[Pkg-clamav-devel] Bug#961439: buster-pu: package clamav/0.102.3+dfsg-0+deb10u1
Sebastian Andrzej Siewior
sebastian at breakpoint.cc
Sun May 24 16:47:15 BST 2020
Package: release.debian.org
User: release.debian.org at packages.debian.org
Usertags: pu
Tags: buster
Severity: normal
ClamAV upstream released 0.102.3 fixing two CVEs. From their news:
|ClamAV 0.102.3 is a bug patch release to address the following issues.
|
|- [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
| Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that
| could cause a Denial-of-Service (DoS) condition. Improper bounds checking of
| an unsigned variable results in an out-of-bounds read which causes a crash.
|
| Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ
| parsing vulnerability.
|
|- [CVE-2020-3341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3341):
| Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that
| could cause a Denial-of-Service (DoS) condition. Improper size checking of
| a buffer used to initialize AES decryption routines results in an out-of-
| bounds read which may cause a crash. Bug found by OSS-Fuzz.
|
|- Fix "Attempt to allocate 0 bytes" error when parsing some PDF documents.
|
|- Fix a couple of minor memory leaks.
The 0.102.3 version has been in unstable since the 16th and has migrated to testing. I
have the Buster version deployed on a machine.
Sebastian
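The ARJ entry in the quoted news describes the bug class in one sentence ("improper bounds checking of an unsigned variable results in an out-of-bounds read"). The following is an added illustration of that class, written here as hypothetical code; it is not ClamAV's ARJ parser or the diff attached to this report. The functions `bounds_ok_unsafe`, `bounds_ok_safe` and `read_len_prefixed`, and the `SAMPLE` buffer, are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounds checks, not ClamAV's code. They show how a check on
 * unsigned values can wrap and accept an offset that lies past the buffer. */

/* Vulnerable form: the subtraction is done in size_t, so when offset > buf_len
 * it wraps to a huge value, the comparison passes, and a caller that trusts
 * the result reads out of bounds. */
int bounds_ok_unsafe(size_t buf_len, size_t offset, size_t want)
{
    return (buf_len - offset) >= want;   /* wraps when offset > buf_len */
}

/* Hardened form: reject an offset beyond the buffer before subtracting, so
 * the remaining-space test never involves an expression that can wrap. */
int bounds_ok_safe(size_t buf_len, size_t offset, size_t want)
{
    if (offset > buf_len)
        return 0;
    return want <= buf_len - offset;
}

/* Constructed sample input: a length-prefixed field "abc" followed by a
 * second field whose length byte (9) claims more payload than remains. */
const uint8_t SAMPLE[] = { 0x03, 'a', 'b', 'c', 0x09, 'x' };
const size_t SAMPLE_LEN = sizeof SAMPLE;

/* Reads a field made of a 1-byte length at `offset` followed by that many
 * payload bytes, using the hardened check at each step. Returns the payload
 * length copied into `out`, or -1 if the field does not fit in the buffer
 * (or in `out`). */
int read_len_prefixed(const uint8_t *buf, size_t buf_len, size_t offset,
                      uint8_t *out, size_t out_cap)
{
    if (!bounds_ok_safe(buf_len, offset, 1))
        return -1;                        /* no room for the length byte */
    size_t n = buf[offset];
    if (!bounds_ok_safe(buf_len, offset + 1, n) || n > out_cap)
        return -1;                        /* declared payload overruns buffer */
    memcpy(out, buf + offset + 1, n);
    return (int)n;
}

int main(void)
{
    uint8_t out[16];
    /* The unsafe check wrongly accepts an offset past the 6-byte buffer. */
    printf("unsafe check, offset 20: %d\n", bounds_ok_unsafe(SAMPLE_LEN, 20, 4));
    printf("safe check,   offset 20: %d\n", bounds_ok_safe(SAMPLE_LEN, 20, 4));
    printf("field at 0: %d\n", read_len_prefixed(SAMPLE, SAMPLE_LEN, 0, out, sizeof out));
    printf("field at 4: %d\n", read_len_prefixed(SAMPLE, SAMPLE_LEN, 4, out, sizeof out));
    return 0;
}
```

The point for review is the order of operations: compare the offset against the buffer length first, then compare the remaining space against the wanted size; a single subtraction-based test on unsigned operands silently passes once the offset exceeds the buffer.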
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clammav_deb10.diff
Type: text/x-diff
Size: 54729 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-clamav-devel/attachments/20200524/7c045149/attachment-0001.diff>