[Git][security-tracker-team/security-tracker][master] Track clamav as well under CVE-2019-12900

Salvatore Bonaccorso carnil at debian.org
Tue Aug 27 16:01:13 BST 2019



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2e9de154 by Salvatore Bonaccorso at 2019-08-27T15:00:55Z
Track clamav as well under CVE-2019-12900

	< bigeasy> clamav uses libbz2 but for some reasons the "nsis" scanner/decompressor has a decompress.c from bzip2
	< bigeasy> I just learnt about that while reading the release notes
	< bigeasy> well, and looking at the diff of course

Thanks: Sebastian A. Siewior

- - - - -


3 changed files:

- data/CVE/list
- data/next-oldstable-point-update.txt
- data/next-point-update.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -8910,6 +8910,9 @@ CVE-2019-12900 (BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out
 	{DLA-1833-1}
 	- bzip2 1.0.6-9.1 (bug #930886)
 	[stretch] - bzip2 <no-dsa> (Not exploitable; potential dangerous parts already guarded)
+	- clamav 0.101.4+dfsg-1 (bug #934359)
+	[buster] - clamav <no-dsa> (ClamAV is updated via -updates)
+	[stretch] - clamav <no-dsa> (ClamAV is updated via -updates)
 	NOTE: https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc
 	NOTE: The original fix introduces regressions when extracting certain lbzip2 files
 	NOTE: which were created with a buggy libzip2: https://bugs.debian.org/931278
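Review bot: the two `<no-dsa>` markers added for buster and stretch justify the no-DSA decision only with "ClamAV is updated via -updates", while the NOTE lines of this same entry record that the original upstream bzip2 fix regressed on certain lbzip2 files and needed a follow-up regression fix; it would help a later reader to state on the `- clamav 0.101.4+dfsg-1 (bug #934359)` line, or in a NOTE, whether the decompress.c copy shipped in clamav 0.101.4 includes that regression fix or only the original patch.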
@@ -8917,6 +8920,8 @@ CVE-2019-12900 (BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out
 	NOTE: explaining as well why, whilst the issue described by CVE-2019-12900 is definitvely
 	NOTE: an issue, it was not exploitable in the first place.
 	NOTE: Regression fix: https://sourceware.org/git/?p=bzip2.git;a=commit;h=b07b105d1b66e32760095e3602261738443b9e13
+	NOTE: Clamav: https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
+	NOTE: clamav uses libbz2 but the "nsis" scanner/decompressor has a decompress.c from bzip2
 CVE-2019-12899 (Delta Electronics DeviceNet Builder 2.04 has a User Mode Write AV star ...)
 	NOT-FOR-US: Delta Electronics DeviceNet Builder
 CVE-2019-12898 (Delta Electronics DeviceNet Builder 2.04 has a User Mode Write AV star ...)
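Review bot: the two added NOTE lines spell the package name inconsistently ("Clamav:" on the first, "clamav" on the second) while the tracker lines above use lowercase `clamav`; `NOTE: clamav: https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html` keeps the entry uniform. The second NOTE repeats the IRC quote from the commit message almost verbatim; rephrasing it as a statement (for example that the "nsis" decompressor bundles its own copy of bzip2's decompress.c rather than linking libbz2) reads better in the tracker than quoted chat wording.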


=====================================
data/next-oldstable-point-update.txt
=====================================
@@ -226,3 +226,5 @@ CVE-2019-13118
 	[stretch] - libxslt 1.1.29-2.1+deb9u1
 CVE-2019-12625
 	[stretch] - clamav 0.101.4+dfsg-0+deb9u1
+CVE-2019-12900
+	[stretch] - clamav 0.101.4+dfsg-0+deb9u1


=====================================
data/next-point-update.txt
=====================================
@@ -40,6 +40,8 @@ CVE-2019-14267
 	[buster] - pdfresurrect 0.15-2+deb10u1
 CVE-2019-12625
 	[buster] - clamav 0.101.4+dfsg-0+deb10u1
+CVE-2019-12900
+	[buster] - clamav 0.101.4+dfsg-0+deb10u1
 CVE-2019-1020014
 	[buster] - golang-github-docker-docker-credential-helpers 0.6.1-2+deb10u1
 CVE-2019-2737



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/2e9de1548fe41ff63391069641ab732d84f93f79




