Your message dated Fri, 03 Jul 2026 21:49:28 +0000
with message-id <[email protected]>
and subject line Bug#1141303: fixed in clamav 1.4.5+dfsg-1
has caused the Debian Bug report #1141303,
regarding clamav: CVE-2026-20213 CVE-2026-20214 CVE-2026-20215 CVE-2026-20216 
CVE-2026-20217 CVE-2026-20243 CVE-2026-20244
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1141303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1141303
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: clamav
Version: 1.4.4+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for clamav.

CVE-2026-20213[0]:
| A vulnerability in the PE file format parser of ClamAV could allow
| an unauthenticated, remote attacker to cause a DoS condition, or
| possibly other expanded impacts, resulting from memory corruption on
| an affected device.    This vulnerability is due to improper
| boundary checks for content in PE files during scanning, which may
| result in an out-of-bounds buffer write. An attacker could exploit
| this vulnerability by submitting a crafted file that contains PE
| content to be scanned by ClamAV on an affected device. A successful
| exploit could allow the attacker to cause the ClamAV scanning
| process to terminate, resulting in a DoS condition on the affected
| software.


CVE-2026-20214[1]:
| A vulnerability in the FSG file format parser of ClamAV could allow
| an unauthenticated, remote attacker to cause a DoS condition, or
| possibly other expanded impacts, resulting from memory corruption on
| an affected device.    This vulnerability is due to improper
| boundary checks for content in FSG files during scanning, which may
| result in an out-of-bounds buffer write. An attacker could exploit
| this vulnerability by submitting a crafted file that contains
| portable executable content compressed with FSG to be scanned by
| ClamAV on an affected device. A successful exploit could allow the
| attacker to cause the ClamAV scanning process to terminate,
| resulting in a DoS condition on the affected software.


CVE-2026-20215[2]:
| A vulnerability in the 7z file format parser of ClamAV could allow
| an unauthenticated, remote attacker to cause a DoS condition, or
| possibly other expanded impacts, resulting from memory corruption on
| an affected device.    This vulnerability is due to improper
| boundary checks for content in 7z files during scanning, which may
| result in an out-of-bounds buffer write. An attacker could exploit
| this vulnerability by submitting a crafted file that contains
| 7z&nbsp;content to be scanned by ClamAV on an affected device. A
| successful exploit could allow the attacker to cause the ClamAV
| scanning process to terminate, resulting in a DoS condition on the
| affected software.


CVE-2026-20216[3]:
| A vulnerability in the InstallShield file format parser of ClamAV
| could allow an unauthenticated, remote attacker to cause a DoS
| condition on an affected device.    This vulnerability is due to
| improper handling of temporary resources during file scanning. An
| attacker could exploit this vulnerability by submitting a crafted
| InstallShield file to be scanned by ClamAV on an affected device. A
| successful exploit could allow the attacker to terminate the ClamAV
| scanning process and temporarily consume available system resources,
| resulting in a DoS condition on the affected software.


CVE-2026-20217[4]:
| A vulnerability in the PESpin file format parser of ClamAV could
| allow an unauthenticated, remote attacker to cause a DoS condition,
| or possibly other expanded impacts, resulting from memory corruption
| on an affected device.    This vulnerability is due to improper
| boundary checks for content in PESpin files during scanning, which
| may result in an out-of-bounds buffer write. An attacker could
| exploit this vulnerability by submitting a crafted file that
| contains PESpin content to be scanned by ClamAV on an affected
| device. A successful exploit could allow the attacker to cause the
| ClamAV scanning process to terminate, resulting in a DoS condition
| on the affected software.


CVE-2026-20243[5]:
| A vulnerability in the ALZ file format parser of ClamAV could allow
| an unauthenticated, remote attacker to cause a DoS condition, or
| possibly other expanded impacts, resulting from memory corruption on
| an affected device.    This vulnerability is due to improper
| boundary checks for content in ALZ files during scanning, which may
| result in an out-of-bounds buffer write. An attacker could exploit
| this vulnerability by submitting a crafted file that contains ALZ
| content to be scanned by ClamAV on an affected device. A successful
| exploit could allow the attacker to cause the ClamAV scanning
| process to terminate, resulting in a DoS condition on the affected
| software.


CVE-2026-20244[6]:
| A vulnerability in the DMG file format parser of ClamAV could allow
| an unauthenticated, remote attacker to cause a DoS condition, or
| possibly other expanded impacts, resulting from memory corruption on
| an affected device.    This vulnerability is due to improper
| boundary checks for content in DMG files during scanning, which may
| result in an integer overflow on 32-bit platforms only. An attacker
| could exploit this vulnerability by submitting a crafted file that
| contains DMG content to be scanned by ClamAV on an affected device.
| A successful exploit could allow the attacker to cause the ClamAV
| scanning process to terminate, resulting in a DoS condition on the
| affected software.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-20213
    https://www.cve.org/CVERecord?id=CVE-2026-20213
[1] https://security-tracker.debian.org/tracker/CVE-2026-20214
    https://www.cve.org/CVERecord?id=CVE-2026-20214
[2] https://security-tracker.debian.org/tracker/CVE-2026-20215
    https://www.cve.org/CVERecord?id=CVE-2026-20215
[3] https://security-tracker.debian.org/tracker/CVE-2026-20216
    https://www.cve.org/CVERecord?id=CVE-2026-20216
[4] https://security-tracker.debian.org/tracker/CVE-2026-20217
    https://www.cve.org/CVERecord?id=CVE-2026-20217
[5] https://security-tracker.debian.org/tracker/CVE-2026-20243
    https://www.cve.org/CVERecord?id=CVE-2026-20243
[6] https://security-tracker.debian.org/tracker/CVE-2026-20244
    https://www.cve.org/CVERecord?id=CVE-2026-20244
[7] https://blog.clamav.net/2026/07/clamav-153-and-145-security-patch.html

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 1.4.5+dfsg-1
Done: Sebastian Andrzej Siewior <[email protected]>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 03 Jul 2026 23:16:21 +0200
Source: clamav
Architecture: source
Version: 1.4.5+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1141303 1141347
Changes:
 clamav (1.4.5+dfsg-1) unstable; urgency=medium
 .
   * Import 1.4.5 (Closes: #1141303)
     - CVE-2026-20217 ("Fixed a bug in the PESpin unpacker cleanup path")
     - CVE-2026-20213 ("Fixed an integer overflow in PE rebuild size
       calculations")
     - CVE-2026-20216 ("Fixed an InstallShield archive extraction limit
       bypass")
     - CVE-2026-20214 ("Fixed an FSG unpacker loop underflow")
     - CVE-2026-20243 ("Fixed ALZ parser size handling bugs")
     - CVE-2026-20215 ("Fixed a 7z parser substream count overflow")
     - CVE-2026-20244 ("Fixed 32-bit DMG parser size checks")
   * Use -DCMAKE_BUILD_TYPE=RelWithDebInfo by default (Closes: #1141347).
Checksums-Sha1:
 6454e256ac5d4a36ccc43aaaec539f8c3181a2a6 3042 clamav_1.4.5+dfsg-1.dsc
 f35240155c184e0a514d6ae24e4d669cb60c9894 27685412 clamav_1.4.5+dfsg.orig.tar.xz
 d6bda30f4f78b769e6f65400ef5e528736d58ffa 521132 
clamav_1.4.5+dfsg-1.debian.tar.xz
Checksums-Sha256:
 cdb2309b27f674f6b9dea54e820f9232ba7318e1d00a5221e3f7e8030d3ce7ed 3042 
clamav_1.4.5+dfsg-1.dsc
 61eaa197005878dcdbe4a368c7c7255cd104228f79669f0a998717ab9a0dbf9c 27685412 
clamav_1.4.5+dfsg.orig.tar.xz
 af5cd67159ab4512361ff02b3b714b5e98d1db252030d870415a1527ffb65071 521132 
clamav_1.4.5+dfsg-1.debian.tar.xz
Files:
 0e311caa2a1f31e33ab27b701ebd3eb6 3042 utils optional clamav_1.4.5+dfsg-1.dsc
 ddae5dfa89a3f90e03f8fa3f92a09517 27685412 utils optional 
clamav_1.4.5+dfsg.orig.tar.xz
 c2cd2cf4f4838a202d3f8eae7f7401d9 521132 utils optional 
clamav_1.4.5+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmpIKHgACgkQBWQfF1cS
+lvUgAv+N7NIwqc1NAqHet/3rIrJ2yJQKoe0pwDSFVvPt6urBVpqjMRsoNwXDdG6
ZDeCvFDcSXJNKjkN4WI9Om25z+aXRBeezPM+HCwStzVkdlJtz9PAOYzwYiMEISvd
v1XgD+Es548croORclUd/LAQJrCUzGOFx6LfqPSEOz5DIqv5KtYiOhMGz1bpzsRA
ItsRoRa2ocAtxQOT7qZe1Kc1C1mO5jG+y1l6D/Ft6f//cQzDPonF+juPxBms4oOM
7mmgscT/Jgn/E2V0R3Z9R/FUVuWX0nNpUig4e581D/+SwrffS91Eijgl11p/zjRO
fGXUXQ5AlylK+T7rPcDqhWY7AE0ywCB0NMiTOsZWB8TS4E7XpEc+fpAilOcaWP0v
qZHoafbqK3eKuTs2tQH7lVGbMCKh4Kv/xxEPcnOrY3q8Iz4hv7JbbDQY6Qq6QyBP
EdS4+Sl2/WDcNjobyo9+Gtmh8ElopEM9cdGRZHmySSiowP0j4PDEPimxa11STx8+
A3kMr5KT
=8jUW
-----END PGP SIGNATURE-----

Attachment: pgplPPAlN9Nw4.pgp
Description: PGP signature


--- End Message ---

Reply via email to