Bug 1961572 (CVE-2021-1405)

Summary: CVE-2021-1405 clamav: denial of service in the PDF parsing module
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: anon.amish, bennie.joubert, hanspeter.gosteli, janfrode, j, lee.jnk, ondrejj, orion, pgnet.dev, redhat-bugzilla, rh-bugzilla, steve
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
A flaw was found in clamav. The email parsing module could allow an unauthenticated, remote attacker to cause a denial of service condition due to improper variable initialization that may result in a NULL pointer read. The highest threat from this vulnerability is to system availability.
Bug Depends On: 1961573, 1961574, 1961711    
Bug Blocks: 1961575    

Description Marian Rehak 2021-05-18 10:05:51 UTC
A vulnerability in the email parsing module in Clam AntiVirus (ClamAV) Software version 0.103.1 and all prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper variable initialization that may result in a NULL pointer read. An attacker could exploit this vulnerability by sending a crafted email to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to crash, resulting in a denial of service condition.

https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
https://lists.debian.org/debian-lts-announce/2021/04/msg00012.html
https://security.gentoo.org/glsa/202104-07

Comment 1 Marian Rehak 2021-05-18 10:06:35 UTC
Created clamav tracking bugs for this issue:

Affects: epel-all [bug 1961574]
Affects: fedora-all [bug 1961573]

Comment 3 Sergio Basto 2021-05-18 20:03:05 UTC
(In reply to Marian Rehak from comment #0)
> A vulnerability in the email parsing module in Clam AntiVirus (ClamAV)
> Software version 0.103.1 and all prior versions could allow an
> unauthenticated, remote attacker to cause a denial of service condition on
> an affected device. The vulnerability is due to improper variable
> initialization that may result in a NULL pointer read. An attacker could
> exploit this vulnerability by sending a crafted email to an affected device.
> An exploit could allow the attacker to cause the ClamAV scanning process
> to crash, resulting in a denial of service condition.
> 
> https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html

https://src.fedoraproject.org/rpms/clamav [1] all branches are already updated

                Stable version            Version in testing
Fedora 35       clamav-0.103.2-1.fc35
Fedora 34       clamav-0.103.2-1.fc34
Fedora 33       clamav-0.103.2-1.fc33
Fedora 32       clamav-0.103.2-1.fc32
Fedora EPEL 8   clamav-0.103.2-1.el8
Fedora EPEL 7   clamav-0.103.2-1.el7
Fedora ELN      clamav-0.103.2-1.eln110