Bug 1187050 (CVE-2014-9328)

Summary: CVE-2014-9328 clamav: heap out of bounds condition with crafted upack packer files
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: carnil, janfrode, jorti, j, mstevens, nathanael, nb, ondrejj, redhat-bugzilla, rhbugs, r.zuidhof
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ClamAV 0.98.6 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-18 16:09:08 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1187051, 1187052    
Bug Blocks:    

Description Vasyl Kaigorodov 2015-01-29 09:20:31 UTC 
ClamAV 0.98.6 fixes a heap out of bounds condition with crafted upack packer files [1].

[1]: http://lurker.clamav.net/message/20150127.232443.27bcc068.en.html
Comment 1 Vasyl Kaigorodov 2015-01-29 09:21:08 UTC 
Created clamav tracking bugs for this issue:

Affects: fedora-all [bug 1187051]
Affects: epel-all [bug 1187052]
Comment 2 Martin Prpič 2015-01-30 07:43:56 UTC 
ClamAV 0.98.6, which fixes this issue, has been released:

http://blog.clamav.net/2015/01/clamav-0986-has-been-released.html
Comment 3 Fedora Update System 2015-01-30 16:03:14 UTC 
clamav-0.98.6-1.el7 has been pushed to the Fedora EPEL 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Fedora Update System 2015-01-30 23:53:49 UTC 
clamav-0.98.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2015-01-30 23:56:37 UTC 
clamav-0.98.6-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2015-02-06 20:47:25 UTC 
clamav-0.98.6-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2015-02-08 19:22:58 UTC 
clamav-0.98.6-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Richard Zuidhof 2015-02-24 10:40:48 UTC 
Although version 0.98.6 is available in rhel6-x86_64-epel it does not get installed using yum --security. Did Red Hat forget to tag it with this CVE?
Comment 9 Robert Scheck 2015-02-24 10:58:06 UTC 
What is "rhel6-x86_64-epel"? Note that EPEL is not maintained by Red Hat, but
by EPEL community contributors like me (and I did this update).
Comment 10 Richard Zuidhof 2015-02-24 11:44:36 UTC 
Indeed it seems I learned today that the yum security plugin is not supported for EPEL (and Centos). Still my Debian background haunting me.