Bug 809945 - VUL-0: clamav 0.97.7 release has hardening fixes
VUL-0: clamav 0.97.7 release has hardening fixes
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:sle10-sp4:51873 maint:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-03-18 10:41 UTC by Marcus Meissner
Modified: 2017-12-03 09:03 UTC (History)
4 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-03-18 10:41:37 UTC
via clamav release / oss-security


So far no actual security issues have been identified, just various Coverity hardening issues were fixed.


clamav 0.97.7 fixes several bugs:

Date: Fri, 15 Mar 2013 10:08:19 -0400 (EDT)
From: Jan Lieskovsky <jlieskov@redhat.com>
Subject: [oss-security] Further issue details about flaws corrected in upstream ClamAV 0.97.7 version

Hello Mateusz, Gynvael, vendors,

  this is due the following ones:
  [1] https://bugs.mageia.org/show_bug.cgi?id=9399
  [2] http://blog.clamav.net/2013/03/clamav-0977-has-been-released.html
  [3] https://github.com/vrtadmin/clamav-devel/blob/0.97/ChangeLog

I have tried to grep CLamAV's git log for further information, but many
of the commits prior to 2013-02-20 have form of:

'Fix CID#...' :(.

The only two security related ones seem to be the following two:
commit b2212def1bb92b5ac45c82da100dc0d1376de6a3
Author: Steve Morgan <smorgan@sourcefire.com>
Date:   Thu Feb 14 18:29:53 2013 -0500

    cid 10776 - fix double free

commit 71990820d01c246e4e61408a3659dd9d92949b38
Author: Ryan Pentney <rpentney@sourcefire.com>
Date:   Fri Feb 15 03:10:50 2013 -0800

    Fixed heap corruption in wwunpack.c

We to be better able to tell, which concrete security flaws
got corrected in 0.97.7 version and based on that to properly
allocate CVE identifiers, could you please provide further
information about:
a) how many and what kind of issues got corrected in that
   version?,
b) links to relevant upstream patches? (since patch log telling
   CID# wouldn't be enough either to find out the appropriate
   commits).

Thank you for your time, look && cooperation in advance.

Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
Comment 1 Marcus Meissner 2013-03-18 10:43:34 UTC
(we can run a opensuse update already, but I would leave SLES until clarification of the security impact)
Comment 2 Swamp Workflow Management 2013-03-18 23:01:49 UTC
bugbot adjusting priority
Comment 3 Reinhard Max 2013-03-20 12:01:11 UTC
(In reply to comment #1)
> but I would leave SLES until clarification of the security impact

Would that change anything besides adding some CVE numbers to clamav.changes?
Comment 4 Swamp Workflow Management 2013-03-20 14:12:20 UTC
The SWAMPID for this issue is 51775.
This issue was rated as moderate.
Please submit fixed packages until 2013-04-03.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 5 Marcus Meissner 2013-03-20 14:14:01 UTC
I was wondering about whether to do an update at all, if there is no direct security impact.

But I think "heap corruption" likely will be marked security relevant and get a CVE, so we will do an update.
Comment 7 Bernhard Wiedemann 2013-03-20 18:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (809945) was mentioned in
https://build.opensuse.org/request/show/160305 Factory / clamav
Comment 10 Bernhard Wiedemann 2013-03-22 09:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (809945) was mentioned in
https://build.opensuse.org/request/show/160547 Evergreen:11.2 / clamav
Comment 12 Reinhard Max 2013-03-25 15:48:50 UTC
Whoops, looks like I wanted to wait for the build results in the branch project and then forgot to finish the submission.

Submitting package  clamav.SUSE_SLE-10-SP3_Update_Test
Submitting package  clamav.SUSE_SLE-11_Update_Test
Submitting package  clamav.SUSE_SLE-9-SP3_Update_Teradata_Test
Request created:  25198
Successfully finished
Comment 15 Swamp Workflow Management 2013-03-28 12:04:46 UTC
openSUSE-SU-2013:0560-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 809945
CVE References: 
Sources used:
openSUSE 12.3 (src):    clamav-0.97.7-5.4.1
openSUSE 12.2 (src):    clamav-0.97.7-1.8.1
openSUSE 12.1 (src):    clamav-0.97.7-11.1
Comment 16 Bernhard Wiedemann 2013-03-29 08:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (809945) was mentioned in
https://build.opensuse.org/request/show/161695 Evergreen:11.2 / clamav
Comment 17 Swamp Workflow Management 2013-03-29 08:04:36 UTC
openSUSE-SU-2013:0563-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 809945
CVE References: 
Sources used:
openSUSE 11.4 (src):    clamav-0.97.7-17.1
Comment 18 Sebastian Krahmer 2013-04-03 14:22:50 UTC
seems to be clarified
Comment 19 Sebastian Krahmer 2013-04-03 14:23:53 UTC
released
Comment 20 Swamp Workflow Management 2013-04-03 17:00:09 UTC
Update released for: clamav, clamav-db, clamav-debuginfo, clamav-debugsource
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 21 Swamp Workflow Management 2013-04-03 17:05:04 UTC
Update released for: clamav, clamav-db
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 22 Swamp Workflow Management 2013-04-03 17:13:18 UTC
Update released for: clamav, clamav-db, clamav-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 23 Swamp Workflow Management 2013-04-03 18:15:21 UTC
Update released for: clamav, clamav-db, clamav-debuginfo, clamav-debugsource
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 24 Swamp Workflow Management 2013-04-03 18:16:04 UTC
Update released for: clamav, clamav-db, clamav-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 25 Bernhard Wiedemann 2017-12-03 09:03:45 UTC
This is an autogenerated message for OBS integration:
This bug (809945) was mentioned in
https://build.opensuse.org/request/show/547654 15.0 / clamav