[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
PR/54420 CVS commit: pkgsrc/security/clamav
The following reply was made to PR pkg/54420; it has been noted by GNATS.
From: "Patrick Welche" <prlw1%netbsd.org@localhost>
Subject: PR/54420 CVS commit: pkgsrc/security/clamav
Date: Mon, 5 Aug 2019 14:44:20 +0000
Module Name: pkgsrc
Committed By: prlw1
Date: Mon Aug 5 14:44:20 UTC 2019
pkgsrc/security/clamav: Makefile Makefile.common PLIST buildlink3.mk
pkgsrc/security/clamav/patches: patch-Makefile.in patch-ab
Update clamav to 0.101.2
Remove rar support to workaround PR pkg/54420
This release includes 3 extra security related bug fixes that do not
apply to prior versions. In addition, it includes a number of minor bug
fixes and improvements.
* Fixes for the following vulnerabilities affecting 0.101.1 and
+ CVE-2019-1787: An out-of-bounds heap read condition may occur
when scanning PDF documents. The defect is a failure to
correctly keep track of the number of bytes remaining in a
buffer when indexing file data.
+ CVE-2019-1789: An out-of-bounds heap read condition may occur
when scanning PE files (i.e. Windows EXE and DLL files) that
have been packed using Aspack as a result of inadequate
+ CVE-2019-1788: An out-of-bounds heap write condition may occur
when scanning OLE2 files such as Microsoft Office 97-2003
documents. The invalid write happens when an invalid pointer
is mistakenly used to initialize a 32bit integer to zero. This
is likely to crash the application.
* Fixes for the following ClamAV vulnerabilities:
+ CVE-2018-15378: Vulnerability in ClamAV's MEW unpacking
feature that could allow an unauthenticated, remote attacker
to cause a denial of service (DoS) condition on an affected
device. Reported by Secunia Research at Flexera.
+ Fix for a 2-byte buffer over-read bug in ClamAV's PDF parsing
code. Reported by Alex Gaynor.
* Fixes for the following vulnerabilities in bundled third-party
+ CVE-2018-14680: An issue was discovered in mspack/chmd.c in
libmspack before 0.7alpha. It does not reject blank CHM
+ CVE-2018-14681: An issue was discovered in kwajd_read_headers
in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file
header extensions could cause a one or two byte overwrite.
+ CVE-2018-14682: An issue was discovered in mspack/chmd.c in
libmspack before 0.7alpha. There is an off-by-one error in the
TOLOWER() macro for CHM decompression.
+ Additionally, 0.100.2 reverted 0.100.1's patch for
CVE-2018-14679, and applied libmspack's version of the fix in
* Fixes for the following CVE's:
+ CVE-2017-16932: Vulnerability in libxml2 dependency (affects
ClamAV on Windows only).
+ CVE-2018-0360: HWP integer overflow, infinite loop
vulnerability. Reported by Secunia Research at Flexera.
+ CVE-2018-0361: ClamAV PDF object length check, unreasonably
long time to parse relatively small file. Reported by aCaB.
For the full release notes, see:
To generate a diff of this commit:
cvs rdiff -u -r1.50 -r1.51 pkgsrc/security/clamav/Makefile
cvs rdiff -u -r1.10 -r1.11 pkgsrc/security/clamav/Makefile.common
cvs rdiff -u -r1.6 -r1.7 pkgsrc/security/clamav/PLIST
cvs rdiff -u -r1.7 -r1.8 pkgsrc/security/clamav/buildlink3.mk
cvs rdiff -u -r1.27 -r1.28 pkgsrc/security/clamav/distinfo
cvs rdiff -u -r1.5 -r1.6 pkgsrc/security/clamav/options.mk
cvs rdiff -u -r1.4 -r1.5 pkgsrc/security/clamav/patches/patch-Makefile.in
cvs rdiff -u -r126.96.36.199 -r1.2 pkgsrc/security/clamav/patches/patch-ab
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Main Index |
Thread Index |