ClamAV 0.102.4 security patch released

[debian-lts-announce] 20200806 [SECURITY] [DLA 2314-1] clamav security update

FEDORA-2020-6584a641ae

FEDORA-2020-dd0c20d985

GLSA-202007-23

USN-4435-1

USN-4435-2

This update for clamav fixes the following issues :

clamav was updated to the new major release 0.103.0.
(jsc#ECO-3010,bsc#1118459)

Note that libclamav was changed incompatible, if you have a 3rd party application that uses libclamav, it needs to be rebuilt.

Update to 0.103.0

  - clamd can now reload the signature database without     blocking scanning. This multi-threaded database reload     improvement was made possible thanks to a community     effort.

  - Non-blocking database reloads are now the default     behavior. Some systems that are more constrained on RAM     may need to disable non-blocking reloads as it will     temporarily consume two times as much memory. We added a     new clamd config option ConcurrentDatabaseReload, which     may be set to no.

  - Fix clamav-milter.service (requires clamd.service to     run)

Update to 0.102.4

  - CVE-2020-3350: Fix a vulnerability wherein a malicious     user could replace a scan target's directory with a     symlink to another path to trick clamscan, clamdscan, or     clamonacc into removing or moving a different file (eg.
    a critical system file). The issue would affect users     that use the --move or --remove options for clamscan,     clamdscan, and clamonacc.

  - CVE-2020-3327: Fix a vulnerability in the ARJ archive     parsing module in ClamAV 0.102.3 that could cause a     Denial-of-Service (DoS) condition. Improper bounds     checking results in an out-of-bounds read which could     cause a crash. The previous fix for this CVE in 0.102.3     was incomplete. This fix correctly resolves the issue.

  - CVE-2020-3481: Fix a vulnerability in the EGG archive     module in ClamAV 0.102.0 - 0.102.3 could cause a     Denial-of-Service (DoS) condition. Improper error     handling may result in a crash due to a NULL pointer     dereference. This vulnerability is mitigated for those     using the official ClamAV signature databases because     the file type signatures in daily.cvd will not enable     the EGG archive parser in versions affected by the     vulnerability.

Update to 0.102.3

  - CVE-2020-3327: Fix a vulnerability in the ARJ archive     parsing module in ClamAV 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper bounds     checking of an unsigned variable results in an     out-of-bounds read which causes a crash.

  - CVE-2020-3341: Fix a vulnerability in the PDF parsing     module in ClamAV 0.101 - 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper size     checking of a buffer used to initialize AES decryption     routines results in an out-of-bounds read which may     cause a crash.

  - Fix 'Attempt to allocate 0 bytes' error when parsing     some PDF documents.

  - Fix a couple of minor memory leaks.

  - Updated libclamunrar to UnRAR 5.9.2.

Update to 0.102.2 :

  - CVE-2020-3123: A denial-of-service (DoS) condition may     occur when using the optional credit card     data-loss-prevention (DLP) feature. Improper bounds     checking of an unsigned variable resulted in an     out-of-bounds read, which causes a crash.

  - Significantly improved the scan speed of PDF files on     Windows.

  - Re-applied a fix to alleviate file access issues when     scanning RAR files in downstream projects that use     libclamav where the scanning engine is operating in a     low-privilege process. This bug was originally fixed in     0.101.2 and the fix was mistakenly omitted from 0.102.0.

  - Fixed an issue where freshclam failed to update if the     database version downloaded is one version older than     advertised. This situation may occur after a new     database version is published. The issue affected users     downloading the whole CVD database file.

  - Changed the default freshclam ReceiveTimeout setting to     0 (infinite). The ReceiveTimeout had caused needless     database update failures for users with slower internet     connections.

  - Correctly display the number of kilobytes (KiB) in     progress bar and reduced the size of the progress bar to     accommodate 80-character width terminals.

  - Fixed an issue where running freshclam manually causes a     daemonized freshclam process to fail when it updates     because the manual instance deletes the temporary     download directory. The freshclam temporary files will     now download to a unique directory created at the time     of an update instead of using a hardcoded directory     created/destroyed at the program start/exit.

  - Fix for freshclam's OnOutdatedExecute config option.

  - Fixes a memory leak in the error condition handling for     the email parser.

  - Improved bound checking and error handling in ARJ     archive parser.

  - Improved error handling in PDF parser.

  - Fix for memory leak in byte-compare signature handler.

  - The freshclam.service should not be started before the     network is online (it checks for updates immediately     upon service start)

Update to 0.102.1 :

  - CVE-2019-15961, bsc#1157763: A Denial-of-Service (DoS)     vulnerability may occur when scanning a specially     crafted email file as a result of excessively long scan     times. The issue is resolved by implementing several     maximums in parsing MIME messages and by optimizing use     of memory allocation.

  - Build system fixes to build clamav-milter, to correctly     link with libxml2 when detected, and to correctly detect     fanotify for on-access scanning feature support.

  - Signature load time is significantly reduced by changing     to a more efficient algorithm for loading signature     patterns and allocating the AC trie. Patch courtesy of     Alberto Wu.

  - Introduced a new configure option to statically link     libjson-c with libclamav. Static linking with libjson is     highly recommended to prevent crashes in applications     that use libclamav alongside another JSON parsing     library.

  - Null-dereference fix in email parser when using the

    --gen-json metadata option.

  - Fixes for Authenticode parsing and certificate signature     (.crb database) bugs.

Update to 0.102.0 :

  - The On-Access Scanning feature has been migrated out of     clamd and into a brand new utility named clamonacc. This     utility is similar to clamdscan and clamav-milter in     that it acts as a client to clamd. This separation from     clamd means that clamd no longer needs to run with root     privileges while scanning potentially malicious files.
    Instead, clamd may drop privileges to run under an     account that does not have super-user. In addition to     improving the security posture of running clamd with     On-Access enabled, this update fixed a few outstanding     defects :

  - On-Access scanning for created and moved files     (Extra-Scanning) is fixed.

  - VirusEvent for On-Access scans is fixed.

  - With clamonacc, it is now possible to copy, move, or     remove a file if the scan triggered an alert, just like     with clamdscan.

  - The freshclam database update utility has undergone a     significant update. This includes :

  - Added support for HTTPS.

  - Support for database mirrors hosted on ports other than     80.

  - Removal of the mirror management feature (mirrors.dat).

  - An all new libfreshclam library API.

  - created new subpackage libfreshclam2

Update to 0.101.4 :

  - CVE-2019-12900: An out of bounds write in the NSIS bzip2     (bsc#1149458)

  - CVE-2019-12625: Introduce a configurable time limit to     mitigate zip bomb vulnerability completely. Default is 2     minutes, configurable useing the clamscan --max-scantime     and for clamd using the MaxScanTime config option     (bsc#1144504)

Update to version 0.101.3 :

  - bsc#1144504: ZIP bomb causes extreme CPU spikes

Update to version 0.101.2 (bsc#1130721)

  - CVE-2019-1787: An out-of-bounds heap read condition may     occur when scanning PDF documents. The defect is a     failure to correctly keep track of the number of bytes     remaining in a buffer when indexing file data.

  - CVE-2019-1789: An out-of-bounds heap read condition may     occur when scanning PE files (i.e. Windows EXE and DLL     files) that have been packed using Aspack as a result of     inadequate bound-checking.

  - CVE-2019-1788: An out-of-bounds heap write condition may     occur when scanning OLE2 files such as Microsoft Office     97-2003 documents. The invalid write happens when an     invalid pointer is mistakenly used to initialize a 32bit     integer to zero. This is likely to crash the     application.

  - CVE-2019-1786: An out-of-bounds heap read condition may     occur when scanning malformed PDF documents as a result     of improper bounds-checking.

  - CVE-2019-1785: A path-traversal write condition may     occur as a result of improper input validation when     scanning RAR archives.

  - CVE-2019-1798: A use-after-free condition may occur as a     result of improper error handling when scanning nested     RAR archives.

This update was imported from the SUSE:SLE-15:Update update project.

This update for clamav fixes the following issues :

clamav was updated to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459.

clamd can now reload the signature database without blocking scanning.
This multi-threaded database reload improvement was made possible thanks to a community effort.

  - Non-blocking database reloads are now the default     behavior. Some systems that are more constrained on RAM     may need to disable non-blocking reloads as it will     temporarily consume two times as much memory. We added a     new clamd config option ConcurrentDatabaseReload, which     may be set to no.

Fix clamav-milter.service (requires clamd.service to run)

bsc#1119353, clamav-fips.patch: Fix freshclam crash in FIPS mode.

Partial sync with SLE15.

Update to version 0.102.4

Accumulated security fixes :

CVE-2020-3350: Fix a vulnerability wherein a malicious user could replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (eg. a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan, and clamonacc. (bsc#1174255)

CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking results in an out-of-bounds read which could cause a crash. The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly resolves the issue.

CVE-2020-3481: Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) condition.
Improper error handling may result in a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in versions affected by the vulnerability. (bsc#1174250)

CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash.
(bsc#1171981)

CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.

CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation. (bsc#1157763).

CVE-2019-12900: An out of bounds write in the NSIS bzip2 (bsc#1149458)

CVE-2019-12625: Introduce a configurable time limit to mitigate zip bomb vulnerability completely. Default is 2 minutes, configurable useing the clamscan --max-scantime and for clamd using the MaxScanTime config option (bsc#1144504)

Update to version 0.101.3 :

ZIP bomb causes extreme CPU spikes (bsc#1144504)

Update to version 0.101.2 (bsc#1118459) :

Support for RAR v5 archive extraction.

Incompatible changes to the arguments of cl_scandesc, cl_scandesc_callback, and cl_scanmap_callback.

Scanning options have been converted from a single flag bit-field into a structure of multiple categorized flag bit-fields.

The CL_SCAN_HEURISTIC_ENCRYPTED scan option was replaced by 2 new scan options: CL_SCAN_HEURISTIC_ENCRYPTED_ARCHIVE, and CL_SCAN_HEURISTIC_ENCRYPTED_DOC

Incompatible clamd.conf and command line interface changes.

Heuristic Alerts' (aka 'Algorithmic Detection') options have been changed to make the names more consistent. The original options are deprecated in 0.101, and will be removed in a future feature release.

For details, see https://blog.clamav.net/2018/12/clamav-01010-has-been-released.html

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for clamav fixes the following issues :

clamav was updated to the new major release 0.103.0.
(jsc#ECO-3010,bsc#1118459)

Note that libclamav was changed incompatible, if you have a 3rd party application that uses libclamav, it needs to be rebuilt.

Update to 0.103.0

clamd can now reload the signature database without blocking scanning.
This multi-threaded database reload improvement was made possible thanks to a community effort.

  - Non-blocking database reloads are now the default     behavior. Some systems that are more constrained on RAM     may need to disable non-blocking reloads as it will     temporarily consume two times as much memory. We added a     new clamd config option ConcurrentDatabaseReload, which     may be set to no.

  - Fix clamav-milter.service (requires clamd.service to     run)

Update to 0.102.4

  - CVE-2020-3350: Fix a vulnerability wherein a malicious     user could replace a scan target's directory with a     symlink to another path to trick clamscan, clamdscan, or     clamonacc into removing or moving a different file (eg.
    a critical system file). The issue would affect users     that use the --move or --remove options for clamscan,     clamdscan, and clamonacc.

  - CVE-2020-3327: Fix a vulnerability in the ARJ archive     parsing module in ClamAV 0.102.3 that could cause a     Denial-of-Service (DoS) condition. Improper bounds     checking results in an out-of-bounds read which could     cause a crash. The previous fix for this CVE in 0.102.3     was incomplete. This fix correctly resolves the issue.

  - CVE-2020-3481: Fix a vulnerability in the EGG archive     module in ClamAV 0.102.0 - 0.102.3 could cause a     Denial-of-Service (DoS) condition. Improper error     handling may result in a crash due to a NULL pointer     dereference. This vulnerability is mitigated for those     using the official ClamAV signature databases because     the file type signatures in daily.cvd will not enable     the EGG archive parser in versions affected by the     vulnerability.

Update to 0.102.3

  - CVE-2020-3327: Fix a vulnerability in the ARJ archive     parsing module in ClamAV 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper bounds     checking of an unsigned variable results in an     out-of-bounds read which causes a crash.

  - CVE-2020-3341: Fix a vulnerability in the PDF parsing     module in ClamAV 0.101 - 0.102.2 that could cause a     Denial-of-Service (DoS) condition. Improper size     checking of a buffer used to initialize AES decryption     routines results in an out-of-bounds read which may     cause a crash.

  - Fix 'Attempt to allocate 0 bytes' error when parsing     some PDF documents.

  - Fix a couple of minor memory leaks.

  - Updated libclamunrar to UnRAR 5.9.2.

Update to 0.102.2 :

  - CVE-2020-3123: A denial-of-service (DoS) condition may     occur when using the optional credit card     data-loss-prevention (DLP) feature. Improper bounds     checking of an unsigned variable resulted in an     out-of-bounds read, which causes a crash.

  - Significantly improved the scan speed of PDF files on     Windows.

  - Re-applied a fix to alleviate file access issues when     scanning RAR files in downstream projects that use     libclamav where the scanning engine is operating in a     low-privilege process. This bug was originally fixed in     0.101.2 and the fix was mistakenly omitted from 0.102.0.

  - Fixed an issue where freshclam failed to update if the     database version downloaded is one version older than     advertised. This situation may occur after a new     database version is published. The issue affected users     downloading the whole CVD database file.

  - Changed the default freshclam ReceiveTimeout setting to     0 (infinite). The ReceiveTimeout had caused needless     database update failures for users with slower internet     connections.

  - Correctly display the number of kilobytes (KiB) in     progress bar and reduced the size of the progress bar to     accommodate 80-character width terminals.

  - Fixed an issue where running freshclam manually causes a     daemonized freshclam process to fail when it updates     because the manual instance deletes the temporary     download directory. The freshclam temporary files will     now download to a unique directory created at the time     of an update instead of using a hard-coded directory     created/destroyed at the program start/exit.

  - Fix for freshclam's OnOutdatedExecute config option.

  - Fixes a memory leak in the error condition handling for     the email parser.

  - Improved bound checking and error handling in ARJ     archive parser.

  - Improved error handling in PDF parser.

  - Fix for memory leak in byte-compare signature handler.

The freshclam.service should not be started before the network is online (it checks for updates immediately upon service start)

Update to 0.102.1 :

  - CVE-2019-15961, bsc#1157763: A Denial-of-Service (DoS)     vulnerability may occur when scanning a specially     crafted email file as a result of excessively long scan     times. The issue is resolved by implementing several     maximums in parsing MIME messages and by optimizing use     of memory allocation.

  - Build system fixes to build clamav-milter, to correctly     link with libxml2 when detected, and to correctly detect     fanotify for on-access scanning feature support.

  - Signature load time is significantly reduced by changing     to a more efficient algorithm for loading signature     patterns and allocating the AC trie. Patch courtesy of     Alberto Wu.

  - Introduced a new configure option to statically link     libjson-c with libclamav. Static linking with libjson is     highly recommended to prevent crashes in applications     that use libclamav alongside another JSON parsing     library.

  - Null-dereference fix in email parser when using the

    --gen-json metadata option.

  - Fixes for Authenticode parsing and certificate signature     (.crb database) bugs.

Update to 0.102.0 :

  - The On-Access Scanning feature has been migrated out of     clamd and into a brand new utility named clamonacc. This     utility is similar to clamdscan and clamav-milter in     that it acts as a client to clamd. This separation from     clamd means that clamd no longer needs to run with root     privileges while scanning potentially malicious files.
    Instead, clamd may drop privileges to run under an     account that does not have super-user. In addition to     improving the security posture of running clamd with     On-Access enabled, this update fixed a few outstanding     defects :

  - On-Access scanning for created and moved files     (Extra-Scanning) is fixed.

  - VirusEvent for On-Access scans is fixed.

  - With clamonacc, it is now possible to copy, move, or     remove a file if the scan triggered an alert, just like     with clamdscan.

  - The freshclam database update utility has undergone a     significant update. This includes :

  - Added support for HTTPS.

  - Support for database mirrors hosted on ports other than     80.

  - Removal of the mirror management feature (mirrors.dat).

  - An all new libfreshclam library API. created new     subpackage libfreshclam2

Update to 0.101.4 :

  - CVE-2019-12900: An out of bounds write in the NSIS bzip2     (bsc#1149458)

  - CVE-2019-12625: Introduce a configurable time limit to     mitigate zip bomb vulnerability completely. Default is 2     minutes, configurable useing the clamscan --max-scantime     and for clamd using the MaxScanTime config option     (bsc#1144504)

Update to version 0.101.3 :

  - bsc#1144504: ZIP bomb causes extreme CPU spikes

Update to version 0.101.2 (bsc#1130721)

  - CVE-2019-1787: An out-of-bounds heap read condition may     occur when scanning PDF documents. The defect is a     failure to correctly keep track of the number of bytes     remaining in a buffer when indexing file data.

  - CVE-2019-1789: An out-of-bounds heap read condition may     occur when scanning PE files (i.e. Windows EXE and DLL     files) that have been packed using Aspack as a result of     inadequate bound-checking.

  - CVE-2019-1788: An out-of-bounds heap write condition may     occur when scanning OLE2 files such as Microsoft Office     97-2003 documents. The invalid write happens when an     invalid pointer is mistakenly used to initialize a 32bit     integer to zero. This is likely to crash the     application.

  - CVE-2019-1786: An out-of-bounds heap read condition may     occur when scanning malformed PDF documents as a result     of improper bounds-checking.

  - CVE-2019-1785: A path-traversal write condition may     occur as a result of improper input validation when     scanning RAR archives.

  - CVE-2019-1798: A use-after-free condition may occur as a     result of improper error handling when scanning nested     RAR archives.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for clamav fixes the following issues :

clamav was updated to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459.

clamd can now reload the signature database without blocking scanning.
This multi-threaded database reload improvement was made possible thanks to a community effort.

  - Non-blocking database reloads are now the default     behavior. Some systems that are more constrained on RAM     may need to disable non-blocking reloads as it will     temporarily consume two times as much memory. We added a     new clamd config option ConcurrentDatabaseReload, which     may be set to no.

Fix clamav-milter.service (requires clamd.service to run)

Fix freshclam crash in FIPS mode. (bsc#1119353)

Update to version 0.102.4 :

Accumulated security fixes :

CVE-2020-3350: Fix a vulnerability wherein a malicious user could replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (eg. a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan, and clamonacc. (bsc#1174255)

CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking results in an out-of-bounds read which could cause a crash. The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly resolves the issue.

CVE-2020-3481: Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) condition.
Improper error handling may result in a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in versions affected by the vulnerability. (bsc#1174250)

CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition.
Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash.
(bsc#1171981)

CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature.
Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.

CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation. (bsc#1157763).

CVE-2019-12900: An out of bounds write in the NSIS bzip2 (bsc#1149458)

CVE-2019-12625: Introduce a configurable time limit to mitigate zip bomb vulnerability completely. Default is 2 minutes, configurable useing the clamscan --max-scantime and for clamd using the MaxScanTime config option (bsc#1144504)

Increase the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed. (bsc#1151839)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2020-1433 advisory.

  - A vulnerability in the ARJ archive parsing module in Clam AntiVirus (ClamAV) Software versions 0.102.2     could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected     device. The vulnerability is due to a heap buffer overflow read. An attacker could exploit this     vulnerability by sending a crafted ARJ file to an affected device. An exploit could allow the attacker to     cause the ClamAV scanning process crash, resulting in a denial of service condition. (CVE-2020-3327)

  - A vulnerability in the endpoint software of Cisco AMP for Endpoints and Clam AntiVirus could allow an     authenticated, local attacker to cause the running software to delete arbitrary files on the system. The     vulnerability is due to a race condition that could occur when scanning malicious files. An attacker with     local shell access could exploit this vulnerability by executing a script that could trigger the race     condition. A successful exploit could allow the attacker to delete arbitrary files on the system that the     attacker would not normally have privileges to delete, producing system instability or causing the     endpoint software to stop working. (CVE-2020-3350)

  - A vulnerability in the EGG archive parsing module in Clam AntiVirus (ClamAV) Software versions 0.102.0 -     0.102.3 could allow an unauthenticated, remote attacker to cause a denial of service condition on an     affected device. The vulnerability is due to a null pointer dereference. An attacker could exploit this     vulnerability by sending a crafted EGG file to an affected device. An exploit could allow the attacker to     cause the ClamAV scanning process crash, resulting in a denial of service condition. (CVE-2020-3481)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Several vulnerabilities have been found in the ClamAV antivirus toolkit :

CVE-2020-3327

An out of bounds read in the ARJ archive-parsing module could cause denial of service. The fix in 0.102.3 was incomplete.

CVE-2020-3350

A malicious user could trick clamscan, clamdscan or clamonacc into moving or removing a different file than intended when those are used with one of the --move or --remove options. This could be used to get rid of special system files.

CVE-2020-3481

The EGG archive module was vulnerable to denial of service via NULL pointer dereference due to improper error handling. The official signature database avoided this problem because the signatures there avoided the use of the EGG archive parser.

For Debian 9 stretch, these problems have been fixed in version 0.102.4+dfsg-0+deb9u1.

We recommend that you upgrade your clamav packages.

For the detailed security status of clamav please refer to its security tracker page at:
https://security-tracker.debian.org/tracker/clamav

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ClamAV 0.102.4 is a bug patch release to address the following issues :

CVE-2020-3350 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3350> Fixed a vulnerability a malicious user could exploit to replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (such as a critical system file). The issue would affect users that use the
--move or --remove options for clamscan, clamdscan and clamonacc.

For more information about AV quarantine attacks using links, see RACK911 Lab's report <https://www.rack911labs.com/research/exploiting-almost-every-antiviru s-software>.

CVE-2020-3327 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327> Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS) condition. Improper bounds checking resulted in an out-of-bounds read that could cause a crash.
The previous fix for this CVE in version 0.102.3 was incomplete. This fix correctly resolves the issue.

CVE-2020-3481 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3481> Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could cause a denial-of-service (DoS) condition. Improper error handling could cause a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in affected versions.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that ClamAV incorrectly handled parsing ARJ archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3327) It was discovered that ClamAV incorrectly handled scanning malicious files. A local attacker could possibly use this issue to delete arbitrary files. (CVE-2020-3350) It was discovered that ClamAV incorrectly handled parsing EGG archives. A remote attacker could possibly use this issue to cause ClamAV to crash, resulting in a denial of service. (CVE-2020-3481).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-202007-23 (ClamAV: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in ClamAV. Please review       the CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

Micah Snyder reports : CVE-2020-3350 Fixed a vulnerability a malicious user could exploit to replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (such as a critical system file).
The issue would affect users that use the --move or --remove options for clamscan, clamdscan and clamonacc. CVE-2020-3327 Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS) condition. Improper bounds checking resulted in an out-of-bounds read that could cause a crash.
The previous fix for this CVE in version 0.102.3 was incomplete. This fix correctly resolves the issue. CVE-2020-3481 Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could cause a denial-of-service (DoS) condition. Improper error handling could cause a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in affected versions.

ID	Name	Product	Family	Severity
145338	openSUSE Security Update : clamav (openSUSE-2020-2268)	Nessus	SuSE Local Security Checks	high
145307	openSUSE Security Update : clamav (openSUSE-2020-2276)	Nessus	SuSE Local Security Checks	high
144579	SUSE SLES12 Security Update : clamav (SUSE-SU-2020:3918-1)	Nessus	SuSE Local Security Checks	high
144237	SUSE SLED15 / SLES15 Security Update : clamav (SUSE-SU-2020:3790-1)	Nessus	SuSE Local Security Checks	high
143705	SUSE SLES12 Security Update : clamav (SUSE-SU-2020:3729-1)	Nessus	SuSE Local Security Checks	high
140612	Amazon Linux AMI : clamav (ALAS-2020-1433)	Nessus	Amazon Linux Local Security Checks	low
139387	Debian DLA-2314-1 : clamav security update	Nessus	Debian Local Security Checks	low
139260	Fedora 32 : clamav (2020-6584a641ae)	Nessus	Fedora Local Security Checks	low
139108	Fedora 31 : clamav (2020-dd0c20d985)	Nessus	Fedora Local Security Checks	low
139023	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 : ClamAV vulnerabilities (USN-4435-1)	Nessus	Ubuntu Local Security Checks	low
138946	GLSA-202007-23 : ClamAV: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	low
138583	FreeBSD : clamav -- multiple vulnerabilities (f7a02651-c798-11ea-81d6-6805cabe6ebb)	Nessus	FreeBSD Local Security Checks	low

CVE-2020-3481

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

low

low

low

low

low

low

low