Your message dated Sat, 18 Feb 2023 19:02:26 +0000
with message-id <e1ptsta-009hnm...@fasolo.debian.org>
and subject line Bug#1031509: fixed in clamav 0.103.8+dfsg-0+deb11u1
has caused the Debian Bug report #1031509,
regarding clamav: 2 RCE bugs in ClamAV 0.103 (+ 1.0.0),
CVE-2023-20032/CVE-2023-20052
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1031509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031509
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: clamav
Version: 0.103.7+dfsg-0+deb11u1
Severity: important
Dear Maintainer,
ClamAV/Cisco have released a security advisory concerning 2 potential-RCE
bugs in ClamAV:
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
According to the security tracker, all versions currently in Debian
are vulnerable:
https://security-tracker.debian.org/tracker/CVE-2023-20032
https://security-tracker.debian.org/tracker/CVE-2023-20052
Please consider an update. Currently, ClamAV is not suitable for use in a
(quite common) email-scanning setup like with Amavis, but can still be
used (with appropriate care) directly. Thus I think Severity: important fits.
Kind regards,
Robert
-- Package-specific info:
--- configuration ---
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package
DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net
--- data dir ---
total 226104
-rw-r--r-- 1 clamav clamav 293670 Feb 17 14:46 bytecode.cvd
-rw-r--r-- 1 clamav clamav 60744631 Feb 17 14:44 daily.cvd
-rw-r--r-- 1 clamav clamav 69 Feb 17 14:43 freshclam.dat
-rw-r--r-- 1 clamav clamav 170479789 Feb 17 14:46 main.cvd
-- System Information:
Debian Release: 11.6
APT prefers stable
APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.18.0-0.deb11.4-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages clamav depends on:
ii clamav-freshclam [clamav-data] 0.103.7+dfsg-0+deb11u1
ii libc6 2.31-13+deb11u5
ii libclamav9 0.103.7+dfsg-0+deb11u1
ii libcurl4 7.74.0-1.3+deb11u3
ii libjson-c5 0.15-2
ii libssl1.1 1.1.1n-0+deb11u3
ii zlib1g 1:1.2.11.dfsg-2+deb11u2
Versions of packages clamav recommends:
ii clamav-base 0.103.7+dfsg-0+deb11u1
Versions of packages clamav suggests:
pn clamav-docs <none>
pn libclamunrar <none>
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 0.103.8+dfsg-0+deb11u1
Done: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1031...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated clamav
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 17 Feb 2023 21:43:57 +0100
Source: clamav
Architecture: source
Version: 0.103.8+dfsg-0+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-de...@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Closes: 1031509
Changes:
clamav (0.103.8+dfsg-0+deb11u1) bullseye; urgency=medium
.
* Import 0.103.8 (Closes: #1031509)
- CVE-2023-20032 (Possible RCE in the HFS+ file parser).
- CVE-2023-20052 (Possible information leak in the DMG file parser).
Checksums-Sha1:
8b99d177c1a511a5683800516448ab8f31b00215 2809 clamav_0.103.8+dfsg-0+deb11u1.dsc
23abb9015972460c9ead147ed691e46e857ca1a3 7130804 clamav_0.103.8+dfsg.orig.tar.xz
6ac65a4ae397f7f82d1b698f3f7cc942a9644338 220388 clamav_0.103.8+dfsg-0+deb11u1.debian.tar.xz
Checksums-Sha256:
cdc076fa44d055d1795d0e00223a2488ae7bdfa84e66411e693a9b3b45a77b13 2809 clamav_0.103.8+dfsg-0+deb11u1.dsc
e218adee2fb7e9eec4dbef04f25554cff65b771ea039f00136b2ed9a5b49fbba 7130804 clamav_0.103.8+dfsg.orig.tar.xz
87c5e9f844a70c79c5192562eacf62cfa6c0ab4850b653519896b5df8d146bf5 220388 clamav_0.103.8+dfsg-0+deb11u1.debian.tar.xz
Files:
458a5071d97c7c94f9912a3c84d396c5 2809 utils optional clamav_0.103.8+dfsg-0+deb11u1.dsc
b36e464f39364dde17f77220a105c433 7130804 utils optional clamav_0.103.8+dfsg.orig.tar.xz
8f1e64c581db249313ecc56bf1b9558f 220388 utils optional clamav_0.103.8+dfsg-0+deb11u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=Yo8w
-----END PGP SIGNATURE-----
--- End Message ---