[Pkg-clamav-devel] Bug#961440: stretch-pu: package clamav/0.102.3+dfsg-0~deb9u1

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sun May 24 16:47:31 BST 2020


Package: release.debian.org
User: release.debian.org at packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

ClamAV upstream released 0.102.3 fixing two CVEs. From their news:

|ClamAV 0.102.3 is a bug patch release to address the following issues.
|
|- [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
|  Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that
|  could cause a Denial-of-Service (DoS) condition. Improper bounds checking of
|  an unsigned variable results in an out-of-bounds read which causes a crash.
|
|  Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ
|  parsing vulnerability.
|
|- [CVE-2020-3341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3341):
|  Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that
|  could cause a Denial-of-Service (DoS) condition. Improper size checking of
|  a buffer used to initialize AES decryption routines results in an out-of-
|  bounds read which may cause a crash. Bug found by OSS-Fuzz.
|
|- Fix "Attempt to allocate 0 bytes" error when parsing some PDF documents.
|
|- Fix a couple of minor memory leaks.

The 0.102.3 version is in unstable since 16th and migrated to testing.

Sebastian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clammav_deb9.diff
Type: text/x-diff
Size: 55448 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-clamav-devel/attachments/20200524/90e4872e/attachment-0001.diff>


More information about the Pkg-clamav-devel mailing list