Your message dated Mon, 04 May 2015 10:02:41 +0000
with message-id <[email protected]>
and subject line Bug#778406: fixed in clamav 0.98.7+dfsg-0+deb7u1
has caused the Debian Bug report #778406,
regarding clamav: CVE-2015-2305: Henry Spencer regular expressions (regex) 
library contains a heap overflow vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
778406: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778406
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: clamav
Severity: important
Tags: security patch

The security team received a report from the CERT Coordination Center that the 
Henry Spencer regular expressions (regex) library contains a heap overflow 
vulnerability. It looks like this package includes the affected code and that's 
the reason for this bug report.

The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c

Please, can you confirm if the binary packages are affected? Are stable and 
testing affected?

More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/

A CVE id has been requested already and the report will be updated with it 
eventually.

Cheers, luciano

--- End Message ---
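The report above only names the bug class (a heap overflow in the Spencer regex library, which the linked disclosure ties to 32-bit systems) and points at the DragonFly patch. The following is an added illustration, written for this page and not code from ClamAV, Debian, or the regex library: it models in 32-bit arithmetic how a byte count derived from an attacker-controlled pattern length can wrap so that malloc() hands back a buffer far smaller than what is later written into it, and shows the guard that rejects such lengths before allocating. The size formula len/2*3+1 and the 4-byte element size are assumptions chosen to model the class of bug, not a quotation of the library source or of the patch.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not library code.  On a 32-bit host size_t is 32 bits,
 * so we model it explicitly with uint32_t; the same source compiled for
 * 64-bit would not wrap at these lengths, which is why the disclosure
 * singles out 32-bit systems. */
typedef uint32_t size32_t;            /* stands in for size_t on a 32-bit host */
#define SIZE32_MAX UINT32_MAX
#define SOP_SIZE   4u                 /* assumed size of one compiled-program element */

/* Unchecked variant: element count, then byte count, both in 32-bit
 * arithmetic.  For large len the multiplication wraps and the result is
 * a small number that malloc() would happily satisfy. */
size32_t naive_strip_bytes(size32_t len)
{
    size32_t ssize = len / 2u * 3u + 1u;   /* assumed element-count formula */
    return ssize * SOP_SIZE;               /* byte count; may wrap modulo 2^32 */
}

/* 1 if the unchecked byte count is smaller than the input length, i.e. the
 * allocation wrapped and cannot hold even one byte per pattern byte. */
int naive_wrapped(size32_t len)
{
    return naive_strip_bytes(len) < len;
}

/* Checked variant: returns the byte count, or 0 (never a valid result here,
 * since even len == 0 needs SOP_SIZE bytes) when either the element count
 * or the byte count would not fit.  A caller would turn 0 into a
 * REG_ESPACE-style failure instead of allocating. */
size32_t checked_strip_bytes(size32_t len)
{
    /* len/2*3+1 must not exceed SIZE32_MAX (conservative bound on len) */
    if (len > (SIZE32_MAX - 1u) / 3u * 2u)
        return 0;
    size32_t ssize = len / 2u * 3u + 1u;
    /* ssize*SOP_SIZE must not exceed SIZE32_MAX */
    if (ssize > SIZE32_MAX / SOP_SIZE)
        return 0;
    return ssize * SOP_SIZE;
}

int main(void)
{
    /* Constructed lengths: a small pattern and a pathological one. */
    size32_t lens[] = { 100u, 715827880u, 0x60000000u };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size32_t len = lens[i];
        printf("len=%u naive=%u wrapped=%d checked=%u\n",
               (unsigned)len, (unsigned)naive_strip_bytes(len),
               naive_wrapped(len), (unsigned)checked_strip_bytes(len));
    }
    return 0;
}
```

For a pattern of 0x60000000 bytes the unchecked computation yields 1073741828 bytes, well under the roughly 9.6 GB the element count actually implies, while the checked version refuses it; the largest length the checked version accepts is the one whose byte count still fits in 32 bits.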
--- Begin Message ---
Source: clamav
Source-Version: 0.98.7+dfsg-0+deb7u1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 02 May 2015 22:35:37 +0200
Source: clamav
Binary: clamav-base clamav-docs clamav-dbg clamav libclamav-dev libclamav6 
clamav-daemon clamav-testfiles clamav-freshclam clamav-milter
Architecture: source all
Version: 0.98.7+dfsg-0+deb7u1
Distribution: oldstable
Urgency: high
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Description: 
 clamav     - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-dbg - debug symbols for ClamAV
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav6 - anti-virus utility for Unix - library
Closes: 778406 778445 781088
Changes: 
 clamav (0.98.7+dfsg-0+deb7u1) oldstable; urgency=high
 .
   [ Andreas Cadhalpun ]
   * Fix variable name mismatch in clamav-milter.postinst in order to
     make preseeding work correctly. (Closes: #778445)
   * Drop 'XS-Testsuite: autopkgtest' from debian/control.
     Debhelper automatically adds the Testsuite field.
     This fixes the lintian warning xs-testsuite-header-in-debian-control.
   * Fix cleanup on purge in clamav-base.postrm.
 .
   [ Sebastian Andrzej Siewior ]
   * Replace ” with " in debian/common_functions (Closes: #781088)
   * Import new upstream:
     - Improvements to PDF processing: decryption, escape sequence
       handling, and file property collection.
     - Scanning/analysis of additional Microsoft Office 2003 XML format.
     - Fix infinite loop condition on crafted y0da cryptor file. Identified
       and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
     - Fix crash on crafted petite packed file. Reported and patch
       supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
     - Fix false negatives on files within iso9660 containers. This issue
       was reported by Minzhuan Gong.
     - Fix a couple crashes on crafted upack packed file. Identified and
       patches supplied by Sebastian Andrzej Siewior.
     - Fix a crash during algorithmic detection on crafted PE file.
       Identified and patch supplied by Sebastian Andrzej Siewior.
     - Fix an infinite loop condition on a crafted "xz" archive file.
       This was reported by Dimitri Kirchner and Goulven Guiheux.
       CVE-2015-2668.
     - Fix compilation error after ./configure --disable-pthreads.
       Reported and fix suggested by John E. Krokes.
     - Apply upstream patch for possible heap overflow in Henry Spencer's
       regex library. CVE-2015-2305 (Closes: #778406).
     - Fix crash in upx decoder with crafted file. Discovered and patch
       supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
     - Fix segfault scanning certain HTML files. Reported with sample by
       Kai Risku.
     - Improve detections within xar/pkg files.
   * update GPG key used to verify releases to get uscan/get_orig.sh working
     again.
   * update symbol version for cl_retflevel due to CL_FLEVEL change.
Checksums-Sha1: 
 6b755bd27eb547946424c3055b4e431adb374d52 2883 clamav_0.98.7+dfsg-0+deb7u1.dsc
 d00df0b36ca5ef72518e891e5cb2bdf7ffbf9b9c 8322932 clamav_0.98.7+dfsg.orig.tar.xz
 9e9ba6cb4f82cea7b259d5f679cfc9caeac2eab8 852764 
clamav_0.98.7+dfsg-0+deb7u1.debian.tar.gz
 0c597e1edb972459961683abbe9c32a75d06f4db 282498 
clamav-base_0.98.7+dfsg-0+deb7u1_all.deb
 0e5edb040faa54b26fcd789f2e6995a99fff7431 903890 
clamav-docs_0.98.7+dfsg-0+deb7u1_all.deb
 0c56e36ada43850a1ed74bf8d44657d1959fa28e 5286736 
clamav-testfiles_0.98.7+dfsg-0+deb7u1_all.deb
Checksums-Sha256: 
 a109d8300ad94c0edf38533889555eb6c2ecdedd5b14d88b69f56ca260c8b7c1 2883 
clamav_0.98.7+dfsg-0+deb7u1.dsc
 3a153ccdde90702dc175bd251784b66f09431b517da4ca8c99407ecd3e295fa5 8322932 
clamav_0.98.7+dfsg.orig.tar.xz
 a950749d6d13a893abef1d7c2e1594b418a762ed60e516b190152dc2a1ac24e1 852764 
clamav_0.98.7+dfsg-0+deb7u1.debian.tar.gz
 872b97d291939e68e4d6278dc2aa3033a5be6ce4f73a5e9f4867dc85f3ade045 282498 
clamav-base_0.98.7+dfsg-0+deb7u1_all.deb
 1e28adc8b7b1f3580acd20d5894658d0cf15db4ed26866546334372f90d83425 903890 
clamav-docs_0.98.7+dfsg-0+deb7u1_all.deb
 d69b0b68fef69855580a430b91180e23c8c32de1c4a8c427ef8cbf7a9b4d5d6d 5286736 
clamav-testfiles_0.98.7+dfsg-0+deb7u1_all.deb
Files: 
 2794f43800109b40d94322b2e5824fc4 2883 utils optional 
clamav_0.98.7+dfsg-0+deb7u1.dsc
 7a012088d4389bd3ac2ac35442b98d37 8322932 utils optional 
clamav_0.98.7+dfsg.orig.tar.xz
 4b56dfef2016aab476b25556db565718 852764 utils optional 
clamav_0.98.7+dfsg-0+deb7u1.debian.tar.gz
 e8bb543cd777ab0cb06ce61ad4c2ef46 282498 utils optional 
clamav-base_0.98.7+dfsg-0+deb7u1_all.deb
 0ff20570cb447079860ab76fae4674be 903890 doc optional 
clamav-docs_0.98.7+dfsg-0+deb7u1_all.deb
 948da1e5ed025856943a6b2e6fdad5f0 5286736 utils optional 
clamav-testfiles_0.98.7+dfsg-0+deb7u1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCgAGBQJVRnkhAAoJEHuW6BYqjPXRh/oP/0ehbzhDdM/nky8nwcVo6qMp
s6L5zf9ievFmqHKnlaA7faer6YP1Ip+NVYGAuKszPW7oVgsKRSC+IL41mN5LERk1
eoV7rszWXCnrMIg08pRnPTDFAH7Tn5x30nRNo/HyNBqh0N+js/kdN875dsjqV2n0
/KO90dp/UivUsZQY+jU0dXeXWCkFWDTKUKLie+pA6NOT4JEdmKV83NeN6oUqVZhZ
mDzLy27VZp1o8Yrb8UvCAdWV6nz297DiLCJqHwuPSId/XukB5a2Y23bbHtbrGKcL
DYJ7ACN6tpW74A54u3EuyObN6RDr/z0bFt4udKHWxBzL1eLDaDalDQwfqPstg6Fs
8JlZhqBpEa8+hgZkEyhcoixYcAK8pgu9cY8YMDSOgTNE89vvaAHd7JGWW+nJpHJf
hDMBx5bNyPzuTaJd2RdTgYhXtZB66ry/5TXyv+wLyeU9qpsBFrImkpQa3Ap20FLi
yTuW8wtPNifd8a4wgNILZ/CjNB+0GnJQhRJtL4HQ2cB/ry/ghR4Jwwo3a/Pjal6B
QbwozEaxYgfw1gZm+onxmkRyMiWyQf3oDoCp+SjW37crHV65DQTdR8E5u9ZTe7dz
1/4mRUZGhfUNJYD9Ouiti9kV5aZtEuvJPPLdWCY0OWg36hOuyZq6mMwEApv8lCZA
xMkiSiqZGDwbi/Uod3cj
=bI4e
-----END PGP SIGNATURE-----

--- End Message ---
_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel
