Bug 929192 - (CVE-2015-2170) VUL-0: CVE-2015-2170, CVE-2015-2221, CVE-2015-2222, CVE-2015-2668, CVE-2015-2305: clamav: 0.98.7
Status: RESOLVED FIXED
Duplicates: 922560
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Security Team bot
From http://blog.clamav.net/2015/04/c...
maint:released:sle10-sp3:61680 CVSSv2...
Blocks: CVE-2015-2305
Reported: 2015-04-30 08:02 UTC by Andreas Stieger
Modified: 2019-08-16 17:04 UTC (History)
Found By: Security Response Team


Description Andreas Stieger 2015-04-30 08:02:47 UTC
From http://blog.clamav.net/2015/04/clamav-0987-has-been-released.html

> ClamAV 0.98.7 is here! This release contains new scanning features
> and bug fixes.
> 
>     - Improvements to PDF processing: decryption, escape sequence
>       handling, and file property collection.
>     - Scanning/analysis of additional Microsoft Office 2003 XML format.
>     - Fix infinite loop condition on crafted y0da cryptor file. Identified
>       and patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221.
>     - Fix crash on crafted petite packed file. Reported and patch
>       supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
>     - Fix false negatives on files within iso9660 containers. This issue
>       was reported by Minzhuan Gong.
>     - Fix a couple crashes on crafted upack packed file. Identified and
>       patches supplied by Sebastian Andrzej Siewior.
>     - Fix a crash during algorithmic detection on crafted PE file.
>       Identified and patch supplied by Sebastian Andrzej Siewior.
>     - Fix an infinite loop condition on a crafted "xz" archive file.
>       This was reported by Dimitri Kirchner and Goulven Guiheux.
>       CVE-2015-2668.
>     - Fix compilation error after ./configure --disable-pthreads.
>       Reported and fix suggested by John E. Krokes.
>     - Apply upstream patch for possible heap overflow in Henry Spencer's
>       regex library. CVE-2015-2305.

For clamav, we tracked this in bug 922560.

>     - Fix crash in upx decoder with crafted file. Discovered and patch
>       supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
>     - Fix segfault scanning certain HTML files. Reported with sample by
>       Kai Risku.
>     - Improve detections within xar/pkg files.
Comment 1 Reinhard Max 2015-04-30 08:08:06 UTC
*** Bug 922560 has been marked as a duplicate of this bug. ***
Comment 2 Andreas Stieger 2015-04-30 08:19:53 UTC
https://swamp.suse.de/webswamp/wf/61644
Comment 3 Swamp Workflow Management 2015-04-30 22:00:17 UTC
bugbot adjusting priority
Comment 5 Bernhard Wiedemann 2015-05-06 13:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (929192) was mentioned in
https://build.opensuse.org/request/show/305579 Factory / clamav
Comment 6 Swamp Workflow Management 2015-05-13 20:05:26 UTC
SUSE-SU-2015:0871-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 929192
CVE References: CVE-2015-2170,CVE-2015-2221,CVE-2015-2222,CVE-2015-2305,CVE-2015-2668
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    clamav-0.98.7-0.3.1
SUSE Linux Enterprise Server 11 SP3 (src):    clamav-0.98.7-0.3.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    clamav-0.98.7-0.3.1
Comment 7 Swamp Workflow Management 2015-05-15 10:05:30 UTC
SUSE-SU-2015:0882-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 929192
CVE References: CVE-2015-2170,CVE-2015-2221,CVE-2015-2222,CVE-2015-2305,CVE-2015-2668
Sources used:
SUSE Linux Enterprise Server 12 (src):    clamav-0.98.7-13.1
Comment 8 Swamp Workflow Management 2015-05-15 15:05:15 UTC
SUSE-SU-2015:0882-2: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 929192
CVE References: CVE-2015-2170,CVE-2015-2221,CVE-2015-2222,CVE-2015-2305,CVE-2015-2668
Sources used:
SUSE Linux Enterprise Server 12 (src):    clamav-0.98.7-13.1
SUSE Linux Enterprise Desktop 12 (src):    clamav-0.98.7-13.1
Comment 10 Swamp Workflow Management 2015-05-19 09:05:52 UTC
openSUSE-SU-2015:0906-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 929192
CVE References: CVE-2015-2170,CVE-2015-2221,CVE-2015-2222,CVE-2015-2305,CVE-2015-2668
Sources used:
openSUSE 13.2 (src):    clamav-0.98.7-2.16.1
openSUSE 13.1 (src):    clamav-0.98.7-33.1
Comment 11 Bernhard Wiedemann 2017-12-03 09:04:59 UTC
This is an autogenerated message for OBS integration:
This bug (929192) was mentioned in
https://build.opensuse.org/request/show/547654 15.0 / clamav