Bugzilla – Bug 906077
VUL-0: CVE-2013-6497: clamav: Segmentation fault when processing certain files
Last modified: 2017-12-03 09:04:27 UTC
clamav can crash when scanning certain files
From http://seclists.org/oss-sec/2014/q4/673:
• Security fix for ClamAV crash when using 'clamscan -a'. This issue was identified by Kurt Siefried of Red Hat.
• Security fix for ClamAV crash when scanning maliciously crafted yoda's crypter files. This issue, as well as several other bugs fixed in this release, were identified by Damien Millescamp of Oppida.
Fixed in 0.98.5. I'll try to get a reproducer
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1138101
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6497
http://seclists.org/oss-sec/2014/q4/673
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-12-03. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/59747
(In reply to Johannes Segitz from comment #0)
> Fixed in 0.98.5. I'll try to get a reproducer
Could this be related to bug 898163?
(In reply to Reinhard Max from comment #2)
Don't think so. 898163 is fixed in 0.98.4, this is claimed to be fixed in 0.98.5. But there isn't a lot of detail, sorry.
(In reply to Johannes Segitz from comment #3)
> 898163 is fixed in 0.98.4
I don't have a confirmation for that yet. I was just unable to reproduce it in my environment, which also included 0.98.4.
Created attachment 614226: Reproducer
Created attachment 614227: Patch for the issue
Why the patch when we're updating to 0.98.5 anyway?
bugbot adjusting priority
(In reply to Reinhard Max from comment #8)
It serves as explanation for the issue. You don't have to use it.
openSUSE-SU-2014:1560-1: An update that solves two vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 903489,903719,904207,906077,906770
CVE References: CVE-2013-6497,CVE-2014-9050
Sources used:
openSUSE 13.2 (src): clamav-0.98.5-2.5.2
openSUSE 13.1 (src): clamav-0.98.5-22.3
openSUSE 12.3 (src): clamav-0.98.5-5.30.3
A SLE12 submission seems missing.
SUSE-SU-2014:1571-1: An update that solves two vulnerabilities and has four fixes is now available.
Category: security (important)
Bug References: 899395,903489,903719,904207,906077,906770
CVE References: CVE-2013-6497,CVE-2014-9050
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src): clamav-0.98.5-0.5.1
SUSE Linux Enterprise Server 11 SP1 LTSS (src): clamav-0.98.5-0.5.1
SUSE-SU-2014:1574-1: An update that solves two vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 903489,903719,904207,906077,906770
CVE References: CVE-2013-6497,CVE-2014-9050
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src): clamav-0.98.5-0.5.1
SUSE Linux Enterprise Server 11 SP3 (src): clamav-0.98.5-0.5.1
SUSE Linux Enterprise Server 10 SP4 LTSS (src): clamav-0.98.5-0.7.1
SUSE Linux Enterprise Desktop 11 SP3 (src): clamav-0.98.5-0.5.1
openSUSE-SU-2014:1679-1: An update that solves one vulnerability and has two fixes is now available.
Category: security (important)
Bug References: 903489,904207,906077
CVE References: CVE-2013-6497
Sources used:
openSUSE Evergreen 11.4 (src): clamav-0.98.5-37.1
released (well excepting sle12 which will be released soon)
SUSE-SU-2015:0188-1: An update that solves two vulnerabilities and has 5 fixes is now available.
Category: security (moderate)
Bug References: 903489,903719,904207,906077,906770,908731,914505
CVE References: CVE-2013-6497,CVE-2014-9050
Sources used:
SUSE Linux Enterprise Server 12 (src): clamav-0.98.5-6.1
SUSE Linux Enterprise Desktop 12 (src): clamav-0.98.5-6.1
This is an autogenerated message for OBS integration: This bug (906077) was mentioned in https://build.opensuse.org/request/show/547654 15.0 / clamav