org</a> with problems<br>
<br><br><br>---------- Forwarded message ----------<br>From: Salvatore Bonaccorso <<a href="mailto:carnil@debian.org" target="_blank" rel="noreferrer">carnil@debian.org</a>><br>To: Debian Bug Tracking System <<a href="mailto:submit@bugs.debian.org" target="_blank" rel="noreferrer">submit@bugs.debian.org</a>><br>Cc: <br>Bcc: <br>Date: Fri, 06 Sep 2024 00:05:05 +0200<br>Subject: clamav: CVE-2024-20505 CVE-2024-20506<br>Source: clamav<br>
Version: 1.3.1+dfsg-5<br>
Severity: grave<br>
Tags: security upstream<br>
X-Debbugs-Cc: <a href="mailto:carnil@debian.org" target="_blank" rel="noreferrer">carnil@debian.org</a>, Debian Security Team <<a href="mailto:team@security.debian.org" target="_blank" rel="noreferrer">team@security.debian.org</a>><br>
Control: found -1 1.0.5+dfsg-1~deb12u1<br>
Control: found -1 0.103.10+dfsg-0+deb11u1<br>
<br>
Hi,<br>
<br>
The following vulnerabilities were published for clamav.<br>
<br>
CVE-2024-20505[0]:<br>
| A vulnerability in the PDF parsing module of Clam AntiVirus (ClamAV)<br>
| versions 1.4.0, 1.3.2 and prior versions, all 1.2.x versions, 1.0.6<br>
| and prior versions, all 0.105.x versions, all 0.104.x versions, and<br>
| 0.103.11 and all prior versions could allow an unauthenticated,<br>
| remote attacker to cause a denial of service (DoS) condition on an<br>
| affected device. The vulnerability is due to an out of bounds<br>
| read. An attacker could exploit this vulnerability by submitting a<br>
| crafted PDF file to be scanned by ClamAV on an affected device. An<br>
| exploit could allow the attacker to terminate the scanning process.<br>
<br>
<br>
CVE-2024-20506[1]:<br>
| A vulnerability in the ClamD service module of Clam AntiVirus<br>
| (ClamAV) versions 1.4.0, 1.3.2 and prior versions, all 1.2.x<br>
| versions, 1.0.6 and prior versions, all 0.105.x versions, all<br>
| 0.104.x versions, and 0.103.11 and all prior versions could allow an<br>
| authenticated, local attacker to corrupt critical system files.<br>
| The vulnerability is due to allowing the ClamD process to write to<br>
| its log file while privileged without checking if the logfile has<br>
| been replaced with a symbolic link. An attacker could exploit this<br>
| vulnerability if they replace the ClamD log file with a symlink to a<br>
| critical system file and then find a way to restart the ClamD<br>
| process. An exploit could allow the attacker to corrupt a critical<br>
| system file by appending ClamD log messages after restart.<br>
<br>
<br>
If you fix the vulnerabilities please also make sure to include the<br>
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.<br>
<br>
For further information see:<br>
<br>
[0] <a href="https://security-tracker.debian.org/tracker/CVE-2024-20505" rel="noreferrer noreferrer" target="_blank">https://security-tracker.debian.org/tracker/CVE-2024-20505</a><br>
<a href="https://www.cve.org/CVERecord?id=CVE-2024-20505" rel="noreferrer noreferrer" target="_blank">https://www.cve.org/CVERecord?id=CVE-2024-20505</a><br>
[1] <a href="https://security-tracker.debian.org/tracker/CVE-2024-20506" rel="noreferrer noreferrer" target="_blank">https://security-tracker.debian.org/tracker/CVE-2024-20506</a><br>
<a href="https://www.cve.org/CVERecord?id=CVE-2024-20506" rel="noreferrer noreferrer" target="_blank">https://www.cve.org/CVERecord?id=CVE-2024-20506</a><br>
[2] <a href="https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html" rel="noreferrer noreferrer" target="_blank">https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html</a><br>
<br>
Regards,<br>
Salvatore<br>
<br><br><br>---------- Forwarded message ----------<br>From: Debian FTP Masters <<a href="mailto:ftpmaster@ftp-master.debian.org" target="_blank" rel="noreferrer">ftpmaster@ftp-master.debian.org</a>><br>To: <a href="mailto:1080962-close@bugs.debian.org" target="_blank" rel="noreferrer">1080962-close@bugs.debian.org</a><br>Cc: <br>Bcc: <br>Date: Thu, 03 Oct 2024 12:05:39 +0000<br>Subject: Bug#1080962: fixed in clamav 1.4.1+dfsg-1<br>Source: clamav<br>
Source-Version: 1.4.1+dfsg-1<br>
Done: Sebastian Andrzej Siewior <<a href="mailto:sebastian@breakpoint.cc" target="_blank" rel="noreferrer">sebastian@breakpoint.cc</a>><br>
<br>
We believe that the bug you reported is fixed in the latest version of<br>
clamav, which is due to be installed in the Debian FTP archive.<br>
<br>
A summary of the changes between this version and the previous one is<br>
attached.<br>
<br>
Thank you for reporting the bug, which will now be closed. If you<br>
have further comments please address them to <a href="mailto:1080962@bugs.debian.org" target="_blank" rel="noreferrer">1080962@bugs.debian.org</a>,<br>
and the maintainer will reopen the bug report if appropriate.<br>
<br>
Debian distribution maintenance software<br>
pp.<br>
Sebastian Andrzej Siewior <<a href="mailto:sebastian@breakpoint.cc" target="_blank" rel="noreferrer">sebastian@breakpoint.cc</a>> (supplier of updated clamav package)<br>
<br>
(This message was generated automatically at their request; if you<br>
believe that there is a problem with it please contact the archive<br>
administrators by mailing <a href="mailto:ftpmaster@ftp-master.debian.org" target="_blank" rel="noreferrer">ftpmaster@ftp-master.debian.org</a>)<br>
<br>
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA512<br>
<br>
Format: 1.8<br>
Date: Thu, 03 Oct 2024 10:51:50 +0200<br>
Source: clamav<br>
Architecture: source<br>
Version: 1.4.1+dfsg-1<br>
Distribution: unstable<br>
Urgency: medium<br>
Maintainer: ClamAV Team <<a href="mailto:pkg-clamav-devel@lists.alioth.debian.org" target="_blank" rel="noreferrer">pkg-clamav-devel@lists.alioth.debian.org</a>><br>
Changed-By: Sebastian Andrzej Siewior <<a href="mailto:sebastian@breakpoint.cc" target="_blank" rel="noreferrer">sebastian@breakpoint.cc</a>><br>
Closes: 1080962<br>
Changes:<br>
clamav (1.4.1+dfsg-1) unstable; urgency=medium<br>
.<br>
* Import 1.4.1 (Closes: #1080962)<br>
- CVE-2024-20506 (Changed the logging module to disable following symlinks<br>
on Linux)<br>
- CVE-2024-20505 (Fixed a possible out-of-bounds read bug in the PDF file<br>
parser).<br>
<br>
<br>
</blockquote></div>
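The changelog entry quoted above fixes CVE-2024-20506 by making the logging module stop following symlinks. As an added example that is not ClamAV's own code, the C below shows the defensive pattern behind such a fix: open the log with O_NOFOLLOW and confirm with fstat that a regular file was opened, so a log path swapped for a symlink is refused rather than written through. The names open_log_nofollow and run_demo, and the temp-directory scenario, are assumptions constructed for this example.

```c
#define _GNU_SOURCE          /* O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a log for appending without following a symlink at the final path
 * component (O_NOFOLLOW makes open() fail with ELOOP), then confirm via
 * fstat that the opened object is a regular file. Caveat: O_NOFOLLOW covers
 * only the last component, so the parent directory must not be writable by
 * unprivileged users. Returns a descriptor, or -1 with errno set. */
int open_log_nofollow(const char *path) {
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;  /* FIFO, device, etc. are not acceptable logs */
        return -1;
    }
    return fd;
}

/* Constructed scenario (assumption) in a private temp directory: a genuine
 * log plus a log-named symlink pointing at a stand-in "critical" file.
 * Returns 0 when the genuine log opens and the symlink is refused with
 * ELOOP; other codes say which step failed. */
int run_demo(void) {
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    if (!mkdtemp(dir)) return 1;
    char real[300], target[300], lnk[300];
    snprintf(real, sizeof real, "%s/clamd.log", dir);
    snprintf(target, sizeof target, "%s/critical.conf", dir);
    snprintf(lnk, sizeof lnk, "%s/evil.log", dir);
    int rc = 2, t = -1, fd = open_log_nofollow(real);
    if (fd >= 0) {
        close(fd);
        t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (t >= 0 && symlink(target, lnk) == 0) {
            int bad = open_log_nofollow(lnk);   /* must be rejected */
            rc = (bad < 0 && errno == ELOOP) ? 0 : 3;
            if (bad >= 0) close(bad);
        }
    }
    if (t >= 0) close(t);
    unlink(lnk); unlink(target); unlink(real); rmdir(dir);
    return rc;
}
```

The same check is what a privileged daemon should apply every time it reopens its log (for example on restart or log rotation), since that is the moment the quoted advisory describes the symlink being planted.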