Bug 724856 - VUL-0: clamav recursion level crash
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Priority: P5 - None
Severity: Major
Assigned To: Security Team bot
maint:released:11.3:43738 maint:relea...
Reported: 2011-10-18 12:24 UTC by Sebastian Krahmer
Modified: 2017-12-03 09:03 UTC
Description Sebastian Krahmer 2011-10-18 12:24:48 UTC
Via OSS-sec:


Date: Tue, 18 Oct 2011 12:39:59 +0200
From: Hanno Böck
To: oss-security


Sadly, as we know, upstream clamav doesn't care about publishing
security advisories. They even seem to have stopped publishing new
versions on their -announce-list, so the only way to see changes is to
dig into the tar-file and see the Changelog.

This one here sounds security-relevant:
Sat Oct  8 12:10:13 EEST 2011 (edwin)
-------------------------------------
 * libclamav/bytecode.c,bytecode_api.c: fix recursion level crash (bb
   #3706).
Upstream bug is invisible to the public. Please assign CVE



Maybe others have a look at the full Changelog, but I think the rest
sounds non-security-relevant:
Mon Oct 17 18:04:30 CEST 2011 (tk)
----------------------------------
 * V 0.97.3

Mon Oct 10 14:41:48 CEST 2011 (tk)
----------------------------------
 * freshclam/manager.c: fix error when compiling without DNS support
(bb#3056)

Sat Oct  8 12:19:49 EEST 2011 (edwin)
-------------------------------------
 * libclamav/pdf.c: flag and dump PDF objects with /Launch (bb #3514)

Sat Oct  8 12:10:13 EEST 2011 (edwin)
-------------------------------------
 * libclamav/bytecode.c,bytecode_api.c: fix recursion level crash (bb
#3706).

Tue Aug  2 17:03:33 CEST 2011 (tk)
----------------------------------
 * docs: clarify behavior of --scan-*/Scan* options (bb#3134)

Mon Jul 25 16:09:19 EEST 2011 (edwin)
-------------------------------------
 * libclamav/bytecode_vm.c: fix opcode 20 error (bb #3100)

Thu Sep 15 14:44:11 CEST 2011 (tk)
----------------------------------
 * freshclam: fix pidfile removal (bb#3499)

Sun Aug 21 17:05:24 EEST 2011 (edwin)
-------------------------------------
 * libclamav/pdf.c:  fix incorrect blocking of some encrypted PDF with
empty user passwords. (bb #3364)

Wed Aug  3 15:41:28 CEST 2011 (tk)
----------------------------------
 * sigtool/sigtool.c: fix calculation of max signature length
Comment 1 Sebastian Krahmer 2011-10-19 06:47:22 UTC
CVE-2011-3627
Comment 2 Swamp Workflow Management 2011-10-19 08:21:24 UTC
The SWAMPID for this issue is 43729.
This issue was rated as moderate.
Please submit fixed packages until 2011-11-02.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Bernhard Wiedemann 2011-10-19 12:00:31 UTC
This is an autogenerated message for OBS integration:
This bug (724856) was mentioned in
https://build.opensuse.org/request/show/88699 Factory / clamav
https://build.opensuse.org/request/show/88700 11.4 / clamav
https://build.opensuse.org/request/show/88701 11.3 / clamav
Comment 4 Bernhard Wiedemann 2011-10-19 14:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (724856) was mentioned in
https://build.opensuse.org/request/show/88722 11.3 / clamav
https://build.opensuse.org/request/show/88723 11.4 / clamav
https://build.opensuse.org/request/show/88724 Factory / clamav
Comment 5 Reinhard Max 2011-10-19 14:09:21 UTC
Packages submitted to the openSUSE projects mentioned above, and to SLE10-SP3, SLE10-SP4, SLE11-SP1, and SLE11-SP2.
Comment 11 Swamp Workflow Management 2011-10-24 09:07:15 UTC
Update released for: clamav, clamav-db, clamav-debuginfo, clamav-debugsource
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 12 Sebastian Krahmer 2011-10-24 09:07:46 UTC
done
Comment 13 Swamp Workflow Management 2011-10-24 12:09:33 UTC
Update released for: clamav, clamav-db, clamav-debuginfo
Products:
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 14 Swamp Workflow Management 2011-10-24 14:08:28 UTC
Update released for: clamav, clamav-db, clamav-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 15 Swamp Workflow Management 2011-10-24 14:26:00 UTC
Update released for: clamav, clamav-db, clamav-debuginfo, clamav-debugsource
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 16 Swamp Workflow Management 2011-10-24 17:12:52 UTC
Update released for: clamav, clamav-db
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 17 Bernhard Wiedemann 2011-10-25 10:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (724856) was mentioned in
https://build.opensuse.org/request/show/89250 Evergreen:11.1 / clamav
Comment 18 Bernhard Wiedemann 2017-12-03 09:03:10 UTC
This is an autogenerated message for OBS integration:
This bug (724856) was mentioned in
https://build.opensuse.org/request/show/547654 15.0 / clamav