Control: tags -1 + confirmed

On Sun, 2020-05-24 at 17:47 +0200, Sebastian Andrzej Siewior wrote:
> ClamAV upstream released 0.102.3 fixing two CVEs. From their news:
> 
> > ClamAV 0.102.3 is a bug patch release to address the following
> > issues.
> > 
> > - [CVE-2020-3327](
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
> >  Fix a vulnerability in the ARJ archive parsing module in ClamAV
> > 0.102.2 that could cause a Denial-of-Service (DoS) condition.
> > Improper bounds checking of an unsigned variable results in an out-
> > of-bounds read which causes a crash.
[...]
> > - [CVE-2020-3341](
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3341):
> >  Fix a vulnerability in the PDF parsing module in ClamAV 0.101 -
> > 0.102.2 that could cause a Denial-of-Service (DoS) condition.
> > Improper size checking of a buffer used to initialize AES
> > decryption routines results in an out-of-bounds read which may
> > cause a crash. Bug found by OSS-Fuzz.
> > 
> > - Fix "Attempt to allocate 0 bytes" error when parsing some PDF
> > documents.
> > 
> > - Fix a couple of minor memory leaks.

Please go ahead.

Was the intent that the updates be pushed via -updates?

Regards,

Adam
