[Pkg-clamav-devel] Bug#1063621: bookworm-pu: package clamav/clamav_1.0.5+dfsg-1~deb12u1
Sebastian Andrzej Siewior
sebastian at breakpoint.cc
Fri Feb 9 22:12:18 GMT 2024
Package: release.debian.org
Control: affects -1 + src:clamav
X-Debbugs-Cc: clamav at packages.debian.org
User: release.debian.org at packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal
This is an update to the latest clamav release in the 1.0.x series. This
update closes two CVEs:
- CVE-2024-20290: Fixed a possible heap overflow read bug in the OLE2 file
parser that could cause a denial-of-service (DoS) condition.
- CVE-2024-20328: Fixed a possible command injection vulnerability in the
"VirusEvent" feature of ClamAV's ClamD service.
To fix this issue, we disabled the '%f' format string parameter. ClamD
administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment
variable, instead of '%f'. But you should do so only from within an
executable, such as a Python script, and not directly in the clamd.conf
"VirusEvent" command.
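The recommended pattern above (take the filename from the environment inside a script, never from '%f' expanded into the clamd.conf command line) as an added example; this is not code from the post or from the ClamAV project. It assumes a hypothetical clamd.conf line `VirusEvent /usr/local/sbin/virus-event.py`, a scan root passed as the script's first argument, and that clamd also sets `CLAM_VIRUSEVENT_VIRUSNAME` beside `CLAM_VIRUSEVENT_FILENAME` (only the latter is named on this page).

```python
#!/usr/bin/env python3
"""VirusEvent handler that reads the detected file's path from the
CLAM_VIRUSEVENT_FILENAME environment variable instead of having clamd
substitute a '%f' placeholder into a shell command line.

Hypothetical clamd.conf line (example, not shipped with clamav):
    VirusEvent /usr/local/sbin/virus-event.py /srv/scan
"""
import os
import shlex
import subprocess
import sys

# Variable named in the clamav release notes: path of the detected file.
# CLAM_VIRUSEVENT_VIRUSNAME is assumed to be set alongside it.
FILENAME_VAR = "CLAM_VIRUSEVENT_FILENAME"
VIRUSNAME_VAR = "CLAM_VIRUSEVENT_VIRUSNAME"


def read_event(env):
    """Return (filename, virusname) from a clamd event environment.

    Raises KeyError when the filename is absent: a handler must not guess it.
    """
    filename = env[FILENAME_VAR]
    virusname = env.get(VIRUSNAME_VAR, "unknown")
    return filename, virusname


def is_under_root(filename, scan_root):
    """True if filename lies inside scan_root after path normalisation.

    Rejects names such as '/srv/scan/../etc/passwd' that only look like
    they belong to the scanned tree.
    """
    root = os.path.abspath(scan_root)
    path = os.path.abspath(filename)
    return os.path.commonpath([root, path]) == root


def notify_argv(filename, virusname):
    """Build the argv for an external notifier as a list.

    The filename travels as one argument and no shell is involved, so
    spaces, quotes, ';' or '$' in the name cannot alter which command runs.
    """
    return ["logger", "-t", "clamd-virusevent",
            "detected {} in {}".format(virusname, filename)]


def handle(env, scan_root, run=subprocess.run):
    """Process one event.

    Returns the argv that was executed, or None when the reported path is
    outside scan_root and the event is ignored.  'run' is injectable so the
    function can be exercised without spawning a process.
    """
    filename, virusname = read_event(env)
    if not is_under_root(filename, scan_root):
        return None
    argv = notify_argv(filename, virusname)
    run(argv, check=False)  # argv list: shell=False is the default
    return argv


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/"
    result = handle(os.environ, scan_root)
    if result is None:
        print("event ignored: path outside scan root")
    else:
        # shlex.join only renders the command for display; it is never
        # handed to a shell.
        print("ran: " + shlex.join(result))
```

The design point is that the script is the only thing clamd executes; the untrusted filename is read by the script as data and forwarded as a single argv element, so no quoting layer exists for it to escape. The scan-root check is an extra guard for handlers that go on to move or delete the reported file.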
Announcement by upstream:
https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
The previous 1.0.4 release had been in unstable since 2024-01-20 and migrated
to testing on 2024-01-22. The 1.0.5 release has been in unstable since
2024-02-08 and I have reports of issues so far.
The attached debdiff is against the current version in Bookworm and has
the libclamav_rust/.cargo/ folder omitted. Otherwise the diff grows to
over 100MiB.
Sebastian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: clamav_1.0.3_to_1.0.5.diff
Type: text/x-diff
Size: 121646 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-clamav-devel/attachments/20240209/8ed6ab2c/attachment-0001.diff>