[Bug 2007456] Re: CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.
Updated versions have been published:

Ubuntu 22.10
* clamav - 0.103.8+dfsg-0ubuntu0.22.10.1

Ubuntu 22.04
* clamav - 0.103.8+dfsg-0ubuntu0.22.04.1

Ubuntu 20.04
* clamav - 0.103.8+dfsg-0ubuntu0.20.04.1

Ubuntu 18.04
* clamav - 0.103.8+dfsg-0ubuntu0.18.04.1

More information in: https://ubuntu.com/security/notices/USN-5887-1

** Changed in: clamav (Ubuntu Bionic)
Status: In Progress => Fix Released

** Changed in: clamav (Ubuntu Focal)
Status: In Progress => Fix Released

** Changed in: clamav (Ubuntu Jammy)
Status: In Progress => Fix Released

** Changed in: clamav (Ubuntu Kinetic)
Status: In Progress => Fix Released

** Changed in: clamav (Ubuntu Lunar)
Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2007456

Title:
CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/2007456/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
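A defender-side check added here (not part of the thread or of Ubuntu's tooling): a small Python implementation of dpkg's version ordering, compared against the fixed clamav versions that USN-5887-1 lists in the message above, so an administrator can tell whether an installed package is at or past the fix. The fixed version strings are the ones from the message; the Ubuntu-series keys and the function names are this example's own.

```python
import re

# Fixed clamav versions from USN-5887-1, as listed in the message above.
FIXED_VERSIONS = {
    "22.10": "0.103.8+dfsg-0ubuntu0.22.10.1",
    "22.04": "0.103.8+dfsg-0ubuntu0.22.04.1",
    "20.04": "0.103.8+dfsg-0ubuntu0.20.04.1",
    "18.04": "0.103.8+dfsg-0ubuntu0.18.04.1",
}

def _char_order(c):
    # dpkg rule: '~' sorts before anything, even end of string (0); letters before other chars.
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        ac = _char_order(a[i]) if i < len(a) else 0
        bc = _char_order(b[i]) if i < len(b) else 0
        if ac != bc:
            return -1 if ac < bc else 1
    return 0

def _cmp_fragment(a, b):
    # Alternate dpkg's lexical non-digit runs and numeric digit runs until both are exhausted.
    while a or b:
        am, bm = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        r = _cmp_nondigit(am, bm)
        if r:
            return r
        a, b = a[len(am):], b[len(bm):]
        am, bm = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        if int(am or 0) != int(bm or 0):
            return -1 if int(am or 0) < int(bm or 0) else 1
        a, b = a[len(am):], b[len(bm):]
    return 0

def compare_versions(v1, v2):
    """Return -1, 0 or 1 following dpkg's [epoch:]upstream[-revision] ordering."""
    def split(v):  # epoch before the first ':', revision after the last '-'
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def is_fixed(series, installed):
    """True if the clamav package installed on that Ubuntu series is at or past the fix."""
    return compare_versions(installed, FIXED_VERSIONS[series]) >= 0
```

Feed it the output of `dpkg-query -W -f='${Version}' clamav` for the installed version; a package built from the upstream 1.0.1 LTS release (as one poster in this thread did) compares as newer than the fix.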
[Bug 2007456] Re: CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.
Hi Keath, It takes time because it is a newer version update. As you can see in comment #4 it is currently available for testing on the security-proposed PPA. If you could test it and give us feedback that it is working properly, that would be much appreciated. Also, we are currently having issues with clamav and lunar, but we hope to have it done by next week and everything published. Please bear with us in the meantime.
[Bug 2007456] Re: CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.
I'm sorry,... but why is this critical bug taking so long? It's in the wild and affects a large population... (since the 16th) This is the type of thing that kills distros (i.e. Gentoo)
[Bug 2007456] Re: CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.
https://ubuntu.com/security/CVE-2023-20032 lists this CVE as a medium priority. The Google security-research team rates it as high severity and has a POC zip file that will crash ClamAV in default configuration when it scans it. https://github.com/google/security-research/security/advisories/GHSA-r6g3-3wqj-m3c8 So can the priority be raised, and updates for older versions of Ubuntu be released quickly as well?
[Bug 2007456] Re: CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.
Updated 0.103.8 versions have been pushed to the security-proposed PPA (https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=clamav&field.status_filter=published&field.series_filter=). Feel free to test them and communicate any possible issues. Thanks for the help!
[Bug 2007456] Re: CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.
We are currently working on updates, and they should be released within the next few days.
[Bug 2007456] Re: CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.
We did a temporary in-place replacement with the 1.0.1 LTS clamav: https://blog.werk21.de/en/2023/02/20/update-place-replacement-clamav-ubuntu We have package dependencies and were not able to purge the original packages, so we decided to override the bins and libs temporarily. Maybe you want to switch to the LTS deb from https://www.clamav.net/downloads
[Bug 2007456] Re: CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.
Is there anything that I, and/or others, can do to help resolve this CVE? As it's a critical (9.8 CVE) RCE, I'm quite concerned about running ClamAV right now with any exposure to the internet, and have begun looking into compiling a drop-in replacement of ClamAV for this existing package. If there's anything I can do to help test or compile the upstream code with different options, please let me know. I'm happy to help, as I want to see this resolved as quickly as possible.
[Bug 2007456] Re: CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-20032
[Bug 2007456] Re: CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.
** Information type changed from Private Security to Public Security

** Also affects: clamav (Ubuntu Kinetic)
Importance: Undecided
Status: New

** Also affects: clamav (Ubuntu Bionic)
Importance: Undecided
Status: New

** Also affects: clamav (Ubuntu Lunar)
Importance: Undecided
Assignee: David Fernandez Gonzalez (litios)
Status: New

** Also affects: clamav (Ubuntu Focal)
Importance: Undecided
Status: New

** Also affects: clamav (Ubuntu Jammy)
Importance: Undecided
Status: New

** Changed in: clamav (Ubuntu Bionic)
Status: New => In Progress

** Changed in: clamav (Ubuntu Focal)
Status: New => In Progress

** Changed in: clamav (Ubuntu Jammy)
Status: New => In Progress

** Changed in: clamav (Ubuntu Kinetic)
Status: New => In Progress

** Changed in: clamav (Ubuntu Lunar)
Status: New => In Progress

** Changed in: clamav (Ubuntu Kinetic)
Assignee: (unassigned) => David Fernandez Gonzalez (litios)

** Changed in: clamav (Ubuntu Jammy)
Assignee: (unassigned) => David Fernandez Gonzalez (litios)

** Changed in: clamav (Ubuntu Focal)
Assignee: (unassigned) => David Fernandez Gonzalez (litios)

** Changed in: clamav (Ubuntu Bionic)
Assignee: (unassigned) => David Fernandez Gonzalez (litios)