[Clamav-devel] ClamAV® blog: ClamAV 0.102.3 security patch released

[Joel Esler (jesler)]

> https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html <https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html>
> 
> ClamAV 0.102.3 security patch released
> 
> Today, we're publishing 0.102.3. Navigate to ClamAV's downloads page <http://www.clamav.net/downloads> to download the release materials.
> 
> ClamAV 0.102.3
> 
> 
> ClamAV 0.102.3 is a bug patch release to address the following issues.
> 
> - CVE-2020-3327 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327>: Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash.
> 
>   Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.
> 
> - CVE-2020-3341 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3341>: Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash. Bug found by OSS-Fuzz.
> 
> - Fix "Attempt to allocate 0 bytes" error when parsing some PDF documents.
> 
> - Fix a couple of minor memory leaks.
> 
> - Updated libclamunrar to UnRAR 5.9.2.
> 
> Please join us on the ClamAV mailing lists <https://www.clamav.net/contact#ml>, on irc.freenode.net in #clamav, or on Discord <https://discord.gg/sGaxA5Q> for further discussion. Thanks!  
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3010 bytes
Desc: not available
URL: <https://lists.clamav.net/pipermail/clamav-devel/attachments/20200512/e1992496/attachment.bin>