Bug 929192 (CVE-2015-2170)

Summary: VUL-0: CVE-2015-2170, CVE-2015-2221, CVE-2015-2222, CVE-2015-2668, CVE-2015-2305: clamav: 0.98.7
Product: [Novell Products] SUSE Security Incidents Reporter: Andreas Stieger <astieger>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: krahmer, max, meissner
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: From http://blog.clamav.net/2015/04/clamav-0987-has-been-released.html
Whiteboard: maint:released:sle10-sp3:61680 CVSSv2:NVD:CVE-2015-2170:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2221:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2222:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2305:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2015-2668:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2170:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2221:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2222:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2305:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-2668:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2170:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2221:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2222:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2668:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2170:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2221:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2222:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:RedHat:CVE-2015-2668:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv2:NVD:CVE-2015-2305:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P) CVSSv2:RedHat:CVE-2015-2305:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 921950    

Description Andreas Stieger 2015-04-30 08:02:47 UTC 
From http://blog.clamav.net/2015/04/clamav-0987-has-been-released.html

> ClamAV 0.98.7 is here! This release contains new scanning features
> and bug fixes.
> 
>     - Improvements to PDF processing: decryption, escape sequence
>       handling, and file property collection.
>     - Scanning/analysis of additional Microsoft Office 2003 XML format.
>     - Fix infinite loop condition on crafted y0da cryptor file. Identified
>       and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
>     - Fix crash on crafted petite packed file. Reported and patch
>       supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
>     - Fix false negatives on files within iso9660 containers. This issue
>       was reported by Minzhuan Gong.
>     - Fix a couple crashes on crafted upack packed file. Identified and
>       patches supplied by Sebastian Andrzej Siewior.
>     - Fix a crash during algorithmic detection on crafted PE file.
>       Identified and patch supplied by Sebastian Andrzej Siewior.
>     - Fix an infinite loop condition on a crafted "xz" archive file.
>       This was reported by Dimitri Kirchner and Goulven Guiheux.
>       CVE-2015-2668.
>     - Fix compilation error after ./configure --disable-pthreads.
>       Reported and fix suggested by John E. Krokes.
>     - Apply upstream patch for possible heap overflow in Henry Spencer's
>       regex library. CVE-2015-2305.

For clamav, we tracked this in bug 922560.

>     - Fix crash in upx decoder with crafted file. Discovered and patch
>       supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
>     - Fix segfault scanning certain HTML files. Reported with sample by
>       Kai Risku.
>     - Improve detections within xar/pkg files.
Comment 1 Reinhard Max 2015-04-30 08:08:06 UTC 
*** Bug 922560 has been marked as a duplicate of this bug. ***
Comment 2 Andreas Stieger 2015-04-30 08:19:53 UTC 
https://swamp.suse.de/webswamp/wf/61644
Comment 3 Swamp Workflow Management 2015-04-30 22:00:17 UTC 
bugbot adjusting priority
Comment 5 Bernhard Wiedemann 2015-05-06 13:00:08 UTC 
This is an autogenerated message for OBS integration:
This bug (929192) was mentioned in
https://build.opensuse.org/request/show/305579 Factory / clamav
Comment 6 Swamp Workflow Management 2015-05-13 20:05:26 UTC 
SUSE-SU-2015:0871-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 929192
CVE References: CVE-2015-2170,CVE-2015-2221,CVE-2015-2222,CVE-2015-2305,CVE-2015-2668
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    clamav-0.98.7-0.3.1
SUSE Linux Enterprise Server 11 SP3 (src):    clamav-0.98.7-0.3.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    clamav-0.98.7-0.3.1
Comment 7 Swamp Workflow Management 2015-05-15 10:05:30 UTC 
SUSE-SU-2015:0882-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 929192
CVE References: CVE-2015-2170,CVE-2015-2221,CVE-2015-2222,CVE-2015-2305,CVE-2015-2668
Sources used:
SUSE Linux Enterprise Server 12 (src):    clamav-0.98.7-13.1
Comment 8 Swamp Workflow Management 2015-05-15 15:05:15 UTC 
SUSE-SU-2015:0882-2: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 929192
CVE References: CVE-2015-2170,CVE-2015-2221,CVE-2015-2222,CVE-2015-2305,CVE-2015-2668
Sources used:
SUSE Linux Enterprise Server 12 (src):    clamav-0.98.7-13.1
SUSE Linux Enterprise Desktop 12 (src):    clamav-0.98.7-13.1
Comment 10 Swamp Workflow Management 2015-05-19 09:05:52 UTC 
openSUSE-SU-2015:0906-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 929192
CVE References: CVE-2015-2170,CVE-2015-2221,CVE-2015-2222,CVE-2015-2305,CVE-2015-2668
Sources used:
openSUSE 13.2 (src):    clamav-0.98.7-2.16.1
openSUSE 13.1 (src):    clamav-0.98.7-33.1
Comment 11 Bernhard Wiedemann 2017-12-03 09:04:59 UTC 
This is an autogenerated message for OBS integration:
This bug (929192) was mentioned in
https://build.opensuse.org/request/show/547654 15.0 / clamav