[Pkg-clamav-devel] Bug#1031509: marked as done (clamav: 2 RCE bugs in ClamAV 0.103 (+ 1.0.0), CVE-2023-20032/CVE-2023-20052)

Fri, 17 Feb 2023 11:51:16 -0800 

Your message dated Fri, 17 Feb 2023 19:49:38 +0000
with message-id <[email protected]>
and subject line Bug#1031509: fixed in clamav 1.0.1+dfsg-1
has caused the Debian Bug report #1031509,
regarding clamav: 2 RCE bugs in ClamAV 0.103 (+ 1.0.0), 
CVE-2023-20032/CVE-2023-20052
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1031509: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031509
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message --- 
Package: clamav
Version: 0.103.7+dfsg-0+deb11u1
Severity: important

Dear Maintainer,

ClamAV/Cisco have released a security advisory concerning 2 potential-RCE
bugs in ClamAV:
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

According to the the security tracker, all versions currently in Debian
are vulnerable:
https://security-tracker.debian.org/tracker/CVE-2023-20032
https://security-tracker.debian.org/tracker/CVE-2023-20052

Please consider an update. Currently, ClamAV is not suitable for use in a
(quite common) email-scanning setup like with Amavis, but can still be
used (with appropriate care) directly. Thus I think Severity: important fits.

Kind regards,
Robert

-- Package-specific info:
--- configuration ---
# Automatically created by the clamav-freshclam postinst
# Comments will get lost when you reconfigure the clamav-freshclam package

DatabaseOwner clamav
UpdateLogFile /var/log/clamav/freshclam.log
LogVerbose false
LogSyslog false
LogFacility LOG_LOCAL6
LogFileMaxSize 0
LogRotate true
LogTime true
Foreground false
Debug false
MaxAttempts 5
DatabaseDirectory /var/lib/clamav
DNSDatabaseInfo current.cvd.clamav.net
ConnectTimeout 30
ReceiveTimeout 0
TestDatabases yes
ScriptedUpdates yes
CompressLocalDatabase no
Bytecode true
NotifyClamd /etc/clamav/clamd.conf
# Check for new database 24 times a day
Checks 24
DatabaseMirror db.local.clamav.net
DatabaseMirror database.clamav.net

--- data dir ---
total 226104
-rw-r--r-- 1 clamav clamav    293670 Feb 17 14:46 bytecode.cvd
-rw-r--r-- 1 clamav clamav  60744631 Feb 17 14:44 daily.cvd
-rw-r--r-- 1 clamav clamav        69 Feb 17 14:43 freshclam.dat
-rw-r--r-- 1 clamav clamav 170479789 Feb 17 14:46 main.cvd

-- System Information:
Debian Release: 11.6
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 
'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates-debug')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.18.0-0.deb11.4-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages clamav depends on:
ii  clamav-freshclam [clamav-data]  0.103.7+dfsg-0+deb11u1
ii  libc6                           2.31-13+deb11u5
ii  libclamav9                      0.103.7+dfsg-0+deb11u1
ii  libcurl4                        7.74.0-1.3+deb11u3
ii  libjson-c5                      0.15-2
ii  libssl1.1                       1.1.1n-0+deb11u3
ii  zlib1g                          1:1.2.11.dfsg-2+deb11u2

Versions of packages clamav recommends:
ii  clamav-base  0.103.7+dfsg-0+deb11u1

Versions of packages clamav suggests:
pn  clamav-docs   <none>
pn  libclamunrar  <none>

-- no debconf information

--- End Message ---
--- Begin Message --- 
Source: clamav
Source-Version: 1.0.1+dfsg-1
Done: Sebastian Andrzej Siewior <[email protected]>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 Feb 2023 20:29:05 +0100
Source: clamav
Architecture: source
Version: 1.0.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 1031509
Changes:
 clamav (1.0.1+dfsg-1) unstable; urgency=medium
 .
   * Import 1.0.1 (Closes: #1031509)
     - CVE-2023-20032 (Possible RCE in the HFS+ file parser).
     - CVE-2023-20052 (Possible information leak in the DMG file parser).
Checksums-Sha1:
 fec345e5820bc6ea8c8b15a41cf1234e2320ff0e 2829 clamav_1.0.1+dfsg-1.dsc
 fe18edded75204a2b4b4ec0c73c22da14e5235c2 14132600 clamav_1.0.1+dfsg.orig.tar.xz
 2271488d1efe0e9dfb402630c520c36a46af34a8 222848 
clamav_1.0.1+dfsg-1.debian.tar.xz
Checksums-Sha256:
 6263eb81b8cdabc605bac140742ba31907a4025a3a4d65ea82e4992aba5486fc 2829 
clamav_1.0.1+dfsg-1.dsc
 0f19b43ec26395bb921a03a77a17138b92fde4ddbcee33804da7075e5d709c90 14132600 
clamav_1.0.1+dfsg.orig.tar.xz
 4aa0a1529b35cfd795905815ac959b9d717054e35968dfcf1a88ed0cef2d787d 222848 
clamav_1.0.1+dfsg-1.debian.tar.xz
Files:
 b3f25cf5947cc8d612a5bf677bfae921 2829 utils optional clamav_1.0.1+dfsg-1.dsc
 5dae77cb4de79e4ead9275f75c90bd20 14132600 utils optional 
clamav_1.0.1+dfsg.orig.tar.xz
 5d68b02434a4dcb01ed33089f5cdecf1 222848 utils optional 
clamav_1.0.1+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmPv1d0ACgkQBWQfF1cS
+lv1OQv+PZ78Ke84bICNkMqTqVyN1RAxtF8v6u58hbDwnqjhp1cD2PuHuX67nSMx
WTZgTH4IqzMGfPnPQR7HPXiSFmd0GQt/2LqNy/WKr4C3yeHG0I4I2nHOBxyQRbG1
YZ7WAz8RXbU9gJWcEFZTQZBwcYy+D4ts1Sm67XbIz8WytIaXbl4lM/QCEMuX7Mqn
qyL+utgOW8V575QJo7BwYHIgyvOAWkHqprCGTgX8/PttxzdDxm+jwdH0E/qROCQM
2MpWuD7V87rzyQJZ3amYVXpuCRfaECoWiNb8LEZznMlx10+HzYtJjuJeC1N84JSm
+YyspwtrqiBBUWYVsx/RSp8emfyq7qy8RU1fmR2nEqVtQqwsXstWdZvpO69fBRmV
A+PX9Lp2i8WsX4378NgcLrtbAmxvMHjFXRZRJo76IaXKNZGb/DBgwgE9es0gpPbG
j5D1hW8KwT7WJ55SmgE7yPw6s+i4KLvgdSxviSP/lItdbfgNDpqHGwpVXCuVNFoz
VDYQwsDt
=0Fl8
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-clamav-devel

Reply via email to