Debian Bug report logs - #986622
ClamAV 0.103.2 security patch release

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Ralf Hildebrandt <Ralf.Hildebrandt@charite.de>

To: submit@bugs.debian.org

Subject: ClamAV 0.103.2 security patch release

Date: Thu, 8 Apr 2021 10:11:51 +0200

Package: clamav
Version: 0.103.0+dfsg-3.1

ClamAV 0.103.2 is a security patch release with the following fixes:

CVE-2021-1252 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1252>: 
Fix for Excel XLM parser infinite loop. Affects 0.103.0 and 0.103.1 only.

CVE-2021-1404 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1404>: 
Fix for PDF parser buffer over-read; possible crash. Affects 0.103.0 and 0.103.1 only.

CVE-2021-1405 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1405>: 
Fix for mail parser NULL-dereference crash. Affects 0.103.1 and prior.

CVE-2021-1386 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1386>:
Fix for UnRAR DLL load privilege escalation. Affects 0.103.1 and prior on Windows only.

Message #14 received at 986622@bugs.debian.org (full text, mbox, reply):

From: Matus UHLAR - fantomas <uhlar@fantomas.sk>

To: 986622@bugs.debian.org

Subject: fixes

Date: Sat, 10 Apr 2021 15:10:36 +0200

Hello,

I just wanted to note that clamav 0.103.2 fixes[1] all issues currently open
at security tracker[2]

CVE-2021-1252
CVE-2021-1404
CVE-2021-1405

It also makes freshclam more efficient for work with clamav mirrors, which
is desired for clamav infrastructure that has problems with older
versions[3] [4] [5].

[1]
https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html

[2]
https://security-tracker.debian.org/tracker/source-package/clamav 

[3]
https://lists.clamav.net/pipermail/clamav-users/2021-March/010544.html

[4]
https://lists.clamav.net/pipermail/clamav-users/2021-March/010578.html

[5]
https://lists.clamav.net/pipermail/clamav-users/2021-April/011043.html
-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...

Message #19 received at 986622@bugs.debian.org (full text, mbox, reply):

From: Damian Lukowski <debian-bugs@arcsin.de>

To: 986622@bugs.debian.org

Subject: Re: ClamAV 0.103.2 security patch release

Date: Sun, 11 Apr 2021 12:38:38 +0200

> CVE-2021-1252 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1252>:
> Fix for Excel XLM parser infinite loop. Affects 0.103.0 and 0.103.1 only.

Debian's security tracker claims that stretch and buster are vulnerable. According to the clamav announcement and CVE they 
shouldn't be.

> CVE-2021-1405 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1405>:
> Fix for mail parser NULL-dereference crash. Affects 0.103.1 and prior.

The clamav announcement and CVE are inconsistent whether 0.102 is affected.

Message #24 received at 986622@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

To: Matus UHLAR - fantomas <uhlar@fantomas.sk>, 986622@bugs.debian.org

Subject: Re: [Pkg-clamav-devel] Bug#986622: fixes

Date: Sun, 11 Apr 2021 23:17:14 +0200

On 2021-04-10 15:10:36 [+0200], Matus UHLAR - fantomas wrote:
> Hello,
Hi,

> I just wanted to note that clamav 0.103.2 fixes[1] all issues currently open
> at security tracker[2]
> 
> CVE-2021-1252
> CVE-2021-1404
> CVE-2021-1405

Everyone wondering, yes I am aware but not as fast as I would like to.
My plan is to get 103.2 into Buster after I spent the day today to look
what should be backported and what not.

Sebastian

Message #35 received at 986622-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 986622-close@bugs.debian.org

Subject: Bug#986622: fixed in clamav 0.103.2+dfsg-1

Date: Mon, 12 Apr 2021 19:48:27 +0000

Source: clamav
Source-Version: 0.103.2+dfsg-1
Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 986622@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 12 Apr 2021 21:31:08 +0200
Source: clamav
Architecture: source
Version: 0.103.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Closes: 986622
Changes:
 clamav (0.103.2+dfsg-1) unstable; urgency=medium
 .
   * Import 0.103.2
     - CVE-2021-1252 (Fix for Excel XLM parser infinite loop.)
     - CVE-2021-1404 (Fix for PDF parser buffer over-read; possible crash.)
     - CVE-2021-1405 (Fix for mail parser NULL-dereference crash.)
     - Update symbol file.
    (Closes: #986622).
Checksums-Sha1:
 ec6abbe689364881025ef8980c3b37015eb996d2 2777 clamav_0.103.2+dfsg-1.dsc
 461ec3a7b45851e31a1cd9a4458473f9b4dc2677 5123788 clamav_0.103.2+dfsg.orig.tar.xz
 2f6896bb20cb32b31edd03dae496e821ac239d06 220248 clamav_0.103.2+dfsg-1.debian.tar.xz
Checksums-Sha256:
 8754a64602d698ba82d80b673933fb3141ad42e33335966ad688b12a3f269a78 2777 clamav_0.103.2+dfsg-1.dsc
 1f5d08342552f4b011521f44dd25e732dc79531ed2b54db385f8520496026371 5123788 clamav_0.103.2+dfsg.orig.tar.xz
 9a6827ee763c6734da59277d97514a5a018d307c4976ea5ab44ded6a4479046b 220248 clamav_0.103.2+dfsg-1.debian.tar.xz
Files:
 6348840ef9cf8b0069d26cb0adf61d93 2777 utils optional clamav_0.103.2+dfsg-1.dsc
 246d43d86d170e5aad57d512f4b0f6f8 5123788 utils optional clamav_0.103.2+dfsg.orig.tar.xz
 c1548d055b0400ed1ae6ad769620a568 220248 utils optional clamav_0.103.2+dfsg-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmB0oh0ACgkQBWQfF1cS
+lttKQv+OrFkvYOTM0NzFTs7GstLJQNDgcDIIpoCzp7J+EzYqwVL0hiygyjCnEdZ
fJGZkZGDFFpS8QEkJTgAOh9Y4dMSEIxpCHCUiz6YmXVdDA6Yp5flBJ5pxXveZP6O
67QMN6Y7V6Q7EERjZ8G+ZImWG/9beZNfCWHV0qHodf3QstpBC5r78539F/rLgA3B
TJj06Epq7bTwRQ1i63F/HsVUI2I997JrbSqxX1WPqIKqLjh4akFMhZfMPILDfD/i
TkhMCgbbltm5VdpyYIMyPBV9G+rhhamOwcNKkZjNNbLP4WLx4uriwwK/vHelOu8x
L4Jvfvv9Vh16+3JpRKyadJuuJ9wV8EfNXQzKv0Vra9/mdBmBFdUXYWiQFaeqNgvX
NYvOqxKlQnBcwBP14DqMMpVOtewdjBxmHOeXTHM7I4kUfAo+RURMoN7/j/ryw9GC
cuhRsbXxLQwf/zyyFKFqyKr1701l3VXQALWleSqXDsarK8bktHZSzqwYZOlUlDtD
RsyyNYc/
=6Ng6
-----END PGP SIGNATURE-----

Message #44 received at 986622@bugs.debian.org (full text, mbox, reply):

From: Utkarsh Gupta <utkarsh@debian.org>

To: sebastian@breakpoint.cc

Cc: 986622@bugs.debian.org

Subject: Re: [Pkg-clamav-devel] Bug#986622: fixes

Date: Tue, 13 Apr 2021 16:08:17 +0530

Hi Sebastian,

Sebastian Andrzej Siewior wrote:
> My plan is to get 103.2 into Buster after I spent the day today
> to look what should be backported and what not.

Do we not generally backport clamav as-is to buster (of course, after
thoroughly checking) so as to get the latest release there?

I ask/confirm because I'd like to further backport this to
stretch/jessie for LTS/ELTS as well. We generally wait for buster to
be updated and then we backport to stretch and then jessie.

Also, once you get the update prepared for buster and plan to release,
could you also let me know so I get a heads up and thus plan
accordingly for stretch and jessie?

Thanks.


- u

Message #49 received at 986622@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

To: Utkarsh Gupta <utkarsh@debian.org>

Cc: 986622@bugs.debian.org

Subject: Re: [Pkg-clamav-devel] Bug#986622: fixes

Date: Tue, 13 Apr 2021 21:02:21 +0200

On 2021-04-13 16:08:17 [+0530], Utkarsh Gupta wrote:
> Hi Sebastian,
Hi,

> Sebastian Andrzej Siewior wrote:
> > My plan is to get 103.2 into Buster after I spent the day today
> > to look what should be backported and what not.
> 
> Do we not generally backport clamav as-is to buster (of course, after
> thoroughly checking) so as to get the latest release there?

Usually yes, I let it slide (unfortunatelly) and was checking best
options moving forward. After all I need reasons to present to the
release team.

> I ask/confirm because I'd like to further backport this to
> stretch/jessie for LTS/ELTS as well. We generally wait for buster to
> be updated and then we backport to stretch and then jessie.
> 
> Also, once you get the update prepared for buster and plan to release,
> could you also let me know so I get a heads up and thus plan
> accordingly for stretch and jessie?

Sure. My plan for now is to prepare today the release for Buster, deploy
it on one my machines and if nothing breaks open the pu tomorrow.

> Thanks.
> 
> 
> - u

Sebastian

Message #54 received at 986622@bugs.debian.org (full text, mbox, reply):

From: Utkarsh Gupta <utkarsh@debian.org>

To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Cc: 986622@bugs.debian.org

Subject: Re: [Pkg-clamav-devel] Bug#986622: fixes

Date: Wed, 14 Apr 2021 12:38:19 +0530

Hello,

On Wed, Apr 14, 2021 at 12:32 AM Sebastian Andrzej Siewior
<sebastian@breakpoint.cc> wrote:
> Usually yes, I let it slide (unfortunatelly) and was checking best
> options moving forward. After all I need reasons to present to the
> release team.

I just noticed that the only CVE that affects buster is CVE-2021-1405.
The other two affects only 0.103.0 and 0.103.1 and the patch for
CVE-2021-1405 could be easily backported to buster. Maybe we could
instead do that now? And later when there's a need, we can backport
the entire new version? What do you think?


- u

Message #59 received at 986622@bugs.debian.org (full text, mbox, reply):

From: Athanasius <debian@miggy.org>

To: 986622@bugs.debian.org

Subject: Re: [Pkg-clamav-devel] Bug#986622: fixes

Date: Wed, 21 Apr 2021 08:17:53 +0100

  There's also the point that the current buster version is logging:

Apr 18 07:25:31 river freshclam[25421]: Sun Apr 18 07:25:31 2021 -> ^Your ClamAV installation is OUTDATED!
Apr 18 07:25:31 river freshclam[25421]: Sun Apr 18 07:25:31 2021 -> ^Local version: 0.102.4 Recommended version: 0.103.2
Apr 18 07:25:31 river freshclam[25421]: Sun Apr 18 07:25:31 2021 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading-clamav

once an hour.

So long as any Debian update of the packages both addresses the
outstanding CVEs *and* quiets this logging I'll be happy.
-- 
-         Athanasius = Athanasius(at)miggy.org / https://miggy.org/
                  GPG/PGP Key: https://miggy.org/gpg-key
	   "And it's me who is my enemy. Me who beats me up.
Me who makes the monsters. Me who strips my confidence." Paula Cole - ME

Message #64 received at 986622@bugs.debian.org (full text, mbox, reply):

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

To: Athanasius <debian@miggy.org>, 986622@bugs.debian.org

Subject: Re: [Pkg-clamav-devel] Bug#986622: Bug#986622: fixes

Date: Wed, 21 Apr 2021 21:36:56 +0200

On 2021-04-21 08:17:53 [+0100], Athanasius wrote:
> So long as any Debian update of the packages both addresses the
> outstanding CVEs *and* quiets this logging I'll be happy.

Be aware that I am following the process to get an update into Buster.

Sebastian

Message #69 received at 986622-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 986622-close@bugs.debian.org

Subject: Bug#986622: fixed in clamav 0.103.2+dfsg-0+deb10u1

Date: Wed, 21 Apr 2021 21:47:08 +0000

Source: clamav
Source-Version: 0.103.2+dfsg-0+deb10u1
Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 986622@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <sebastian@breakpoint.cc> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 14 Apr 2021 08:38:52 +0200
Source: clamav
Architecture: source
Version: 0.103.2+dfsg-0+deb10u1
Distribution: buster
Urgency: medium
Maintainer: ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>
Changed-By: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Closes: 960843 963853 972974 973619 986622
Changes:
 clamav (0.103.2+dfsg-0+deb10u1) buster; urgency=medium
 .
   [ Sebastian Andrzej Siewior ]
   * Import 0.103.2
     - CVE-2021-1252 (Fix for Excel XLM parser infinite loop.)
     - CVE-2021-1404 (Fix for PDF parser buffer over-read; possible crash.)
     - CVE-2021-1405 (Fix for mail parser NULL-dereference crash.)
     - Fix testsuite in an IPv6 only environment (Closes: #963853).
     - Update symbol file.
     - Drop CURL_CA_BUNDLE related patch, changes applied upstream.
    (Closes: #986622).
   * Rename NEWS.Debian to NEWS.
   * Update lintian overrides.
   * Update apparmor profile for freshclam. Thanks to Michael Borgelt.
     (Closes: #972974)
   * Update apparmor profile for clamd. Thanks to Stefano Callegari.
     (Closes: #973619).
   * Remove deprecated option SafeBrowsing from debconf templates.
 .
   [ Helmut Grohne ]
   * Honour DEB_BUILD_OPTIONS=nocheck again. (Closes: #960843)
Checksums-Sha1:
 97ae77d5b851bf714bf531e0b59380aee558f31a 2818 clamav_0.103.2+dfsg-0+deb10u1.dsc
 461ec3a7b45851e31a1cd9a4458473f9b4dc2677 5123788 clamav_0.103.2+dfsg.orig.tar.xz
 b97c89e34d2d19ce3481405573b824bc236ac476 219196 clamav_0.103.2+dfsg-0+deb10u1.debian.tar.xz
Checksums-Sha256:
 89b3710e3557779a1e44f3c4e0b025485a2f1c646827c7897c6a2828a048948f 2818 clamav_0.103.2+dfsg-0+deb10u1.dsc
 1f5d08342552f4b011521f44dd25e732dc79531ed2b54db385f8520496026371 5123788 clamav_0.103.2+dfsg.orig.tar.xz
 f0b3a38c9e9d4982268803d3d0a2f9e988f5272ebe1e90791eada811300efa9a 219196 clamav_0.103.2+dfsg-0+deb10u1.debian.tar.xz
Files:
 e6662a7da2fc99a18844cbbcaf153181 2818 utils optional clamav_0.103.2+dfsg-0+deb10u1.dsc
 246d43d86d170e5aad57d512f4b0f6f8 5123788 utils optional clamav_0.103.2+dfsg.orig.tar.xz
 bd423c06620b81afa231cec0736066bd 219196 utils optional clamav_0.103.2+dfsg-0+deb10u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmCAevoACgkQBWQfF1cS
+lshWQv9HRE7RtIyIy8Jg59jbpB/NbwP3rGVxyZei3ZOqBb6oMz0ZDYnOKl7kG7I
OkrVYhrS0AvNQx7cFKeo45iIzDcw0ziFio3EPApaJsR2WSp3RkLIPEsYzhN9x1bT
qaEdZEHEQS/394s3gEne8X7XhRKBm5ZcZqF+YXcXpRFCwhfcnb1jEQszx0V3jyQH
mwacjW/knXz91GMlUG1laGrkzE+LbMM2DNPhWclxSKzWV5yEG02WQfVvynhJ4x12
U6x7tMFETVnUEi5o8XEmPzv5JcO72tYgvfbSSc1kCH/1rX99z7SNVjRA4fSRdZaz
kz24YU2E2qHX+UaeWX3jOJwviGkWS75W4prJwmZ+ljDOsa14/kWeWfKCTNDBywbk
pXZDJQUYh0T+F/7xPrCZNDtcqHEU7dMj9iHWCjjnUsfKDbtZCBJ7TUDjlftpFArV
3dgB6lfO3QkNTSU3w41+3FXxdOOkfaIDBzVV2fgS0Xi09DSaxwsYNLcvc1BepwHa
OlAvX9KG
=yZXw
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.