Bug #360502 “Fix relevant security bugs from 0.95.1 in earlier r...” : Bugs : clamav package : Ubuntu

Revision history for this message

Scott Kitterman (kitterman) wrote on 2009-04-13:

#1

Fixed in Jaunty

visibility:	private → public
Changed in clamav (Ubuntu):
importance:	Undecided → High
status:	New → Fix Released
Changed in clamav (Ubuntu Intrepid):
assignee:	nobody → kitterman
importance:	Undecided → High
status:	New → In Progress

Revision history for this message

Scott Kitterman (kitterman) wrote on 2009-04-13:

#2

Intrepid Edit (3.7 KiB, text/plain)

Fix for Intrepid.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2009-04-13:

#3

Thanks Scott. I uploaded this and it is building now.

Changed in clamav (Ubuntu Intrepid):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-04-13:

#4

This bug was fixed in the package clamav - 0.94.dfsg.2-1ubuntu0.3

---------------
clamav (0.94.dfsg.2-1ubuntu0.3) intrepid-security; urgency=high

  * SECURITY UPDATE: (LP: #360502)
  * References
  * libclamav/others.h: harden CLI_ISCONTAINED macro (bb#1552) (Denial of
    service)
  * Note: clamav-milter bugs such as 1499, 1522, 1524, and 1531 are not
    relevant to clamav 0.94.2 and earlier versions
  * Note: The code related to clamav bug 1553 was substantially rewritten in
    0.95, so it is also not relevant to clamav 0.94.2 and earlier versions
  * Bump CL_FLEVEL_DCONF to 0.95.1 level since relevant security patches are
    applied
  * Added CVE references for 0.94.dfsg.2-1ubuntu0.2 now that they've been
    assigned

-- Scott Kitterman <email address hidden> Mon, 13 Apr 2009 09:34:33 -0400

Changed in clamav (Ubuntu Intrepid):
status:	Fix Committed → Fix Released

Scott Kitterman (kitterman) on 2009-04-13

Changed in hardy-backports:
status:	New → Fix Released

Revision history for this message

Scott Kitterman (kitterman) wrote on 2009-04-13:

#5

Gutsy wontfix due to near EOL.

Changed in dapper-backports:
status:	New → Fix Released
Changed in clamav (Ubuntu Gutsy):
status:	New → Won't Fix

Scott Kitterman (kitterman) on 2009-04-28

Changed in clamav (Ubuntu Hardy):
status:	New → In Progress
Changed in clamav (Ubuntu Dapper):
status:	New → In Progress

Jamie Strandboge (jdstrand) on 2009-05-01

Changed in clamav (Ubuntu Dapper):
status:	In Progress → Fix Committed
Changed in clamav (Ubuntu Hardy):
status:	In Progress → Fix Committed

Revision history for this message

Launchpad Janitor (janitor) wrote on 2009-05-04:

#6

Download full text (9.8 KiB)

This bug was fixed in the package clamav - 0.94.dfsg.2-1ubuntu0.3~hardy4

---------------
clamav (0.94.dfsg.2-1ubuntu0.3~hardy4) hardy-security; urgency=low

* No change rebuild from backports for use with ClamAV 0.94

clamav (0.94.dfsg.2-1ubuntu0.3~hardy3) hardy-backports; urgency=low

* Update Hardy backport to include the latest apparmor profile fixes from
Jaunty development

clamav (0.94.dfsg.2-1ubuntu0.3~hardy2) hardy-backports; urgency=low

* Drop deny rule in freshclam apparmor profile since deny is not supported
in Hardy's apparmor (LP: #360919)

clamav (0.94.dfsg.2-1ubuntu0.3~hardy1) hardy-backports; urgency=low

  * Source backport for Hardy (lsb-base not present in sufficient version)
    (LP: #354190, #360502)
    - Drop versioning of lsb-base depends
    - Revert lsb status changes from maintainer scripts
  * Update existing backport with security fixes from 0.95 and 0.95.1
  * Update apparmor profile with fixes from Jaunty

clamav (0.94.dfsg.2-1ubuntu0.3) intrepid-security; urgency=high

  * SECURITY UPDATE: (LP: #360502)
  * References
  * libclamav/others.h: harden CLI_ISCONTAINED macro (bb#1552) (Denial of
    service)
  * Note: clamav-milter bugs such as 1499, 1522, 1524, and 1531 are not
    relevant to clamav 0.94.2 and earlier versions
  * Note: The code related to clamav bug 1553 was substantially rewritten in
    0.95, so it is also not relevant to clamav 0.94.2 and earlier versions
  * Bump CL_FLEVEL_DCONF to 0.95.1 level since relevant security patches are
    applied
  * Added CVE references for 0.94.dfsg.2-1ubuntu0.2 now that they've been
    assigned

clamav (0.94.dfsg.2-1ubuntu0.2) intrepid-security; urgency=high

  * SECURITY UPDATE (LP: #354190):
  * References Clamav #1335, #1462, CVE 2008-6680, CVE 2009-1270
  * libclamav/pe.c: division by zero with --detect-broken (bb#1335) (Denial of
    service)
  * libclamav/untar.c: infloop in tar.c (bb#1462) (Denial of Service)
  * Add dconf_renable patch from 0.95 (previously backported to 0.92.2)
    - Bump CL_FLEVEL_DCONF to 0.95 level since security patches are applied

clamav (0.94.dfsg.2-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #304017)
    - Fix recursive stack overflow in jpeg parsing code
  * Other changes:
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
      clamav-daemon and clamav-freshclam
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
    - debian/clamav-(daemon|freshclam).install: install profiles
    - debian/clamav-(daemon|freshclam).preinst: create symlink for
      force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
      profile is unchanged (ie non-enforcing) and upgrades where the profile
      doesn't exist.
    - debian/clamav-(daemon|freshclam).postrm: remove symlink in
      force-complain/ on purge.
    - debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
    - update README.Debian with note on Apparmor
    - Enable upstream test suite in debian/rules

clamav (0.94.dfsg.2-1) unstable; urgency=low

[ Stephen Gran ]
* New upstream version

[ Michael Meskes...

This bug was fixed in the package clamav - 0.94.dfsg.2-1ubuntu0.3~hardy4

---------------
clamav (0.94.dfsg.2-1ubuntu0.3~hardy4) hardy-security; urgency=low

* No change rebuild from backports for use with ClamAV 0.94

clamav (0.94.dfsg.2-1ubuntu0.3~hardy3) hardy-backports; urgency=low

* Update Hardy backport to include the latest apparmor profile fixes from
    Jaunty development

clamav (0.94.dfsg.2-1ubuntu0.3~hardy2) hardy-backports; urgency=low

* Drop deny rule in freshclam apparmor profile since deny is not supported
    in Hardy's apparmor (LP: #360919)

clamav (0.94.dfsg.2-1ubuntu0.3~hardy1) hardy-backports; urgency=low

* Source backport for Hardy (lsb-base not present in sufficient version)
    (LP: #354190, #360502)
    - Drop versioning of lsb-base depends
    - Revert lsb status changes from maintainer scripts
  * Update existing backport with security fixes from 0.95 and 0.95.1
  * Update apparmor profile with fixes from Jaunty

clamav (0.94.dfsg.2-1ubuntu0.3) intrepid-security; urgency=high

* SECURITY UPDATE: (LP: #360502)
  * References
  * libclamav/others.h: harden CLI_ISCONTAINED macro (bb#1552) (Denial of
    service)
  * Note: clamav-milter bugs such as 1499, 1522, 1524, and 1531 are not
    relevant to clamav 0.94.2 and earlier versions
  * Note: The code related to clamav bug 1553 was substantially rewritten in
    0.95, so it is also not relevant to clamav 0.94.2 and earlier versions
  * Bump CL_FLEVEL_DCONF to 0.95.1 level since relevant security patches are
    applied
  * Added CVE references for 0.94.dfsg.2-1ubuntu0.2 now that they've been
    assigned

clamav (0.94.dfsg.2-1ubuntu0.2) intrepid-security; urgency=high

* SECURITY UPDATE (LP: #354190):
  * References Clamav #1335, #1462, CVE 2008-6680, CVE 2009-1270
  * libclamav/pe.c: division by zero with --detect-broken (bb#1335) (Denial of
    service)
  * libclamav/untar.c: infloop in tar.c (bb#1462) (Denial of Service)
  * Add dconf_renable patch from 0.95 (previously backported to 0.92.2)
    - Bump CL_FLEVEL_DCONF to 0.95 level since security patches are applied

clamav (0.94.dfsg.2-1ubuntu0.1) intrepid-security; urgency=low

* SECURITY UPDATE: (LP: #304017)
    - Fix recursive stack overflow in jpeg parsing code
  * Other changes:
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
      clamav-daemon and clamav-freshclam
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
    - debian/clamav-(daemon|freshclam).install: install profiles
    - debian/clamav-(daemon|freshclam).preinst: create symlink for
      force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
      profile is unchanged (ie non-enforcing) and upgrades where the profile
      doesn't exist.
    - debian/clamav-(daemon|freshclam).postrm: remove symlink in
      force-complain/ on purge.
    - debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
    - update README.Debian with note on Apparmor
    - Enable upstream test suite in debian/rules

clamav (0.94.dfsg.2-1) unstable; urgency=low

[ Stephen Gran ]
  * New upstream version

[ Michael Meskes ]
  * Removed unused debconf templates and unfuzzied all translations.

[ Michael Tautschnig ]
  * Removed --unzip from clampipe script (closes: #506055)
  * Moved clamav-milter specific stuff from its specific README.Debian to
    clamav-global one.
  * Sync start of clamav-milter with clamav-daemon when clamav-daemon is being
    upgraded (closes: #309067)
  * The TemporaryDirectory option has been added long ago, no need for hacks
    via clamav-daemon.default anymore (closes: #253080)

clamav (0.94.dfsg.1-1ubuntu0.1) intrepid-security; urgency=low

* SECURITY UPDATE: (LP: #296704)
    - Fix off-by-one heap overflow
  * Other changes:
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
      clamav-daemon and clamav-freshclam
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
    - debian/clamav-(daemon|freshclam).install: install profiles
    - debian/clamav-(daemon|freshclam).preinst: create symlink for
      force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
      profile is unchanged (ie non-enforcing) and upgrades where the profile
      doesn't exist.
    - debian/clamav-(daemon|freshclam).postrm: remove symlink in
      force-complain/ on purge.
    - debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
    - update README.Debian with note on Apparmor
  * Update apparmor profile for clamd to work with TCP sockets (LP: #288942)

clamav (0.94.dfsg.1-1) unstable; urgency=low

[ Stephen Gran ]
  * New upstream version (closes: #505134, #502165, #501298)
  * Handle new option SubmitDetectionStats in freshclam.conf
  * Remove RAR from the description, since we really don't handle it anymore
  * Skip 'sleep until -e socket' logic if socket is of type inet (LP #296086)

[ Michael Meskes ]
  * Added myself as uploader.
  * Changed watch file to account for dfsg extension.
  * Do not configure temporary directory in clamd.conf anymore unless it is
    already configured there.
  * Added Basque debconf translation (closes: #500007)

[ Michael Tautschnig ]
  * Use lsb's status_of_proc function to determine the status of the process
    and return with according exit codes (closes: #486076)
  * Updated Dutch debconf translation (thanks Paul Gevers <paul@climbing.nl>)
    (closes: #501627)
  * Changed versioned dependency of clamav-daemon to clamav-base to equals
    (closes: #500416)
  * Handle new option DetectionStatsCountry in freshclam.conf
  * Don't trust the multilib guessing stuff, always use libdir=$prefix/lib
  * Removed nowadays unused lintian overrides
  * Create md5sums control file for clamav-dbg as well (thanks, lintian)

clamav (0.94.dfsg.1~rc1-0ubuntu2) intrepid; urgency=low

* update clamd profile for use with exim (LP: #288110)

clamav (0.94.dfsg.1~rc1-0ubuntu1) intrepid; urgency=low

* New upstream RC release (LP:#286176)
    - Odd version numbering is to get a higher version than 0.94.dfsg without
      an epoch and was coordinated with Debian
    - Packaging based on current Ubuntu (0.94.dfsg-1ubuntu2) and does not use
      unreleased packaging improvements in the Debian pkg-claamv Git repo to
      minimize risk for Intrepid
    - Handle new freshclam option SubmitDetectionStats (cherry picked from
      Debian pkg-clamav Git repo)

clamav (0.94.dfsg-1ubuntu2) intrepid; urgency=low

* Update apparmor profile based on test feedback (LP: #276865)
    -Thanks to Ante Karamatić for the change

clamav (0.94.dfsg-1ubuntu1) intrepid; urgency=low

* Follow ApparmorProfileMigration and force apparmor complain mode on some
    upgrades (LP: #264817)
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
      clamav-daemon and clamav-freshclam
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
    - debian/clamav-(daemon|freshclam).install: install profiles
    - debian/clamav-(daemon|freshclam).preinst: create symlink for
      force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
      profile is unchanged (ie non-enforcing) and upgrades where the profile
      doesn't exist.
    - debian/clamav-(daemon|freshclam).postrm: remove symlink in
      force-complain/ on purge.
    - debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
    - update README.Debian with note on Apparmor

clamav (0.94.dfsg-1) unstable; urgency=low

* New upstream version (closes: #497662, #497773)
    - lots of new options for clamd.conf
    - fixes CVEs CVE-2008-3912, CVE-2008-3913, CVE-2008-3914, and
      CVE-2008-1389
  * No longer supports --unzip option, so typo is gone (closes: #496276)
  * Translations:
    - sv (thanks Martin Bagge <brother@bsnet.se>) (closes: #491760)

clamav (0.93.3.dfsg-1) unstable; urgency=low

* New upstream version (closes: #489890, #492838, #491720)
  * Fix AUTHORS symlink (closes: #490207)
  * Fix freshclam's logcheck regex (closes: #486385)

clamav (0.93.1.dfsg-1.1) unstable; urgency=high

* Non-maintainer upload by the Security Team.
  * This update addresses the following security issue:
    - CVE-2008-2713: A crafted petite file can trigger an out-of-bound
      read operation in petite.c resulting in a denial of sevice
      (Closes: #490925).

clamav (0.93.1.dfsg-1) unstable; urgency=low

* New upstream version
  * Move conflicts to freshclam

clamav (0.93~dfsg-4) unstable; urgency=low

* Dammit.  The -f flag is there for a reason (closes: #484262)

clamav (0.93~dfsg-3) unstable; urgency=low

* Make dash happy with use of return (closes: #484170)

clamav (0.93~dfsg-2) unstable; urgency=low

* Remove dpatch dependency - we keep the code in a patch system.
  * Wrap evaluations of [ $variable = true ] in calls to to_lower()
  * Add is_true function to catch the 7 bajillion variants of something being
    true (closes: #483874)
  * Clean up old incompatible database formats.  Users of 3rd party software
    that also loads those old databases are now out of luck. (closes: #481864)
  * Fix logcheck lines for clamav-daemon (closes: #477818)
  * New translation:
    - sv (thanks Martin Bagge <martin.bagge@bthstudent.se>)(closes: #483765)

clamav (0.93~dfsg-1) unstable; urgency=low

* New upstream release (closes: #476450, #477278)
    - Fixes failure to lock database directory
      (closes: #467298, #471643, #426503)
  * Fix logrotation when supervised (closes: #469196)
  * Run adduser on every new install - this should work around the
    xen-create-image thing of adding users but not groups (closes: #458015)
  * Make clamav-milter be a little more self-documenting (closes: #477178)

-- Jamie Strandboge <jamie@ubuntu.com>   Thu, 30 Apr 2009 14:44:26 -0500

Changed in clamav (Ubuntu Hardy):
status:	Fix Committed → Fix Released

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2009-05-04:

#7

clamav (0.94.dfsg.2-1ubuntu0.3~dapper2) dapper-security; urgency=low

* No change rebuild from backports

Changed in clamav (Ubuntu Dapper):
status:	Fix Committed → Fix Released

Ubuntu
clamav package

Fix relevant security bugs from 0.95.1 in earlier releases

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

	Status	Importance	Assigned to
Dapper Backports	Fix Released	Undecided	Unassigned
Hardy Backports	Fix Released	Undecided	Unassigned
clamav (Ubuntu)	Fix Released	High	Unassigned
Dapper	Fix Released	Undecided	Unassigned
Gutsy	Won't Fix	Undecided	Unassigned
Hardy	Fix Released	Undecided	Unassigned
Intrepid	Fix Released	High	Scott Kitterman

Ubuntuclamav package

Fix relevant security bugs from 0.95.1 in earlier releases

Bug Description

Related branches

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
clamav package