[Pkg-clamav-devel] Bug#1093880: clamav: CVE-2025-20128
Moritz Mühlenhoff
jmm at inutil.org
Thu Jan 23 19:00:35 GMT 2025
Source: clamav
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for clamav.
CVE-2025-20128[0]:
| A vulnerability in the Object Linking and Embedding 2 (OLE2)
| decryption routine of ClamAV could allow an unauthenticated, remote
| attacker to cause a denial of service (DoS) condition on an affected
| device. This vulnerability is due to an integer underflow in a
| bounds check that allows for a heap buffer overflow read. An
| attacker could exploit this vulnerability by submitting a crafted
| file containing OLE2 content to be scanned by ClamAV on an affected
| device. A successful exploit could allow the attacker to terminate
| the ClamAV scanning process, resulting in a DoS condition on the
| affected software. For a description of this vulnerability, see the
| . Cisco has released software updates that address this
| vulnerability. There are no workarounds that address this
| vulnerability.
https://blog.clamav.net/2025/01/clamav-142-and-108-security-patch.html
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-20128
https://www.cve.org/CVERecord?id=CVE-2025-20128
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-clamav-devel
mailing list