Security fixes from clamav 0.95 need backport

Bug #354190 reported by Scott Kitterman
Affects              Status        Importance  Assigned to      Milestone
Dapper Backports     Fix Released  Undecided   Unassigned
Hardy Backports      Fix Released  High        Scott Kitterman
clamav (Ubuntu)      Fix Released  Undecided   Unassigned
  Dapper             Fix Released  Undecided   Unassigned
  Gutsy              Won't Fix     Undecided   Unassigned
  Hardy              Fix Released  Undecided   Unassigned
  Intrepid           Fix Released  Medium      Scott Kitterman

Bug Description

Binary package hint: clamav

Clamav 0.95 included patches for two security issues:

 * libclamav/pe.c: division by zero with --detect-broken (bb#1335) (Denial of
   service)
 * libclamav/untar.c: infloop in tar.c (bb#1462) (Denial of Service)

Fixed in Jaunty by 0.95. Open for other Ubuntu releases.

visibility: private → public
Changed in clamav (Ubuntu):
status: New → Fix Released
Changed in clamav (Ubuntu Intrepid):
assignee: nobody → kitterman
importance: Undecided → Medium
status: New → In Progress
Revision history for this message
Scott Kitterman (kitterman) wrote :

Intrepid debdiff attached. My recommended approach for the other releases is:

After intrepid is updated, backport intrepid-security to dapper-backports and hardy-backports and then push 0.94.2 with rdepends to dapper-security and hardy-security. Let Gutsy rest in peace with 0.92.2. That will get us down to two supported versions and we can start working on clamav 0.95 backports.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.94.dfsg.2-1ubuntu0.2

---------------
clamav (0.94.dfsg.2-1ubuntu0.2) intrepid-security; urgency=high

  * SECURITY UPDATE (LP: #354190):
  * References Clamav #1335, #1462
  * libclamav/pe.c: division by zero with --detect-broken (bb#1335) (Denial of
    service)
  * libclamav/untar.c: infloop in tar.c (bb#1462) (Denial of Service)
  * Add dconf_renable patch from 0.95 (previously backported to 0.92.2)
    - Bump CL_FLEVEL_DCONF to 0.95 level since security patches are applied

 -- Scott Kitterman <email address hidden> Thu, 02 Apr 2009 17:15:22 -0400

Changed in clamav (Ubuntu Intrepid):
status: In Progress → Fix Released
Revision history for this message
Scott Kitterman (kitterman) wrote :

Gutsy is near end of life and won't get these fixes.

Changed in clamav (Ubuntu Gutsy):
status: New → Won't Fix
Changed in hardy-backports:
assignee: nobody → kitterman
importance: Undecided → High
status: New → In Progress
Changed in hardy-backports:
status: In Progress → Fix Released
Changed in dapper-backports:
status: New → Fix Released
Changed in clamav (Ubuntu Dapper):
status: New → Triaged
Changed in clamav (Ubuntu Hardy):
status: New → In Progress
Changed in clamav (Ubuntu Dapper):
status: Triaged → Fix Committed
Changed in clamav (Ubuntu Hardy):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.94.dfsg.2-1ubuntu0.3~hardy4

---------------
clamav (0.94.dfsg.2-1ubuntu0.3~hardy4) hardy-security; urgency=low

  * No change rebuild from backports for use with ClamAV 0.94

clamav (0.94.dfsg.2-1ubuntu0.3~hardy3) hardy-backports; urgency=low

  * Update Hardy backport to include the latest apparmor profile fixes from
    Jaunty development

clamav (0.94.dfsg.2-1ubuntu0.3~hardy2) hardy-backports; urgency=low

  * Drop deny rule in freshclam apparmor profile since deny is not supported
    in Hardy's apparmor (LP: #360919)

clamav (0.94.dfsg.2-1ubuntu0.3~hardy1) hardy-backports; urgency=low

  * Source backport for Hardy (lsb-base not present in sufficient version)
    (LP: #354190, #360502)
    - Drop versioning of lsb-base depends
    - Revert lsb status changes from maintainer scripts
  * Update existing backport with security fixes from 0.95 and 0.95.1
  * Update apparmor profile with fixes from Jaunty

clamav (0.94.dfsg.2-1ubuntu0.3) intrepid-security; urgency=high

  * SECURITY UPDATE: (LP: #360502)
  * References
  * libclamav/others.h: harden CLI_ISCONTAINED macro (bb#1552) (Denial of
    service)
  * Note: clamav-milter bugs such as 1499, 1522, 1524, and 1531 are not
    relevant to clamav 0.94.2 and earlier versions
  * Note: The code related to clamav bug 1553 was substantially rewritten in
    0.95, so it is also not relevant to clamav 0.94.2 and earlier versions
  * Bump CL_FLEVEL_DCONF to 0.95.1 level since relevant security patches are
    applied
  * Added CVE references for 0.94.dfsg.2-1ubuntu0.2 now that they've been
    assigned

clamav (0.94.dfsg.2-1ubuntu0.2) intrepid-security; urgency=high

  * SECURITY UPDATE (LP: #354190):
  * References Clamav #1335, #1462, CVE 2008-6680, CVE 2009-1270
  * libclamav/pe.c: division by zero with --detect-broken (bb#1335) (Denial of
    service)
  * libclamav/untar.c: infloop in tar.c (bb#1462) (Denial of Service)
  * Add dconf_renable patch from 0.95 (previously backported to 0.92.2)
    - Bump CL_FLEVEL_DCONF to 0.95 level since security patches are applied

clamav (0.94.dfsg.2-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: (LP: #304017)
    - Fix recursive stack overflow in jpeg parsing code
  * Other changes:
    - debian/control: Recommends apparmor >= 2.1+1075-0ubuntu6 for
      clamav-daemon and clamav-freshclam
    - add debian/usr.bin.freshclam and debian/usr.sbin.clamd
    - debian/clamav-(daemon|freshclam).dirs: add etc/apparmor.d/force-complain
    - debian/clamav-(daemon|freshclam).install: install profiles
    - debian/clamav-(daemon|freshclam).preinst: create symlink for
      force-complain/ on pre-feisty upgrades, upgrades where apparmor-profiles
      profile is unchanged (ie non-enforcing) and upgrades where the profile
      doesn't exist.
    - debian/clamav-(daemon|freshclam).postrm: remove symlink in
      force-complain/ on purge.
    - debian/clamav-(daemon|freshclam).postinst.in: reload apparmor
    - update README.Debian with note on Apparmor
    - Enable upstream test suite in debian/rules

clamav (0.94.dfsg.2-1) unstable; urgency=low

  [ Stephen Gran ]
  * New upstream version

  [ Michael Meskes...

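The three fault classes this bug tracks (division by zero in pe.c, an infinite loop in untar.c, and the CLI_ISCONTAINED hardening in others.h) share one root: a length or alignment field taken from the file is used in arithmetic before it is validated. The following is an added illustration, not code from ClamAV or from the debdiffs attached here. The record format, the function names (contained, section_blocks, count_records) and the sample buffers are constructed for the example; in particular, contained() is an overflow-safe containment check of the kind such a macro needs, not ClamAV's actual definition.

```c
/*
 * Added illustration, not code from ClamAV or this bug's debdiffs: three
 * defensive checks a parser of untrusted input needs, matching the fault
 * classes this bug tracks (division by zero, infinite loop, buffer
 * containment). Record format, function names and samples are constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Is the sub-buffer [sb_off, sb_off+sb_size) inside [bb_off, bb_off+bb_size)?
 * Written so that no addition can wrap: after the two early-outs both
 * subtractions are non-negative. */
bool contained(size_t bb_off, size_t bb_size, size_t sb_off, size_t sb_size)
{
    if (sb_off < bb_off || sb_size > bb_size)
        return false;
    return (sb_off - bb_off) <= (bb_size - sb_size);
}

/* The textbook form of the same check. It reads correctly, but
 * sb_off + sb_size wraps for a large file-supplied sb_size, so it accepts
 * ranges that lie outside the buffer. Kept only to contrast with contained(). */
bool contained_naive(size_t bb_off, size_t bb_size, size_t sb_off, size_t sb_size)
{
    return sb_off >= bb_off && sb_off + sb_size <= bb_off + bb_size;
}

/* Number of alignment-sized blocks covering raw_size. A header field used as
 * a divisor must be checked for zero before use; the sum is done in 64 bits so
 * it cannot wrap either. Returns -1 when alignment is zero. */
int64_t section_blocks(uint32_t raw_size, uint32_t alignment)
{
    if (alignment == 0)
        return -1;
    return (int64_t)(((uint64_t)raw_size + alignment - 1) / alignment);
}

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk a constructed record stream: each record is a 4-byte little-endian
 * payload length followed by the payload. Returns the record count, -1 on a
 * malformed stream, -2 if max_records is exceeded. Every offset derived from
 * file data is validated with contained() before use, and the loop cannot
 * stall because each iteration advances off by at least the 4-byte header. */
long count_records(const uint8_t *buf, size_t len, size_t max_records)
{
    size_t off = 0, n = 0;
    while (off < len) {
        if (!contained(0, len, off, 4))
            return -1;                 /* truncated header */
        uint32_t size = rd_le32(buf + off);
        if (!contained(0, len, off + 4, size))
            return -1;                 /* payload runs past the buffer */
        size_t next = off + 4 + size;  /* cannot wrap: size <= len - (off + 4) */
        if (next <= off)
            return -1;                 /* explicit progress guard */
        off = next;
        if (++n > max_records)
            return -2;                 /* bound the work done per file */
    }
    return (long)n;
}

/* Constructed sample inputs. */
const uint8_t SAMPLE_GOOD[]  = {3, 0, 0, 0, 'a', 'b', 'c', 0, 0, 0, 0}; /* "abc", "" */
const uint8_t SAMPLE_HUGE[]  = {0xff, 0xff, 0xff, 0xff, 'x'};          /* length field lies */
const uint8_t SAMPLE_TRUNC[] = {1, 0};                                  /* header cut short */

int main(void)
{
    printf("good:  %ld\n", count_records(SAMPLE_GOOD, sizeof SAMPLE_GOOD, 16));
    printf("huge:  %ld\n", count_records(SAMPLE_HUGE, sizeof SAMPLE_HUGE, 16));
    printf("trunc: %ld\n", count_records(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, 16));
    printf("naive accepts wrapped range: %d, safe check: %d\n",
           contained_naive(0, 100, 50, SIZE_MAX), contained(0, 100, 50, SIZE_MAX));
    printf("blocks(0x1001, 0x200) = %lld, blocks(0x1001, 0) = %lld\n",
           (long long)section_blocks(0x1001, 0x200), (long long)section_blocks(0x1001, 0));
    return 0;
}
```

The contrast worth noting is contained() against contained_naive(): both look like bounds checks, but only the subtraction form stays correct when the file supplies a length near SIZE_MAX, which is exactly the input a fuzzer or a crafted archive produces. The max_records cap is the same idea applied to time instead of memory: a parser that must finish on any input needs an explicit progress or iteration bound, not just per-step checks.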

Changed in clamav (Ubuntu Hardy):
status: Fix Committed → Fix Released
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

clamav (0.94.dfsg.2-1ubuntu0.3~dapper2) dapper-security; urgency=low

  * No change rebuild from backports

Changed in clamav (Ubuntu Dapper):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.