[Pkg-clamav-devel] Bug#1031509: clamav: 2 RCE bugs in ClamAV 0.103 (+ 1.0.0), CVE-2023-20032/CVE-2023-20052

Robert Waldner waldner+bug at waldner.priv.at
Fri Feb 17 13:54:29 GMT 2023


Package: clamav
Version: 0.103.7+dfsg-0+deb11u1
Severity: important

Dear Maintainer,

ClamAV/Cisco have released a security advisory concerning 2 potential-RCE
bugs in ClamAV:
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

According to the security tracker, all versions currently in Debian
are vulnerable:
https://security-tracker.debian.org/tracker/CVE-2023-20032
https://security-tracker.debian.org/tracker/CVE-2023-20052

Please consider an update. Currently, ClamAV is not suitable for use in a
(quite common) email-scanning setup like with Amavis, but can still be
used (with appropriate care) directly. Thus I think Severity: important fits.

Kind regards,
Robert

-- Package-specific info:
--- configuration ---
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

--- data dir ---
total 226104
-rw-r--r-- 1 clamav clamav    293670 Feb 17 14:46 bytecode.cvd
-rw-r--r-- 1 clamav clamav  60744631 Feb 17 14:44 daily.cvd
-rw-r--r-- 1 clamav clamav        69 Feb 17 14:43 freshclam.dat
-rw-r--r-- 1 clamav clamav 170479789 Feb 17 14:46 main.cvd

-- System Information:
Debian Release: 11.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-0.deb11.4-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages clamav depends on:
ii  clamav-freshclam [clamav-data]  0.103.7+dfsg-0+deb11u1
ii  libc6                           2.31-13+deb11u5
ii  libclamav9                      0.103.7+dfsg-0+deb11u1
ii  libcurl4                        7.74.0-1.3+deb11u3
ii  libjson-c5                      0.15-2
ii  libssl1.1                       1.1.1n-0+deb11u3
ii  zlib1g                          1:1.2.11.dfsg-2+deb11u2

Versions of packages clamav recommends:
ii  clamav-base  0.103.7+dfsg-0+deb11u1

Versions of packages clamav suggests:
pn  clamav-docs   <none>
pn  libclamunrar  <none>

-- no debconf information
