Bug 816865 (CVE-2013-2020) - VUL-0: CVE-2013-2020 CVE-2013-2021: clamav 0.97.8 fixes security issues
Summary: VUL-0: CVE-2013-2020 CVE-2013-2021: clamav 0.97.8 fixes security issues
Status: RESOLVED FIXED
Alias: CVE-2013-2020
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Deadline: 2013-06-17
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle10-sp4:52776 maint:...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-04-24 06:35 UTC by Sebastian Krahmer
Modified: 2017-12-03 09:03 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Sebastian Krahmer 2013-04-24 06:35:53 UTC
A new clamav seems to be available:

http://freecode.com/projects/clamav/releases/354139
Comment 1 Sebastian Krahmer 2013-04-24 14:16:08 UTC
As per upstream these are the commits:

commit 270e368b99e93aa5447d46c797c92c3f9f39f375
commit 24ff855c82d3f5c62bc5788a5776cefbffce2971
commit c6870a6c857dd722dffaf6d37ae52ec259d12492
commit 3cbd8b5668bd0f262a8c00b1fd57eb03c117b00a
Comment 2 Swamp Workflow Management 2013-04-24 22:00:09 UTC
bugbot adjusting priority
Comment 3 Sebastian Krahmer 2013-04-29 06:19:09 UTC
Via OSS-sec:

From: Felix Gröbert
Date: Sat, 27 Apr 2013


Hi,

sorry for the delayed response, I'm OOO.

The bugs should be public now:

https://bugzilla.clamav.net/show_bug.cgi?id=7055
heap corruption, potentially exploitable.

https://bugzilla.clamav.net/show_bug.cgi?id=7053
overflow due to PDF key length computation. Potentially exploitable.

https://bugzilla.clamav.net/show_bug.cgi?id=7054
NULL pointer dereference in sis parsing.

When building clamav I recommend disabling legacy or unneeded features
(e.g. sis). I guess that's common sense though.

Cheers
Felix
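All three upstream bugs listed above are fixed in the 0.97.8 release this bug tracks, so the first thing a practitioner wants is a quick check of which engine version a host is running. The script below is an added example, not code from this bug report, from ClamAV or from SUSE. It assumes the first line printed by `clamscan --version` has the form "ClamAV <engine>/<dbversion>/<dbdate>" (or just "ClamAV <engine>" when no signature database is installed); the sample lines are constructed here, not captured from a real host.

```python
import re
import subprocess

# Upstream release that fixes CVE-2013-2020 and CVE-2013-2021 (see bug title).
FIXED_VERSION = (0, 97, 8)

# Constructed sample lines in the shape `clamscan --version` prints; not
# captured from a real host.
SAMPLE_OUTPUTS = [
    "ClamAV 0.97.7/17103/Wed Apr 24 08:01:36 2013",
    "ClamAV 0.97.8/17200/Mon May 20 11:22:33 2013",
    "ClamAV 0.98",
    "ClamAV 0.96.5/12345/Sat Jan  1 00:00:00 2011",
    "not clamav output",
]

# Engine version is the dotted number right after the "ClamAV" prefix; the
# database version and date that may follow are ignored on purpose.
VERSION_RE = re.compile(r"^ClamAV\s+(\d+(?:\.\d+)*)")


def parse_engine_version(line):
    """Return the engine version as a tuple of ints, or None if the line
    does not look like clamscan --version output."""
    m = VERSION_RE.match(line.strip())
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_fixed(version):
    """True if the engine is 0.97.8 or newer.  Tuples compare element by
    element, so (0, 98) > (0, 97, 8) and (0, 97, 7) < (0, 97, 8)."""
    return version >= FIXED_VERSION


def assess(line):
    """Classify one version line as 'fixed', 'vulnerable' or 'unknown'."""
    version = parse_engine_version(line)
    if version is None:
        return "unknown"
    return "fixed" if is_fixed(version) else "vulnerable"


def check_installed(cmd=("clamscan", "--version")):
    """Run clamscan on this host; 'unknown' if it is missing or silent."""
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             check=False).stdout
    except OSError:
        return "unknown"
    first = out.splitlines()[0] if out else ""
    return assess(first)


if __name__ == "__main__":
    for sample in SAMPLE_OUTPUTS:
        print(f"{sample!r:50} -> {assess(sample)}")
    print("this host ->", check_installed())
```

The engine string is sufficient for the updates in this bug because SUSE shipped 0.97.8 itself rather than a backported patch; on a distribution that backports fixes into an older version number, the package changelog, not the engine string, is the authority.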
Comment 4 Bernhard Wiedemann 2013-04-29 11:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (816865) was mentioned in
https://build.opensuse.org/request/show/173707 Factory / clamav
Comment 5 Sebastian Krahmer 2013-04-30 06:32:26 UTC
Via OSS-sec:

> https://bugzilla.clamav.net/show_bug.cgi?id=7055 heap corruption,
> potentially exploitable.

Please use CVE-2013-2020 for this issue.

> https://bugzilla.clamav.net/show_bug.cgi?id=7053 overflow due to
> PDF key length computation. Potentially exploitable.

Please use CVE-2013-2021 for this issue. [Fixed; was accidentally
given the same CVE as above before]
Comment 6 Bernhard Wiedemann 2013-04-30 08:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (816865) was mentioned in
https://build.opensuse.org/request/show/173882 Factory / clamav
Comment 7 Reinhard Max 2013-05-03 16:19:54 UTC
Package submitted to 12.1, 12.2, 12.3, SLE9-SP3, SLE10-SP3, and SLE11.
Comment 8 Bernhard Wiedemann 2013-05-03 17:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (816865) was mentioned in
https://build.opensuse.org/request/show/174453 Maintenance /
Comment 9 Bernhard Wiedemann 2013-05-16 08:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (816865) was mentioned in
https://build.opensuse.org/request/show/175830 Maintenance /
Comment 10 Bernhard Wiedemann 2013-05-20 05:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (816865) was mentioned in
https://build.opensuse.org/request/show/176113 Evergreen:11.2 / clamav
Comment 11 Swamp Workflow Management 2013-05-21 14:04:53 UTC
openSUSE-SU-2013:0813-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 816865
CVE References: CVE-2013-2020,CVE-2013-2021
Sources used:
openSUSE 12.1 (src):    clamav-0.97.8-15.1
Comment 12 Swamp Workflow Management 2013-05-21 15:05:02 UTC
openSUSE-SU-2013:0813-2: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 816865
CVE References: CVE-2013-2020,CVE-2013-2021
Sources used:
openSUSE 12.2 (src):    clamav-0.97.8-1.12.1
Comment 13 Bernhard Wiedemann 2013-05-21 16:00:08 UTC
This is an autogenerated message for OBS integration:
This bug (816865) was mentioned in
https://build.opensuse.org/request/show/176285 Evergreen:11.2 / clamav
Comment 14 Marcus Meissner 2013-05-24 15:00:46 UTC
Reinhard, we did not see your submission for SLES... and I do not see any requests.

do you have the submit ids?

can you resubmit?
Comment 16 Swamp Workflow Management 2013-06-03 01:37:13 UTC
The SWAMPID for this issue is 52771.
This issue was rated as moderate.
Please submit fixed packages until 2013-06-17.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 19 Swamp Workflow Management 2013-06-10 09:09:20 UTC
openSUSE-SU-2013:0881-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 816865
CVE References: CVE-2013-2020,CVE-2013-2021
Sources used:
openSUSE 12.3 (src):    clamav-0.97.8-5.8.1
Comment 20 Swamp Workflow Management 2013-06-10 09:09:46 UTC
openSUSE-SU-2013:0883-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 816865
CVE References: CVE-2013-2020,CVE-2013-2021
Sources used:
openSUSE 11.4 (src):    clamav-0.97.8-21.1
Comment 21 Reinhard Max 2013-06-11 05:19:01 UTC
Whoops, forgot to reassign, but I guess this can be closed by now.
Comment 22 Marcus Meissner 2013-06-20 07:42:08 UTC
Released all but SLES11 SP3.
Comment 23 Swamp Workflow Management 2013-06-20 09:55:33 UTC
Update released for: clamav, clamav-db, clamav-debuginfo, clamav-debugsource
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 24 Swamp Workflow Management 2013-06-20 10:04:40 UTC
Update released for: clamav, clamav-db
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 25 Swamp Workflow Management 2013-06-20 10:05:42 UTC
Update released for: clamav, clamav-db, clamav-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 26 Swamp Workflow Management 2013-06-20 10:07:31 UTC
Update released for: clamav, clamav-db, clamav-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 27 Swamp Workflow Management 2013-06-20 11:05:03 UTC
Update released for: clamav, clamav-db, clamav-debuginfo, clamav-debugsource
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 28 Swamp Workflow Management 2013-07-01 13:53:15 UTC
Update released for: clamav, clamav-db, clamav-debuginfo, clamav-debugsource
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 29 Bernhard Wiedemann 2017-12-03 09:03:51 UTC
This is an autogenerated message for OBS integration:
This bug (816865) was mentioned in
https://build.opensuse.org/request/show/547654 15.0 / clamav