https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html

[debian-lts-announce] 20200519 [SECURITY] [DLA 2215-1] clamav security update

FEDORA-2020-b0acd7b66e

FEDORA-2020-bca44487a1

FEDORA-2020-d98d2cbae1

USN-4370-1

USN-4370-2

This update for clamav fixes the following issues :

clamav was updated to the new major release 0.103.0.
(jsc#ECO-3010,bsc#1118459)

Note that libclamav was changed incompatible, if you have a 3rd party application that uses libclamav, it needs to be rebuilt.

Update to 0.103.0

  - clamd can now reload the signature database without     blocking scanning. This multi-threaded database reload     improvement was made possible thanks to a community     effort.

  - Non-blocking database reloads are now the default     behavior. Some systems that are more constrained on RAM     may need to disable non-blocking reloads as it will     temporarily consume two times as much memory. We added a     new clamd config option ConcurrentDatabaseReload, which     may be set to no.

  - Fix clamav-milter.service (requires clamd.service to     run)

Update to 0.102.4

  - CVE-2020-3350: Fix a vulnerability wherein a malicious     user could replace a scan target's directory with a     symlink to another path to trick clamscan, clamdscan, or     clamonacc into removing or moving a different file (eg.
    a critical system file). The issue would affect users     that use the --move or --remove options for clamscan,     clamdscan, and clamonacc.

  - CVE-2020-3327: Fix a vulnerability in the ARJ archive     parsing module in ClamAV 0.102.3 that could cause a     Denial-of-Service (DoS) condition. Improper bounds     checking results in an out-of-bounds read which could     cause a crash. The previous fix for this CVE in 0.102.3     was incomplete. This fix correctly resolves the issue.

  - CVE-2020-3481: Fix a vulnerability in the EGG archive     module in ClamAV 0.102.0 - 0.102.3 could cause a     Denial-of-Service (DoS) condition. Improper error     handling may result in a crash due to a NULL pointer     dereference. This vulnerability is mitigated for those     using the official ClamAV signature databases because     the file type signatures in daily.cvd will not enable     the EGG archive parser in versions affected by the     vulnerability.

Update to 0.102.3

  - CVE-2020-3327: Fix a vulnerability in the ARJ archive     parsing module in ClamAV 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper bounds     checking of an unsigned variable results in an     out-of-bounds read which causes a crash.

  - CVE-2020-3341: Fix a vulnerability in the PDF parsing     module in ClamAV 0.101 - 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper size     checking of a buffer used to initialize AES decryption     routines results in an out-of-bounds read which may     cause a crash.

  - Fix 'Attempt to allocate 0 bytes' error when parsing     some PDF documents.

  - Fix a couple of minor memory leaks.

  - Updated libclamunrar to UnRAR 5.9.2.

Update to 0.102.2 :

  - CVE-2020-3123: A denial-of-service (DoS) condition may     occur when using the optional credit card     data-loss-prevention (DLP) feature. Improper bounds     checking of an unsigned variable resulted in an     out-of-bounds read, which causes a crash.

  - Significantly improved the scan speed of PDF files on     Windows.

  - Re-applied a fix to alleviate file access issues when     scanning RAR files in downstream projects that use     libclamav where the scanning engine is operating in a     low-privilege process. This bug was originally fixed in     0.101.2 and the fix was mistakenly omitted from 0.102.0.

  - Fixed an issue where freshclam failed to update if the     database version downloaded is one version older than     advertised. This situation may occur after a new     database version is published. The issue affected users     downloading the whole CVD database file.

  - Changed the default freshclam ReceiveTimeout setting to     0 (infinite). The ReceiveTimeout had caused needless     database update failures for users with slower internet     connections.

  - Correctly display the number of kilobytes (KiB) in     progress bar and reduced the size of the progress bar to     accommodate 80-character width terminals.

  - Fixed an issue where running freshclam manually causes a     daemonized freshclam process to fail when it updates     because the manual instance deletes the temporary     download directory. The freshclam temporary files will     now download to a unique directory created at the time     of an update instead of using a hardcoded directory     created/destroyed at the program start/exit.

  - Fix for freshclam's OnOutdatedExecute config option.

  - Fixes a memory leak in the error condition handling for     the email parser.

  - Improved bound checking and error handling in ARJ     archive parser.

  - Improved error handling in PDF parser.

  - Fix for memory leak in byte-compare signature handler.

  - The freshclam.service should not be started before the     network is online (it checks for updates immediately     upon service start)

Update to 0.102.1 :

  - CVE-2019-15961, bsc#1157763: A Denial-of-Service (DoS)     vulnerability may occur when scanning a specially     crafted email file as a result of excessively long scan     times. The issue is resolved by implementing several     maximums in parsing MIME messages and by optimizing use     of memory allocation.

  - Build system fixes to build clamav-milter, to correctly     link with libxml2 when detected, and to correctly detect     fanotify for on-access scanning feature support.

  - Signature load time is significantly reduced by changing     to a more efficient algorithm for loading signature     patterns and allocating the AC trie. Patch courtesy of     Alberto Wu.

  - Introduced a new configure option to statically link     libjson-c with libclamav. Static linking with libjson is     highly recommended to prevent crashes in applications     that use libclamav alongside another JSON parsing     library.

  - Null-dereference fix in email parser when using the

    --gen-json metadata option.

  - Fixes for Authenticode parsing and certificate signature     (.crb database) bugs.

Update to 0.102.0 :

  - The On-Access Scanning feature has been migrated out of     clamd and into a brand new utility named clamonacc. This     utility is similar to clamdscan and clamav-milter in     that it acts as a client to clamd. This separation from     clamd means that clamd no longer needs to run with root     privileges while scanning potentially malicious files.
    Instead, clamd may drop privileges to run under an     account that does not have super-user. In addition to     improving the security posture of running clamd with     On-Access enabled, this update fixed a few outstanding     defects :

  - On-Access scanning for created and moved files     (Extra-Scanning) is fixed.

  - VirusEvent for On-Access scans is fixed.

  - With clamonacc, it is now possible to copy, move, or     remove a file if the scan triggered an alert, just like     with clamdscan.

  - The freshclam database update utility has undergone a     significant update. This includes :

  - Added support for HTTPS.

  - Support for database mirrors hosted on ports other than     80.

  - Removal of the mirror management feature (mirrors.dat).

  - An all new libfreshclam library API.

  - created new subpackage libfreshclam2

Update to 0.101.4 :

  - CVE-2019-12900: An out of bounds write in the NSIS bzip2     (bsc#1149458)

  - CVE-2019-12625: Introduce a configurable time limit to     mitigate zip bomb vulnerability completely. Default is 2     minutes, configurable useing the clamscan --max-scantime     and for clamd using the MaxScanTime config option     (bsc#1144504)

Update to version 0.101.3 :

  - bsc#1144504: ZIP bomb causes extreme CPU spikes

Update to version 0.101.2 (bsc#1130721)

  - CVE-2019-1787: An out-of-bounds heap read condition may     occur when scanning PDF documents. The defect is a     failure to correctly keep track of the number of bytes     remaining in a buffer when indexing file data.

  - CVE-2019-1789: An out-of-bounds heap read condition may     occur when scanning PE files (i.e. Windows EXE and DLL     files) that have been packed using Aspack as a result of     inadequate bound-checking.

  - CVE-2019-1788: An out-of-bounds heap write condition may     occur when scanning OLE2 files such as Microsoft Office     97-2003 documents. The invalid write happens when an     invalid pointer is mistakenly used to initialize a 32bit     integer to zero. This is likely to crash the     application.

  - CVE-2019-1786: An out-of-bounds heap read condition may     occur when scanning malformed PDF documents as a result     of improper bounds-checking.

  - CVE-2019-1785: A path-traversal write condition may     occur as a result of improper input validation when     scanning RAR archives.

  - CVE-2019-1798: A use-after-free condition may occur as a     result of improper error handling when scanning nested     RAR archives.

This update was imported from the SUSE:SLE-15:Update update project.

This update for clamav fixes the following issues :

clamav was updated to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459.

clamd can now reload the signature database without blocking scanning.
This multi-threaded database reload improvement was made possible thanks to a community effort.

  - Non-blocking database reloads are now the default     behavior. Some systems that are more constrained on RAM     may need to disable non-blocking reloads as it will     temporarily consume two times as much memory. We added a     new clamd config option ConcurrentDatabaseReload, which     may be set to no.

Fix clamav-milter.service (requires clamd.service to run)

bsc#1119353, clamav-fips.patch: Fix freshclam crash in FIPS mode.

Partial sync with SLE15.

Update to version 0.102.4

Accumulated security fixes :

CVE-2020-3350: Fix a vulnerability wherein a malicious user could replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (eg. a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan, and clamonacc. (bsc#1174255)

CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking results in an out-of-bounds read which could cause a crash. The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly resolves the issue.

CVE-2020-3481: Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) condition.
Improper error handling may result in a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in versions affected by the vulnerability. (bsc#1174250)

CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash.
(bsc#1171981)

CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.

CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation. (bsc#1157763).

CVE-2019-12900: An out of bounds write in the NSIS bzip2 (bsc#1149458)

CVE-2019-12625: Introduce a configurable time limit to mitigate zip bomb vulnerability completely. Default is 2 minutes, configurable useing the clamscan --max-scantime and for clamd using the MaxScanTime config option (bsc#1144504)

Update to version 0.101.3 :

ZIP bomb causes extreme CPU spikes (bsc#1144504)

Update to version 0.101.2 (bsc#1118459) :

Support for RAR v5 archive extraction.

Incompatible changes to the arguments of cl_scandesc, cl_scandesc_callback, and cl_scanmap_callback.

Scanning options have been converted from a single flag bit-field into a structure of multiple categorized flag bit-fields.

The CL_SCAN_HEURISTIC_ENCRYPTED scan option was replaced by 2 new scan options: CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE, and CL_SCAN_HEURISTIC_ENCRYPTED_DOC

Incompatible clamd.conf and command line interface changes.

Heuristic Alerts' (aka 'Algorithmic Detection') options have been changed to make the names more consistent. The original options are deprecated in 0.101, and will be removed in a future feature release.

For details, see https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for clamav fixes the following issues :

clamav was updated to the new major release 0.103.0.
(jsc#ECO-3010,bsc#1118459)

Note that libclamav was changed incompatible, if you have a 3rd party application that uses libclamav, it needs to be rebuilt.

Update to 0.103.0

clamd can now reload the signature database without blocking scanning.
This multi-threaded database reload improvement was made possible thanks to a community effort.

  - Non-blocking database reloads are now the default     behavior. Some systems that are more constrained on RAM     may need to disable non-blocking reloads as it will     temporarily consume two times as much memory. We added a     new clamd config option ConcurrentDatabaseReload, which     may be set to no.

  - Fix clamav-milter.service (requires clamd.service to     run)

Update to 0.102.4

  - CVE-2020-3350: Fix a vulnerability wherein a malicious     user could replace a scan target's directory with a     symlink to another path to trick clamscan, clamdscan, or     clamonacc into removing or moving a different file (eg.
    a critical system file). The issue would affect users     that use the --move or --remove options for clamscan,     clamdscan, and clamonacc.

  - CVE-2020-3327: Fix a vulnerability in the ARJ archive     parsing module in ClamAV 0.102.3 that could cause a     Denial-of-Service (DoS) condition. Improper bounds     checking results in an out-of-bounds read which could     cause a crash. The previous fix for this CVE in 0.102.3     was incomplete. This fix correctly resolves the issue.

  - CVE-2020-3481: Fix a vulnerability in the EGG archive     module in ClamAV 0.102.0 - 0.102.3 could cause a     Denial-of-Service (DoS) condition. Improper error     handling may result in a crash due to a NULL pointer     dereference. This vulnerability is mitigated for those     using the official ClamAV signature databases because     the file type signatures in daily.cvd will not enable     the EGG archive parser in versions affected by the     vulnerability.

Update to 0.102.3

  - CVE-2020-3327: Fix a vulnerability in the ARJ archive     parsing module in ClamAV 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper bounds     checking of an unsigned variable results in an     out-of-bounds read which causes a crash.

  - CVE-2020-3341: Fix a vulnerability in the PDF parsing     module in ClamAV 0.101 - 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper size     checking of a buffer used to initialize AES decryption     routines results in an out-of-bounds read which may     cause a crash.

  - Fix 'Attempt to allocate 0 bytes' error when parsing     some PDF documents.

  - Fix a couple of minor memory leaks.

  - Updated libclamunrar to UnRAR 5.9.2.

Update to 0.102.2 :

  - CVE-2020-3123: A denial-of-service (DoS) condition may     occur when using the optional credit card     data-loss-prevention (DLP) feature. Improper bounds     checking of an unsigned variable resulted in an     out-of-bounds read, which causes a crash.

  - Significantly improved the scan speed of PDF files on     Windows.

  - Re-applied a fix to alleviate file access issues when     scanning RAR files in downstream projects that use     libclamav where the scanning engine is operating in a     low-privilege process. This bug was originally fixed in     0.101.2 and the fix was mistakenly omitted from 0.102.0.

  - Fixed an issue where freshclam failed to update if the     database version downloaded is one version older than     advertised. This situation may occur after a new     database version is published. The issue affected users     downloading the whole CVD database file.

  - Changed the default freshclam ReceiveTimeout setting to     0 (infinite). The ReceiveTimeout had caused needless     database update failures for users with slower internet     connections.

  - Correctly display the number of kilobytes (KiB) in     progress bar and reduced the size of the progress bar to     accommodate 80-character width terminals.

  - Fixed an issue where running freshclam manually causes a     daemonized freshclam process to fail when it updates     because the manual instance deletes the temporary     download directory. The freshclam temporary files will     now download to a unique directory created at the time     of an update instead of using a hard-coded directory     created/destroyed at the program start/exit.

  - Fix for freshclam's OnOutdatedExecute config option.

  - Fixes a memory leak in the error condition handling for     the email parser.

  - Improved bound checking and error handling in ARJ     archive parser.

  - Improved error handling in PDF parser.

  - Fix for memory leak in byte-compare signature handler.

The freshclam.service should not be started before the network is online (it checks for updates immediately upon service start)

Update to 0.102.1 :

  - CVE-2019-15961, bsc#1157763: A Denial-of-Service (DoS)     vulnerability may occur when scanning a specially     crafted email file as a result of excessively long scan     times. The issue is resolved by implementing several     maximums in parsing MIME messages and by optimizing use     of memory allocation.

  - Build system fixes to build clamav-milter, to correctly     link with libxml2 when detected, and to correctly detect     fanotify for on-access scanning feature support.

  - Signature load time is significantly reduced by changing     to a more efficient algorithm for loading signature     patterns and allocating the AC trie. Patch courtesy of     Alberto Wu.

  - Introduced a new configure option to statically link     libjson-c with libclamav. Static linking with libjson is     highly recommended to prevent crashes in applications     that use libclamav alongside another JSON parsing     library.

  - Null-dereference fix in email parser when using the

    --gen-json metadata option.

  - Fixes for Authenticode parsing and certificate signature     (.crb database) bugs.

Update to 0.102.0 :

  - The On-Access Scanning feature has been migrated out of     clamd and into a brand new utility named clamonacc. This     utility is similar to clamdscan and clamav-milter in     that it acts as a client to clamd. This separation from     clamd means that clamd no longer needs to run with root     privileges while scanning potentially malicious files.
    Instead, clamd may drop privileges to run under an     account that does not have super-user. In addition to     improving the security posture of running clamd with     On-Access enabled, this update fixed a few outstanding     defects :

  - On-Access scanning for created and moved files     (Extra-Scanning) is fixed.

  - VirusEvent for On-Access scans is fixed.

  - With clamonacc, it is now possible to copy, move, or     remove a file if the scan triggered an alert, just like     with clamdscan.

  - The freshclam database update utility has undergone a     significant update. This includes :

  - Added support for HTTPS.

  - Support for database mirrors hosted on ports other than     80.

  - Removal of the mirror management feature (mirrors.dat).

  - An all new libfreshclam library API. created new     subpackage libfreshclam2

Update to 0.101.4 :

  - CVE-2019-12900: An out of bounds write in the NSIS bzip2     (bsc#1149458)

  - CVE-2019-12625: Introduce a configurable time limit to     mitigate zip bomb vulnerability completely. Default is 2     minutes, configurable useing the clamscan --max-scantime     and for clamd using the MaxScanTime config option     (bsc#1144504)

Update to version 0.101.3 :

  - bsc#1144504: ZIP bomb causes extreme CPU spikes

Update to version 0.101.2 (bsc#1130721)

  - CVE-2019-1787: An out-of-bounds heap read condition may     occur when scanning PDF documents. The defect is a     failure to correctly keep track of the number of bytes     remaining in a buffer when indexing file data.

  - CVE-2019-1789: An out-of-bounds heap read condition may     occur when scanning PE files (i.e. Windows EXE and DLL     files) that have been packed using Aspack as a result of     inadequate bound-checking.

  - CVE-2019-1788: An out-of-bounds heap write condition may     occur when scanning OLE2 files such as Microsoft Office     97-2003 documents. The invalid write happens when an     invalid pointer is mistakenly used to initialize a 32bit     integer to zero. This is likely to crash the     application.

  - CVE-2019-1786: An out-of-bounds heap read condition may     occur when scanning malformed PDF documents as a result     of improper bounds-checking.

  - CVE-2019-1785: A path-traversal write condition may     occur as a result of improper input validation when     scanning RAR archives.

  - CVE-2019-1798: A use-after-free condition may occur as a     result of improper error handling when scanning nested     RAR archives.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for clamav fixes the following issues :

clamav was updated to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459.

clamd can now reload the signature database without blocking scanning.
This multi-threaded database reload improvement was made possible thanks to a community effort.

  - Non-blocking database reloads are now the default     behavior. Some systems that are more constrained on RAM     may need to disable non-blocking reloads as it will     temporarily consume two times as much memory. We added a     new clamd config option ConcurrentDatabaseReload, which     may be set to no.

Fix clamav-milter.service (requires clamd.service to run)

Fix freshclam crash in FIPS mode. (bsc#1119353)

Update to version 0.102.4 :

Accumulated security fixes :

CVE-2020-3350: Fix a vulnerability wherein a malicious user could replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (eg. a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan, and clamonacc. (bsc#1174255)

CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking results in an out-of-bounds read which could cause a crash. The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly resolves the issue.

CVE-2020-3481: Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) condition.
Improper error handling may result in a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in versions affected by the vulnerability. (bsc#1174250)

CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash.
(bsc#1171981)

CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.

CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation. (bsc#1157763).

CVE-2019-12900: An out of bounds write in the NSIS bzip2 (bsc#1149458)

CVE-2019-12625: Introduce a configurable time limit to mitigate zip bomb vulnerability completely. Default is 2 minutes, configurable useing the clamscan --max-scantime and for clamd using the MaxScanTime config option (bsc#1144504)

Increase the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed. (bsc#1151839)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ClamAV 0.102.3 is a bug patch release to address the following issues.

  - CVE-2020-3327: Fix a vulnerability in the ARJ archive     parsing module in ClamAV 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper bounds     checking of an unsigned variable results in an     out-of-bounds read which causes a crash. Special thanks     to Daehui Chang and Fady Othman for helping identify the     ARJ parsing vulnerability.

  - CVE-2020-3341: Fix a vulnerability in the PDF parsing     module in ClamAV 0.101 - 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper size     checking of a buffer used to initialize AES decryption     routines results in an out-of-bounds read which may     cause a crash. Bug found by OSS-Fuzz.

  - Fix 'Attempt to allocate 0 bytes' error when parsing     some PDF documents.

  - Fix a couple of minor memory leaks.

----

  - Add upstream patch to fix 'Attempt to allocate 0 bytes'     errors while scanning certain PDFs 

  - Do not log freshclam output to syslog by default -     creates double entries in the journal (bz#1822012)

  - (#1820069) add try-restart clamav-freshclam.service on     logrotate

  - Enable prelude support (bz#1829726)

  - Move /etc/clamd.d/scan.conf to clamav-filesystem

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that ClamAV incorrectly handled parsing ARJ archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3327)

It was discovered that ClamAV incorrectly handled parsing PDF files. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3341).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The following CVE(s) were found in src:clamav package.

CVE-2020-3327

A vulnerability in the ARJ archive parsing module in Clam AntiVirus (ClamAV) could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to a heap buffer overflow read. An attacker could exploit this vulnerability by sending a crafted ARJ file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process crash, resulting in a denial of service condition.

CVE-2020-3341

A vulnerability in the PDF archive parsing module in Clam AntiVirus (ClamAV) could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to a stack-based buffer overflow read. An attacker could exploit this vulnerability by sending a crafted PDF file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process crash, resulting in a denial of service condition.

For Debian 8 'Jessie', these problems have been fixed in version 0.101.5+dfsg-0+deb8u2.

We recommend that you upgrade your clamav packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Micah Snyder reports :

CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition.
Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.

CVE-2020-3341: Fixed a vulnerability in the PDF-parsing module in ClamAV 0.101 - 0.102.2 that could cause a denial-of-service condition.
Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read, which may cause a crash.
OSS-Fuzz discovered this vulnerability.

ID	Name	Product	Family	Severity
145338	openSUSE Security Update : clamav (openSUSE-2020-2268)	Nessus	SuSE Local Security Checks	high
145307	openSUSE Security Update : clamav (openSUSE-2020-2276)	Nessus	SuSE Local Security Checks	high
144579	SUSE SLES12 Security Update : clamav (SUSE-SU-2020:3918-1)	Nessus	SuSE Local Security Checks	high
144237	SUSE SLED15 / SLES15 Security Update : clamav (SUSE-SU-2020:3790-1)	Nessus	SuSE Local Security Checks	high
143705	SUSE SLES12 Security Update : clamav (SUSE-SU-2020:3729-1)	Nessus	SuSE Local Security Checks	high
136848	Fedora 30 : clamav (2020-d98d2cbae1)	Nessus	Fedora Local Security Checks	medium
136844	Fedora 31 : clamav (2020-b0acd7b66e)	Nessus	Fedora Local Security Checks	medium
136801	Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : ClamAV vulnerabilities (USN-4370-1)	Nessus	Ubuntu Local Security Checks	medium
136720	Debian DLA-2215-1 : clamav security update	Nessus	Debian Local Security Checks	medium
136688	FreeBSD : clamav -- multiple vulnerabilities (91ce95d5-cd15-4105-b942-af5ccc7144c1)	Nessus	FreeBSD Local Security Checks	medium

CVE-2020-3341

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

medium

medium

medium

medium

medium