Your message dated Thu, 03 Oct 2024 12:05:39 +0000
with message-id <e1swkar-00awch...@fasolo.debian.org>
and subject line Bug#1080962: fixed in clamav 1.4.1+dfsg-1
has caused the Debian Bug report #1080962,
regarding clamav: CVE-2024-20505 CVE-2024-20506
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1080962: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1080962
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: clamav
Version: 1.3.1+dfsg-5
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.0.5+dfsg-1~deb12u1
Control: found -1 0.103.10+dfsg-0+deb11u1

Hi,

The following vulnerabilities were published for clamav.

CVE-2024-20505[0]:
| A vulnerability in the PDF parsing module of Clam AntiVirus (ClamAV)
| versions 1.4.0, 1.3.2 and prior versions, all 1.2.x versions, 1.0.6
| and prior versions, all 0.105.x versions, all 0.104.x versions, and
| 0.103.11 and all prior versions could allow an unauthenticated,
| remote attacker to cause a denial of service (DoS) condition on an
| affected device. The vulnerability is due to an out of bounds
| read. An attacker could exploit this vulnerability by submitting a
| crafted PDF file to be scanned by ClamAV on an affected device. An
| exploit could allow the attacker to terminate the scanning process.


CVE-2024-20506[1]:
| A vulnerability in the ClamD service module of Clam AntiVirus
| (ClamAV) versions 1.4.0, 1.3.2 and prior versions, all 1.2.x
| versions, 1.0.6 and prior versions, all 0.105.x versions, all
| 0.104.x versions, and 0.103.11 and all prior versions could allow an
| authenticated, local attacker to corrupt critical system files.
| The vulnerability is due to allowing the ClamD process to write to
| its log file while privileged without checking if the logfile has
| been replaced with a symbolic link. An attacker could exploit this
| vulnerability if they replace the ClamD log file with a symlink to a
| critical system file and then find a way to restart the ClamD
| process. An exploit could allow the attacker to corrupt a critical
| system file by appending ClamD log messages after restart.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-20505
    https://www.cve.org/CVERecord?id=CVE-2024-20505
[1] https://security-tracker.debian.org/tracker/CVE-2024-20506
    https://www.cve.org/CVERecord?id=CVE-2024-20506
[2] https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html

Regards,
Salvatore

--- End Message ---
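The CVE-2024-20506 description above boils down to one defensive rule for a privileged daemon that reopens its log on restart: never let the log path be resolved through a symlink, and verify what you actually opened. The following is an added example written for this page, not ClamAV's logging code; the helper name `open_log_nofollow`, the demo function `demo_symlink_refused`, the temporary-directory layout and the file names in it are all constructed for illustration. It opens the log with `O_NOFOLLOW` so a symlink in the final path component is refused with `ELOOP`, then checks the open descriptor with `fstat` so that only a regular file is ever written to.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not ClamAV's logger): open a log file for appending
 * without following a symlink in the final path component, then confirm the
 * object we got is a regular file. Returns a descriptor, or -1 with errno set
 * (ELOOP when the path is a symlink, EINVAL when it is not a regular file). */
int open_log_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (fd < 0)
        return -1;                      /* errno == ELOOP for a symlink */

    struct stat st;
    if (fstat(fd, &st) != 0) {          /* fstat on the open fd: no TOCTOU window */
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode)) {         /* refuse devices, FIFOs, sockets */
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed scenario: in a fresh temporary directory, create a stand-in for
 * a critical file, a symlink to it named like a log file, and a genuine log
 * file. Returns 0 when the genuine log is appended to, the symlink is refused
 * with ELOOP, and the stand-in file is left untouched; otherwise a bitmask
 * naming which check failed (1 = genuine log, 2 = symlink opened,
 * 4 = wrong errno, 8 = stand-in file modified). */
int demo_symlink_refused(void)
{
    char dir[64] = "/tmp/logdemo.XXXXXX";
    if (mkdtemp(dir) == NULL) {         /* fall back to the working directory */
        strcpy(dir, "./logdemo.XXXXXX");
        if (mkdtemp(dir) == NULL)
            return 1;
    }

    char logpath[128], target[128], link[128];
    snprintf(logpath, sizeof logpath, "%s/clamd.log", dir);
    snprintf(target, sizeof target, "%s/critical.conf", dir);
    snprintf(link, sizeof link, "%s/replaced.log", dir);

    const char *keep = "keep me intact\n";
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (t < 0 || write(t, keep, strlen(keep)) != (ssize_t)strlen(keep)) {
        if (t >= 0)
            close(t);
        return 2;
    }
    close(t);
    if (symlink(target, link) != 0)
        return 3;

    int rc = 0;

    /* 1. a genuine log file opens and accepts a line */
    int fd = open_log_nofollow(logpath);
    if (fd < 0) {
        rc |= 0x1;
    } else {
        const char *msg = "clamd restarted\n";
        if (write(fd, msg, strlen(msg)) != (ssize_t)strlen(msg))
            rc |= 0x1;
        close(fd);
    }

    /* 2. the symlinked "log" is refused with ELOOP, nothing is written through it */
    errno = 0;
    fd = open_log_nofollow(link);
    if (fd >= 0) {
        close(fd);
        rc |= 0x2;
    } else if (errno != ELOOP) {
        rc |= 0x4;
    }

    /* 3. the stand-in critical file still holds exactly its original bytes */
    struct stat st;
    if (stat(target, &st) != 0 || st.st_size != (off_t)strlen(keep))
        rc |= 0x8;

    unlink(logpath);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo_symlink_refused();
    printf("symlink-refusal demo: %s (rc=%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Two caveats when applying this pattern: `O_NOFOLLOW` only protects the last path component, so the log directory itself must not be writable by the unprivileged user the daemon later drops to (otherwise a parent directory can be swapped), and the `fstat` on the already-open descriptor is what closes the check-then-open race; a `lstat` before `open` would not.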
--- Begin Message ---
Source: clamav
Source-Version: 1.4.1+dfsg-1
Done: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1080...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 03 Oct 2024 10:51:50 +0200
Source: clamav
Architecture: source
Version: 1.4.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-de...@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Closes: 1080962
Changes:
 clamav (1.4.1+dfsg-1) unstable; urgency=medium
 .
   * Import 1.4.1 (Closes: #1080962)
     - CVE-2024-20506 (Changed the logging module to disable following symlinks
       on Linux)
     - CVE-2024-20505 (Fixed a possible out-of-bounds read bug in the PDF file
       parser).
Checksums-Sha1:
 7917b33188d4e2d7693c4f33a07c2a5660528072 3080 clamav_1.4.1+dfsg-1.dsc
 587f15fe0a3863030a4b698b8a5e0bef7b93d68c 33150848 clamav_1.4.1+dfsg.orig.tar.xz
 c033266e899948ad3f5ff76e0fdbb4245cce79ba 503988 clamav_1.4.1+dfsg-1.debian.tar.xz
Checksums-Sha256:
 288144b3649f1dc686f0ebb96b60dae69d37445eac77f6303e26a6fb81359ab6 3080 clamav_1.4.1+dfsg-1.dsc
 9a994a41d0110a874be7183b3410c91f53c0a6c2eb9dc94c47d47ae0d4a62d0f 33150848 clamav_1.4.1+dfsg.orig.tar.xz
 fecf245f7cf6ee469138376a96ae935221624fdc4d347eda0c85806d1ce3e998 503988 clamav_1.4.1+dfsg-1.debian.tar.xz
Files:
 070b175efeb30509b34678ac00010653 3080 utils optional clamav_1.4.1+dfsg-1.dsc
 88d72153305c1c8f0dda1d3380e82c94 33150848 utils optional clamav_1.4.1+dfsg.orig.tar.xz
 0f092e2022314304f9f3c3b419417538 503988 utils optional clamav_1.4.1+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---