[clamav-users] ClamAV CVEs

Micah Snyder (micasnyd) micasnyd at cisco.com
Fri Aug 23 09:21:27 EDT 2019


Chris, Al,

I think the CVE description is slightly misleading.  0.100.3 was created at the same time as 0.101.2 and addressed each of those:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html

However, these issues affect all versions prior to 0.101.4, as we did not create a patch for 0.100 this time:
* CVE-2019-12625: zip-bomb scan time issue.
* CVE-2019-12900: bz2 buffer overwrite in NSIS parser's copy of libbz2 decompression code.

And this issue affects all versions prior to 0.101.3:
* CVE-2019-1010305: libmspack buffer overflow in CHM file parser in bundled version of libmspack (if using).

This is still reason enough to update.
As a side note, CVE-2019-12625 is still private though it was supposed to be published yesterday.  Will get it opened up as soon as possible. 

-Micah

On 8/22/19, 8:54 PM, "clamav-users on behalf of Chris Pollock via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:

    On Thu, 2019-08-22 at 17:46 -0700, Al Varnell via clamav-users wrote:
    > Yes, I'm sorry, I was thinking of 0.101.3 when I said that.
    > 
    > -Al-
    > 
    No problem, so, I can reference these to hopefully get an update built
    for 18.04. I'll file a bug report tomorrow some time. 
    Thanks Al.
    
    > On Thu, Aug 22, 2019 at 17:37 PM, Chris Pollock via clamav-users
    > wrote:
    > > On Thu, 2019-08-22 at 16:58 -0700, Al Varnell via clamav-users
    > > wrote:
    > > > I don't see anything specifying 0.100.3 yet: <
    > > > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=clamav>.
    > > > 
    > > > -Al-
    > > > ClamXAV user
    > > 
    > > Thanks Al, maybe I'm reading the listing wrong but these
    > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1798
    > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1788
    > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1787
    > > 
    > > refer to Clam AntiVirus (ClamAV) Software versions 0.101.1 and
    > > prior.
    > > Wouldn't 0.100.3 fit into those parameters? 
    > > 
    > > > On Aug 22, 2019, at 14:12, Chris Pollock via clamav-users <
    > > > clamav-users at lists.clamav.net> wrote:
    > > > > The most current version is ClamAV 0.100.3 for Ubuntu 18.04.3
    > > > > LTS.
    > > > > Is
    > > > > there a list of CVEs that I can reference in a bug report to
    > > > > try
    > > > > and
    > > > > get ClamAV updated to the latest version?
    > > > > 
    > > > > Thank you
    > > > > Chris
    > > > > 
    > > > > -- 
    > > > > Chris
    > > > 
    > > > _______________________________________________
    > > > 
    > > > clamav-users mailing list
    > > > clamav-users at lists.clamav.net
    > > > https://lists.clamav.net/mailman/listinfo/clamav-users
    > > > 
    > > > 
    > > > Help us build a comprehensive ClamAV guide:
    > > > https://github.com/vrtadmin/clamav-faq
    > > > 
    > > > http://www.clamav.net/contact.html#ml
    > 
    > 
    > 
    -- 
    Chris
    KeyID 0xE372A7DA98E6705C
    31.11972; -97.90167 (Elev. 1092 ft)
    19:52:06 up 9 days, 11:09, 1 user, load average: 1.74, 1.27, 0.98
    Description:	Ubuntu 18.04.3 LTS, kernel 5.0.0-25-generic
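The disagreement in this thread (does 0.100.3 fall under "0.101.1 and prior"?) comes from reading a CVE's affected-version range without accounting for maintenance branches: 0.100.3 and 0.101.2 were released together and both carry the March 2019 fixes, while the August 2019 fixes shipped only in 0.101.x. The following script, added here as an editor's example and not ClamAV project code, encodes the fixed-in versions exactly as Micah states them (plus the March CVEs from the linked blog post) and performs a branch-aware comparison against a `clamscan --version` banner; the banner strings and the `naive_unfixed_cves` comparison are constructed to show the difference between the two readings.

```python
"""Branch-aware check of a ClamAV version against fixed-in versions.

Editor's example, not ClamAV project code.  FIXED_IN is transcribed from the
thread above: the March 2019 CVEs were fixed in both 0.100.3 and 0.101.2,
CVE-2019-12625/12900 only in 0.101.4 (no 0.100 patch), CVE-2019-1010305 in
0.101.3.  Sample banners are constructed.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# CVE -> versions that first carry the fix, one per maintenance branch that
# received a patch.  A branch with no entry never got a fix (0.100.x for the
# August 2019 CVEs), so every version on that branch stays affected.
FIXED_IN: Dict[str, List[Version]] = {
    # March 2019 patch release: 0.100.3 and 0.101.2 shipped together.
    "CVE-2019-1787": [(0, 100, 3), (0, 101, 2)],
    "CVE-2019-1788": [(0, 100, 3), (0, 101, 2)],
    "CVE-2019-1798": [(0, 100, 3), (0, 101, 2)],
    # August 2019: fixed in 0.101.4 only, no 0.100 patch was produced.
    "CVE-2019-12625": [(0, 101, 4)],   # zip-bomb scan time
    "CVE-2019-12900": [(0, 101, 4)],   # bz2 buffer overwrite in NSIS parser
    # Bundled libmspack CHM parser; only relevant when the bundled copy is used.
    "CVE-2019-1010305": [(0, 101, 3)],
}

_VERSION_RE = re.compile(r"ClamAV (\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Version:
    """Extract MAJOR.MINOR.PATCH from a `clamscan --version` banner.

    A real banner looks like 'ClamAV 0.100.3/25543/Thu Aug 22 ...'; the
    database number and date after the slash are ignored.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no ClamAV version found in {banner!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def branch(v: Version) -> Tuple[int, int]:
    """Maintenance branch is MAJOR.MINOR (0.100 vs 0.101)."""
    return (v[0], v[1])


def is_fixed(v: Version, fixes: List[Version]) -> bool:
    """Fixed only if v's own branch received the fix and v is at or past it."""
    same_branch = [f for f in fixes if branch(f) == branch(v)]
    return bool(same_branch) and v >= min(same_branch)


def unfixed_cves(v: Version) -> List[str]:
    """CVEs from FIXED_IN that still apply to version v (branch-aware)."""
    return sorted(cve for cve, fixes in FIXED_IN.items() if not is_fixed(v, fixes))


def naive_unfixed_cves(v: Version) -> List[str]:
    """The plain 'X and prior' reading: compare against the newest fixed version.

    This reproduces the thread's confusion: 0.100.3 sorts before 0.101.1, so a
    flat comparison wrongly reports the March CVEs as still open on 0.100.3.
    """
    return sorted(cve for cve, fixes in FIXED_IN.items() if v < max(fixes))


if __name__ == "__main__":
    # Constructed banners; the dates and DB versions are placeholders.
    for banner in ("ClamAV 0.100.3/25543/Thu Aug 22 08:00:00 2019",
                   "ClamAV 0.101.3/25543/Thu Aug 22 08:00:00 2019",
                   "ClamAV 0.101.4/25543/Thu Aug 22 08:00:00 2019"):
        v = parse_version(banner)
        print(f"{'.'.join(map(str, v))}: still affected by {unfixed_cves(v) or 'nothing'}; "
              f"naive reading says {naive_unfixed_cves(v) or 'nothing'}")
```

Two caveats when using this against a distribution package: the fixed-in table only covers the CVEs named in this thread, and distributions may backport a fix without changing the upstream version string, so the package changelog, not the banner, is the authority on whether a given CVE is addressed.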