Clam AntiVirus upstream has released version 0.97.8, correcting a couple of potential security bugs:

[1] http://blog.clamav.net/2013/04/clamav-0978-has-been-released.html
[2] https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog
These issues affect the versions of the clamav package, as shipped with Fedora release of 17 and 18. Please schedule an update.

--

These issues did NOT affect the version of the clamav package, as shipped with Fedora EPEL 6 (it has been updated to clamav-0.97.8-1.el6 version already).

--

These issues affect the version of the clamav package, as shipped with Fedora EPEL 5. Please schedule an update.
Created clamav tracking bugs for this issue

Affects: fedora-all [bug 956177]
Affects: epel-5 [bug 956178]
Request for further issue details: http://www.openwall.com/lists/oss-security/2013/04/24/3
According to http://www.openwall.com/lists/oss-security/2013/04/24/4, the particular upstream changes (information from Joel Esler) are as follows:

https://github.com/vrtadmin/clamav-devel/commit/270e368b99e93aa5447d46c797c92c3f9f39f375
https://github.com/vrtadmin/clamav-devel/commit/24ff855c82d3f5c62bc5788a5776cefbffce2971
https://github.com/vrtadmin/clamav-devel/commit/c6870a6c857dd722dffaf6d37ae52ec259d12492
https://github.com/vrtadmin/clamav-devel/commit/3cbd8b5668bd0f262a8c00b1fd57eb03c117b00a
Further issue details (http://www.openwall.com/lists/oss-security/2013/04/27/3):

--------------------------------------------------------------------------------

Hi,

sorry for the delayed response, I'm OOO.

The bugs should be public now:

https://bugzilla.clamav.net/show_bug.cgi?id=7055
heap corruption, potentially exploitable.

https://bugzilla.clamav.net/show_bug.cgi?id=7053
overflow due to PDF key length computation. Potentially exploitable.

https://bugzilla.clamav.net/show_bug.cgi?id=7054
NULL pointer dereference in sis parsing.

When building clamav I recommend disabling legacy or unneeded features (e.g. sis). I guess that's common sense though.

Cheers
Felix
(In reply to comment #5)
> The bugs should be public now:

> https://bugzilla.clamav.net/show_bug.cgi?id=7054
> NULL pointer dereference in sis parsing.

This last one is still not public.

> When building clamav I recommend disabling legacy or unneeded features
> (e.g. sis). I guess that's common sense though.

Why do you consider that sis is unwanted? For an email scanner, any attachment parsing is useful. Even on a PC platform, a user can send a promiscuous .sis file. Disabling some features can be considered a security bug too, if the user knows about features in clamav, but they are disabled in Fedora/EPEL.
According to http://www.openwall.com/lists/oss-security/2013/04/29/12 :

> https://bugzilla.clamav.net/show_bug.cgi?id=7055
> heap corruption, potentially exploitable.

this is CVE-2013-2020

> https://bugzilla.clamav.net/show_bug.cgi?id=7053
> overflow due to PDF key length computation. Potentially exploitable.

this is CVE-2013-2021 (the email above has a typo and also says 2020, which is incorrect; a subsequent email will rectify that typo)

> https://bugzilla.clamav.net/show_bug.cgi?id=7054
> NULL pointer dereference in sis parsing.

This bug is still not public, so no CVE assigned as of yet.
clamav-0.97.8-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
clamav-0.97.8-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
clamav-0.97.8-2.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
clamav-0.97.8-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.