Bug 1771392 (CVE-2007-0899)

Summary: CVE-2007-0899 clamav: heap based overflow in libclamav/fsg.c
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: anon.amish, bennie.joubert, gbcox, janfrode, j, ondrejj, orion, redhat-bugzilla, rh-bugzilla, sergio, steve
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-11-13 03:36:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1771394, 1771395
Bug Blocks: 1771393

Description Dhananjay Arunesh 2019-11-12 09:52:53 UTC
There is a possible heap overflow in libclamav/fsg.c before 0.100.0.

Reference:
https://security-tracker.debian.org/tracker/CVE-2007-0899

Comment 1 Dhananjay Arunesh 2019-11-12 09:53:41 UTC
Created clamav tracking bugs for this issue:

Affects: epel-all [bug 1771395]
Affects: fedora-all [bug 1771394]

Comment 2 Sergio Basto 2019-11-13 03:36:03 UTC
(In reply to Dhananjay Arunesh from comment #0)
> There is a possible heap overflow in libclamav/fsg.c before 0.100.0.
> 
> Reference:
> https://security-tracker.debian.org/tracker/CVE-2007-0899

https://apps.fedoraproject.org/packages/clamav

Rawhide          0.101.4-1.fc32             None
Fedora 32        0.101.4-1.fc32             None
Fedora 31        0.101.4-1.fc31             None
Fedora 30        0.101.4-1.fc30 (update)    None
Fedora 29        0.101.4-1.fc29 (update)    None
Fedora EPEL 8    0.101.4-1.el8              None
Fedora EPEL 7    0.101.4-1.el7              None
Fedora EPEL 6    0.100.3-1.el6              None
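The closing reasoning above is that every listed Fedora and EPEL build already ships a clamav at or past the 0.100.0 threshold named in the report. Checking that by hand is easy to get wrong with plain string comparison ("0.99.4" sorts after "0.100.0" lexically), so here is an added example, not part of this bug or of the clamav project, that compares RPM version strings segment by segment the way rpmvercmp does and runs the listed packages against the threshold. The table contents are copied from comment 2; the version 0.99.4 used as a counter-example is a constructed input chosen only because it sits below 0.100.0.

```python
import re
from typing import Dict, List

# Upstream version the report names as the first one without the flaw.
FIXED_VERSION = "0.100.0"

# Package versions copied from the Fedora/EPEL table in comment 2
# (release -> version-release as listed; the "(update)" markers dropped).
FEDORA_TABLE: Dict[str, str] = {
    "Rawhide": "0.101.4-1.fc32",
    "Fedora 32": "0.101.4-1.fc32",
    "Fedora 31": "0.101.4-1.fc31",
    "Fedora 30": "0.101.4-1.fc30",
    "Fedora 29": "0.101.4-1.fc29",
    "Fedora EPEL 8": "0.101.4-1.el8",
    "Fedora EPEL 7": "0.101.4-1.el7",
    "Fedora EPEL 6": "0.100.3-1.el6",
}

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version strings segment by segment, as rpmvercmp(3) does.

    Returns -1, 0 or 1.  Digit runs compare numerically (so "100" > "99"),
    letter runs compare lexically, a numeric segment outranks an alphabetic
    one, and when the common prefix ties the string with more segments is
    newer.  The tilde ("~") and caret ("^") pre-release rules of the full
    rpm algorithm are not needed for the versions on this page and are
    left out of this illustration.
    """
    sa = _SEGMENT.findall(a)
    sb = _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def upstream_version(package_version: str) -> str:
    """Strip the distro release tag: "0.101.4-1.fc32" -> "0.101.4"."""
    return package_version.split("-", 1)[0]


def is_fixed(package_version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the packaged upstream version is at or past the fixed one."""
    return rpmvercmp(upstream_version(package_version), fixed) >= 0


def unfixed_releases(table: Dict[str, str]) -> List[str]:
    """Releases whose shipped clamav still predates the fixed version."""
    return [release for release, pkg in table.items() if not is_fixed(pkg)]


if __name__ == "__main__":
    # Plain string comparison gets this backwards; rpmvercmp does not.
    # "0.99.4" is a constructed pre-fix version, not one from the table.
    print("lexical:", "0.99.4" > "0.100.0", " rpmvercmp:", rpmvercmp("0.99.4", "0.100.0"))
    print("still affected:", unfixed_releases(FEDORA_TABLE) or "none")
```

An empty result from `unfixed_releases` is what justifies the NOTABUG close for the Fedora and EPEL trackers; the same check is what to run again if an older branch (EPEL 6 is the closest, at 0.100.3) ever needs to be re-evaluated.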

Comment 5 Dave Baker 2020-03-30 15:58:33 UTC
CVSS has been updated to match NIST.  This flaw pre-dates the existing upstream git repo, so I've been unable to find the specific patch that addressed the flaw.  However, based on other "possible heap overflows" from that era, their CVSS looks to be appropriate.

It's possible this flaw is the same one from 2005 noted here: https://seclists.org/vulnwatch/2005/q4/33