Bug 2170937

Summary: CVE-2023-20032: possible remote code execution vulnerability in the HFS+ file parser of ClamAV
Product: [Fedora] Fedora EPEL
Reporter: harald.svab
Component: clamav
Assignee: Sergio Basto <sergio>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: unspecified
Version: epel7
CC: chhuang, ian, ruben, security-response-team
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Fixed In Version: clamav-0.103.8-3.el8
Doc Type: If docs needed, set a value
Last Closed: 2023-03-01 00:35:03 UTC
Type: Bug

Description harald.svab 2023-02-17 18:29:38 UTC
Description of problem:

CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

Versions 0.103.8, 0.105.2 and 1.0.1 are available with the fix.

We would really need the new version for EPEL-7.

Comment 1 harald.svab 2023-02-17 18:32:22 UTC
Sorry, forgot to add a link to the source: https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

Comment 2 Ruben Püttmann 2023-02-21 08:46:26 UTC
Seems that fixed versions for EPEL-8 and higher are available. What about EPEL-7?

Comment 3 Fedora Update System 2023-02-24 16:44:46 UTC
FEDORA-EPEL-2023-5cb6798308 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-5cb6798308

Comment 4 Sergio Basto 2023-02-24 16:45:52 UTC
for EPEL-7 https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-466d8ae059

Comment 5 Fedora Update System 2023-03-01 00:35:03 UTC
FEDORA-EPEL-2023-5cb6798308 has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make note of it in this bug report.