ClamAV needs updated to reflect security fixes

Bug #1822503 reported by chris pollock
16
This bug affects 2 people
Affects Status Importance Assigned to Milestone
clamav (Ubuntu)
Fix Released
Medium
Marc Deslauriers
Precise
Fix Released
Medium
Leonidas S. Barbosa
Trusty
Fix Released
Medium
Marc Deslauriers
Xenial
Fix Released
Medium
Marc Deslauriers
Bionic
Fix Released
Medium
Marc Deslauriers
Cosmic
Fix Released
Medium
Marc Deslauriers
Disco
Fix Released
Medium
Marc Deslauriers

Bug Description

lsb_release -rd
Description: Ubuntu 18.04.2 LTS
Release: 18.04

apt-cache policy clamav
clamav:
  Installed: 0.100.2+dfsg-1ubuntu0.18.04.1
  Candidate: 0.100.2+dfsg-1ubuntu0.18.04.1

The current version of ClamAV for 18.04.2 LTS is 0.100.2+dfsg-1ubuntu0.18.04.1. The current stable version of ClamAV is 0.101.2. There have been patches released for 0.101.2 and 0.100.3 that fix security related bugs as shown below:

ClamAV 0.101.2

ClamAV 0.101.2 is a patch release to address a handful of security related bugs.

This patch release is being released alongside the 0.100.3 patch so that users
who are unable to upgrade to 0.101 due to libclamav API changes are protected.

This release includes 3 extra security related bug fixes that do not apply to
prior versions. In addition, it includes a number of minor bug fixes and
improvements.

- Fixes for the following vulnerabilities affecting 0.101.1 and prior:
  - CVE-2019-1787:
    An out-of-bounds heap read condition may occur when scanning PDF
    documents. The defect is a failure to correctly keep track of the number
    of bytes remaining in a buffer when indexing file data.
  - CVE-2019-1789:
    An out-of-bounds heap read condition may occur when scanning PE files
    (i.e. Windows EXE and DLL files) that have been packed using Aspack as a
    result of inadequate bound-checking.
  - CVE-2019-1788:
    An out-of-bounds heap write condition may occur when scanning OLE2 files
    such as Microsoft Office 97-2003 documents. The invalid write happens when
    an invalid pointer is mistakenly used to initialize a 32bit integer to
    zero. This is likely to crash the application.

- Fixes for the following vulnerabilities affecting 0.101.1 and 0.101.0 only:
  - CVE-2019-1786:
    An out-of-bounds heap read condition may occur when scanning malformed PDF
    documents as a result of improper bounds-checking.
  - CVE-2019-1785:
    A path-traversal write condition may occur as a result of improper input
    validation when scanning RAR archives. Issue reported by aCaB.
  - CVE-2019-1798:
    A use-after-free condition may occur as a result of improper error
    handling when scanning nested RAR archives. Issue reported by David L.

- Fixes for the following assorted bugs:
  - Added checks to prevent shifts from causing undefined behavior in HTML
    normalizer, UPX unpacker, ARJ extractor, CPIO extractor, OLE2 parser,
    LZW decompressor used in the PDF parser, Xz decompressor, and UTF-16 to
    ASCII transcoder.
  - Added checks to prevent integer overflow in UPX unpacker.
  - Fix for minor memory leak in OLE2 parser.
  - Fix to speed up PDF parser when handling truncated (or malformed) PDFs.
  - Fix for memory leak in ARJ decoder failure condition.
  - Fix for potential memory and file descriptor leak in HTML normalization code.

- Removed use of problematic feature that converted file descriptors to
  file paths. The feature was intended to improve performance when scanning
  file types, notably RAR archives, for which the API requires a file path.
  This feature caused issues in environments where the ClamAV engine is run
  in a low-permissions or sandboxed process. RAR archives are still supported
  with this change, but performance may suffer slightly if the file path is not
  provided in calls to `cl_scandesc_callback()`.
  - Added filename and tempfile names to scandesc calls in clamd.
  - Added general scan option `CL_SCAN_GENERAL_UNPRIVILEGED` to treat the scan
    engine as unprivileged, meaning that the scan engine will not have read
    access to the file. Provided file paths are for logging purposes only.
  - Added ability to create a temp file when scanning RAR archives when the
    process does not have read access to the file path provided (i.e.
    unprivileged is set, or an access check fails).

ClamAV 0.100.3

ClamAV 0.100.3 is a patch release to address a few security related bugs.

This patch release is being released alongside the 0.101.2 patch so that users
who are unable to upgrade to 0.101 due to libclamav API changes are protected.

The bug fixes in this release are limited to security-related bugs only.
Users are encouraged to upgrade to 0.101.2 for additional improvements.

- Fixes for the following vulnerabilities:
  - CVE-2019-1787:
    An out-of-bounds heap read condition may occur when scanning PDF
    documents. The defect is a failure to correctly keep track of the number
    of bytes remaining in a buffer when indexing file data.
  - CVE-2019-1789:
    An out-of-bounds heap read condition may occur when scanning PE files
    (i.e. Windows EXE and DLL files) that have been packed using Aspack as a
    result of inadequate bound-checking.
  - CVE-2019-1788:
    An out-of-bounds heap write condition may occur when scanning OLE2 files
    such as Microsoft Office 97-2003 documents. The invalid write happens when
    an invalid pointer is mistakenly used to initialize a 32bit integer to
    zero. This is likely to crash the application.

CVE References

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Hi Chris,
usually in the past the security Team has done such updates. I subscribed them to get their feedback on the request for a newer clamav version.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I'll prepare updates for this.

Changed in clamav (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Changed in clamav (Ubuntu Trusty):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in clamav (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in clamav (Ubuntu Bionic):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in clamav (Ubuntu Cosmic):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in clamav (Ubuntu Disco):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Marc Deslauriers (mdeslaur)
Revision history for this message
chris pollock (cpollock) wrote :

Thank you Marc.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.100.3+dfsg-0ubuntu1

---------------
clamav (0.100.3+dfsg-0ubuntu1) disco; urgency=medium

  * Updated to version 0.100.3 to fix security issues. (LP: #1822503)
    - debian/libclamav7.symbols: updated to new version.
    - CVE-2019-1787
    - CVE-2019-1788
    - CVE-2019-1789

 -- Marc Deslauriers <email address hidden> Thu, 04 Apr 2019 08:19:16 -0400

Changed in clamav (Ubuntu Disco):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.100.3+dfsg-0ubuntu0.14.04.1

---------------
clamav (0.100.3+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * Updated to version 0.100.3 to fix security issues. (LP: #1822503)
    - debian/libclamav7.symbols: updated to new version.
    - CVE-2019-1787
    - CVE-2019-1788
    - CVE-2019-1789

 -- Marc Deslauriers <email address hidden> Thu, 04 Apr 2019 10:02:52 -0400

Changed in clamav (Ubuntu Trusty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.100.3+dfsg-0ubuntu0.16.04.1

---------------
clamav (0.100.3+dfsg-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * Updated to version 0.100.3 to fix security issues. (LP: #1822503)
    - debian/libclamav7.symbols: updated to new version.
    - CVE-2019-1787
    - CVE-2019-1788
    - CVE-2019-1789

 -- Marc Deslauriers <email address hidden> Thu, 04 Apr 2019 09:45:34 -0400

Changed in clamav (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.100.3+dfsg-0ubuntu0.18.04.1

---------------
clamav (0.100.3+dfsg-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * Updated to version 0.100.3 to fix security issues. (LP: #1822503)
    - debian/libclamav7.symbols: updated to new version.
    - CVE-2019-1787
    - CVE-2019-1788
    - CVE-2019-1789

 -- Marc Deslauriers <email address hidden> Thu, 04 Apr 2019 09:25:12 -0400

Changed in clamav (Ubuntu Bionic):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.100.3+dfsg-0ubuntu0.18.10.1

---------------
clamav (0.100.3+dfsg-0ubuntu0.18.10.1) cosmic-security; urgency=medium

  * Updated to version 0.100.3 to fix security issues. (LP: #1822503)
    - debian/libclamav7.symbols: updated to new version.
    - CVE-2019-1787
    - CVE-2019-1788
    - CVE-2019-1789

 -- Marc Deslauriers <email address hidden> Thu, 04 Apr 2019 09:08:50 -0400

Changed in clamav (Ubuntu Cosmic):
status: Confirmed → Fix Released
Revision history for this message
Leonidas S. Barbosa (leosilvab) wrote :

In precise/esm these CVE were fixed update/released in 0.100.3+dfsg-1ubuntu0.12.04.1

Changed in clamav (Ubuntu Precise):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.