Your message dated Fri, 29 May 2015 04:19:47 +0000
with message-id <[email protected]>
and subject line Bug#778406: fixed in clamav 0.98.7+dfsg-0+deb6u1
has caused the Debian Bug report #778406,
regarding clamav: CVE-2015-2305: Henry Spencer regular expressions (regex)
library contains a heap overflow vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
778406: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778406
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: clamav
Severity: important
Tags: security patch
The security team received a report from the CERT Coordination Center that the
Henry Spencer regular expressions (regex) library contains a heap overflow
vulnerability. It looks like this package includes the affected code and that's
the reason for this bug report.
The patch is available here:
http://gitweb.dragonflybsd.org/dragonfly.git/blobdiff/4d133046c59a851141519d03553a70e903b3eefc..2841837793bd095a82f477e9c370cfe6cfb3862c:/lib/libc/regex/regcomp.c
Please, can you confirm if the binary packages are affected? Are stable and
testing affected?
More information, here:
http://www.kb.cert.org/vuls/id/695940
https://guidovranken.wordpress.com/2015/02/04/full-disclosure-heap-overflow-in-h-spencers-regex-library-on-32-bit-systems/
A CVE id has been requested already and the report will be updated with it
eventually.
Cheers, luciano
--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 0.98.7+dfsg-0+deb6u1
We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Scott Kitterman <[email protected]> (supplier of updated clamav package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 27 May 2015 16:15:03 -0400
Source: clamav
Binary: clamav-base clamav-docs clamav-dbg clamav libclamav-dev libclamav6
clamav-daemon clamav-testfiles clamav-freshclam clamav-milter
Architecture: source all amd64
Version: 0.98.7+dfsg-0+deb6u1
Distribution: squeeze-lts
Urgency: high
Maintainer: ClamAV Team <[email protected]>
Changed-By: Scott Kitterman <[email protected]>
Description:
clamav - anti-virus utility for Unix - command-line interface
clamav-base - anti-virus utility for Unix - base package
clamav-daemon - anti-virus utility for Unix - scanner daemon
clamav-dbg - debug symbols for ClamAV
clamav-docs - anti-virus utility for Unix - documentation
clamav-freshclam - anti-virus utility for Unix - virus database update utility
clamav-milter - anti-virus utility for Unix - sendmail integration
clamav-testfiles - anti-virus utility for Unix - test files
libclamav-dev - anti-virus utility for Unix - development files
libclamav6 - anti-virus utility for Unix - library
Closes: 778406 778445 781088
Changes:
clamav (0.98.7+dfsg-0+deb6u1) squeeze-lts; urgency=high
.
[ Andreas Cadhalpun ]
* Fix variable name mismatch in clamav-milter.postinst in order to
make preseeding work correctly. (Closes: #778445)
* Drop 'XS-Testsuite: autopkgtest' from debian/control.
Debhelper automatically adds the Testsuite field.
This fixes the lintian warning xs-testsuite-header-in-debian-control.
* Fix cleanup on purge in clamav-base.postrm.
.
[ Sebastian Andrzej Siewior ]
* Replace ” with " in debian/common_functions (Closes: #781088)
* Import new upstream:
- Improvements to PDF processing: decryption, escape sequence
handling, and file property collection.
- Scanning/analysis of additional Microsoft Office 2003 XML format.
- Fix infinite loop condition on crafted y0da cryptor file. Identified
and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
- Fix crash on crafted petite packed file. Reported and patch
supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
- Fix false negatives on files within iso9660 containers. This issue
was reported by Minzhuan Gong.
- Fix a couple crashes on crafted upack packed file. Identified and
patches supplied by Sebastian Andrzej Siewior.
- Fix a crash during algorithmic detection on crafted PE file.
Identified and patch supplied by Sebastian Andrzej Siewior.
- Fix an infinite loop condition on a crafted "xz" archive file.
This was reported by Dimitri Kirchner and Goulven Guiheux.
CVE-2015-2668.
- Fix compilation error after ./configure --disable-pthreads.
Reported and fix suggested by John E. Krokes.
- Apply upstream patch for possible heap overflow in Henry Spencer's
regex library. CVE-2015-2305 (Closes: #778406).
- Fix crash in upx decoder with crafted file. Discovered and patch
supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
- Fix segfault scanning certain HTML files. Reported with sample by
Kai Risku.
- Improve detections within xar/pkg files.
* update GPG key used to verify releases to get uscan/get_orig.sh working
again.
* update symbol version for cl_retflevel due to CL_FLEVEL change.
.
[ Scott Kitterman ]
* Drop minimum debhelper version to 8 for squeeze and drop indep specific
override of dh_installdocs
* Manually patch in results of autoreconf since dh_autoreconf is too
old and package FTBFS otherwise
* Drop procps requirement and dpkg minimum version requirement since squeeze
versions are too old and revert init script changes for freshclam, daemon,
and milter to use the squeeze versions of the init scripts (also restore
required functions to debian/common_functions)
Checksums-Sha1:
331d06c4ba33ec7bf5a4f9f6b033367d9f09204f 2590 clamav_0.98.7+dfsg-0+deb6u1.dsc
d00df0b36ca5ef72518e891e5cb2bdf7ffbf9b9c 8322932 clamav_0.98.7+dfsg.orig.tar.xz
8e4a9b0f21ca2d01ff22785bd160965f01397a66 1044443 clamav_0.98.7+dfsg-0+deb6u1.debian.tar.gz
548c2b5d92c96d7e4a8adb284e5be8ee5dc31aa9 282668 clamav-base_0.98.7+dfsg-0+deb6u1_all.deb
bfed58411ed7d85e9d270a74c4b3f45b8f4d3b4e 900204 clamav-docs_0.98.7+dfsg-0+deb6u1_all.deb
97d28fe268b788886a84c019abac097edb22b4f5 24750164 clamav-dbg_0.98.7+dfsg-0+deb6u1_amd64.deb
eead66602bd958eed4d5ed428827c9e7029c4f9a 408530 clamav_0.98.7+dfsg-0+deb6u1_amd64.deb
14de05a9b849d68d44f983ff0309c35a9ceb7a42 245258 libclamav-dev_0.98.7+dfsg-0+deb6u1_amd64.deb
1d403a533a83251629a91b7657d1691d14822b2d 4447120 libclamav6_0.98.7+dfsg-0+deb6u1_amd64.deb
2fbb79e416b6c7845bc529faaca6b795b43da2b4 538564 clamav-daemon_0.98.7+dfsg-0+deb6u1_amd64.deb
8ffdafa610253dfe584ee501982fc8759121fe61 5288050 clamav-testfiles_0.98.7+dfsg-0+deb6u1_all.deb
10ea604d3b34e8013a3f963ba2a57c90354c511e 353674 clamav-freshclam_0.98.7+dfsg-0+deb6u1_amd64.deb
67b87ac5626ff972886390b47d2b6127d107c957 388388 clamav-milter_0.98.7+dfsg-0+deb6u1_amd64.deb
Checksums-Sha256:
cfa7feb3afd762ef0b0e09e5222c4d378c895f7b9a8c54e7a6d15213fc78cb3b 2590 clamav_0.98.7+dfsg-0+deb6u1.dsc
3a153ccdde90702dc175bd251784b66f09431b517da4ca8c99407ecd3e295fa5 8322932 clamav_0.98.7+dfsg.orig.tar.xz
123f39871f85a419009fb7c36996426a13789860bce907cb3d1446d50709e990 1044443 clamav_0.98.7+dfsg-0+deb6u1.debian.tar.gz
a0d7f7eaeda84ce8759046a18397acccf1ab46ab25009daa2471b9b28c714b83 282668 clamav-base_0.98.7+dfsg-0+deb6u1_all.deb
64e69e7aaaf3ee9c8e7cf14880c5b5bd9e10289d9c3c642a569d42e80a9d58e6 900204 clamav-docs_0.98.7+dfsg-0+deb6u1_all.deb
d75ab02976356b84100eafcc115d3fbcbd72f875efe5f39adecfb04e8a7300c8 24750164 clamav-dbg_0.98.7+dfsg-0+deb6u1_amd64.deb
93a7f9c67fc3c142d59dc0b28d1d08c2c3127e3101ed05132a1bfd439e445550 408530 clamav_0.98.7+dfsg-0+deb6u1_amd64.deb
b6b4fe717d8646dbed553adc37a096b02e86f3f63304f3999a2e28ab30dab5f1 245258 libclamav-dev_0.98.7+dfsg-0+deb6u1_amd64.deb
f8d8135c977193d420c278fda5899e79019749b6a75dc978338251b8869681ba 4447120 libclamav6_0.98.7+dfsg-0+deb6u1_amd64.deb
678a1d0a7b94fdaf92177c467531caea6bb64008bb68d6ac819be0e554c70bfc 538564 clamav-daemon_0.98.7+dfsg-0+deb6u1_amd64.deb
bf5b0749714749e20bb8de3ad498218364ffb3c804d15defaeb9ff47e264192f 5288050 clamav-testfiles_0.98.7+dfsg-0+deb6u1_all.deb
9c3817c945439065b5842a7291115dcda0cc252d930b1d0d08e431d0b3c6b2f0 353674 clamav-freshclam_0.98.7+dfsg-0+deb6u1_amd64.deb
900ee3f39e301bbdc4a350e599d030276647fee042474c0ef397ab446ced90a1 388388 clamav-milter_0.98.7+dfsg-0+deb6u1_amd64.deb
Files:
34a0871965394b2273ef56094a0a0cb7 2590 utils optional clamav_0.98.7+dfsg-0+deb6u1.dsc
7a012088d4389bd3ac2ac35442b98d37 8322932 utils optional clamav_0.98.7+dfsg.orig.tar.xz
0f72cb03dc8545d9fab54e3dd7c87269 1044443 utils optional clamav_0.98.7+dfsg-0+deb6u1.debian.tar.gz
c17d626f57d0babf6c5a4f3e52a0b469 282668 utils optional clamav-base_0.98.7+dfsg-0+deb6u1_all.deb
8e82151b0ca73f2b94f4ea9f8aadb8aa 900204 doc optional clamav-docs_0.98.7+dfsg-0+deb6u1_all.deb
7824d0ce8c5553082d2fe9fcdca220cb 24750164 debug extra clamav-dbg_0.98.7+dfsg-0+deb6u1_amd64.deb
0daf4786e224cae58259250c1c1c5aa3 408530 utils optional clamav_0.98.7+dfsg-0+deb6u1_amd64.deb
5c3b196e8c49985ba9bd202fc44e58a9 245258 libdevel optional libclamav-dev_0.98.7+dfsg-0+deb6u1_amd64.deb
4e352c3496f2ebef75350440891fabe6 4447120 libs optional libclamav6_0.98.7+dfsg-0+deb6u1_amd64.deb
f92c9da25d3647fffb5c10f4c34ea01b 538564 utils optional clamav-daemon_0.98.7+dfsg-0+deb6u1_amd64.deb
bb3dfa343ba47ff69229b1b071ee70a8 5288050 utils optional clamav-testfiles_0.98.7+dfsg-0+deb6u1_all.deb
330b9ad62b5df57632f4f4836f44beb7 353674 utils optional clamav-freshclam_0.98.7+dfsg-0+deb6u1_amd64.deb
19137830d7c108e7786f7d99b891460a 388388 utils extra clamav-milter_0.98.7+dfsg-0+deb6u1_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=NAwK
-----END PGP SIGNATURE-----
--- End Message ---
_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel