[Pkg-clamav-devel] Bug#1031513: clamav: new upstream security release, CVE-2023-20032

Joost van Baal-Ilić joostvb+debian-bugs at uvt.nl
Fri Feb 17 15:32:12 GMT 2023


Package: clamav
Severity: grave

Hi,

As you'll likely know there is
https://security-tracker.debian.org/tracker/CVE-2023-20032 and
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

"CVE-2023-20032: Fixed a possible remote code execution vulnerability in the
HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and
earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting
this issue."

Upstream released fixed tarballs for all their supported branches.  I've
managed to build 0.103.8+dfsg-0+deb10u1~uvt0 for Debian 10/buster from that,
it's available from https://non-gnu.uvt.nl/debian/buster/clamav/ (including
sources).

We are now running this build on the Tilburg University mail infrastructure,
it might work for others too.

Anybody working on a proper Debian supplied fix: feel free to contact me (via
IRC, e.g.)

HTH, Bye,

Joost

-- 
Joost van Baal-Ilić                       http://abramowitz.uvt.nl/
                                                 Tilburg University
mailto:joostvb.uvt.nl                               The Netherlands
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-clamav-devel/attachments/20230217/04b35af9/attachment.sig>


More information about the Pkg-clamav-devel mailing list