——————————————————————————–
Fedora Update Notification
FEDORA-2020-dd0c20d985
2020-07-28 15:00:49.911952
——————————————————————————–

Name : clamav
Product : Fedora 31
Version : 0.102.4
Release : 1.fc31
URL : https://www.clamav.net/
Summary : End-user tools for the Clam Antivirus scanner
Description :
Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this
software is the integration with mail servers (attachment scanning). The
package provides a flexible and scalable multi-threaded daemon, a command
line scanner, and a tool for automatic updating via Internet. The programs
are based on a shared library distributed with the Clam AntiVirus package,
which you can use with your own software. The virus database is based on
the virus database from OpenAntiVirus, but contains additional signatures
(including signatures for popular polymorphic viruses, too) and is KEPT UP
TO DATE.

——————————————————————————–
Update Information:

ClamAV 0.102.4 is a bug patch release to address the following issues:
CVE-2020-3350 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3350>
Fixed a vulnerability a malicious user could exploit to replace a scan target’s
directory with a symlink to another path to trick clamscan, clamdscan, or
clamonacc into removing or moving a different file (such as a critical system
file). The issue would affect users that use the –move or –remove options for
clamscan, clamdscan and clamonacc. For more information about AV quarantine
attacks using links, see RACK911 Lab’s report
<https://www.rack911labs.com/research/exploiting-almost-every-antivirus-
software>. CVE-2020-3327 <https://cve.mitre.org/cgi-
bin/cvename.cgi?name=CVE-2020-3327> Fixed a vulnerability in the ARJ archive-
parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS)
condition. Improper bounds checking resulted in an out-of-bounds read that could
cause a crash. The previous fix for this CVE in version 0.102.3 was incomplete.
This fix correctly resolves the issue. CVE-2020-3481
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3481> Fixed a
vulnerability in the EGG archive module in ClamAV 0.102.0 – 0.102.3 that could
cause a denial-of-service (DoS) condition. Improper error handling could cause a
crash due to a NULL pointer dereference. This vulnerability is mitigated for
those using the official ClamAV signature databases because the file type
signatures in daily.cvd will not enable the EGG archive parser in affected
versions.
——————————————————————————–
ChangeLog:

* Fri Jul 17 2020 Orion Poplawski <orion@nwra.com> – 0.102.4-1
– Update to 0.102.4 (bz#1857867,1858262,1858263,1858265,1858266)
– Security fixes CVE-2020-3327 CVE-2020-3350 CVE-2020-3481
* Thu May 28 2020 Orion Poplawski <orion@nwra.com> – 0.102.3-2
– Update clamd README file (bz#1798369)
——————————————————————————–
References:

[ 1 ] Bug #1858261 – CVE-2020-3350 clamav: malicious user exploit to replace scan target’s directory with symlink
https://bugzilla.redhat.com/show_bug.cgi?id=1858261
[ 2 ] Bug #1858264 – CVE-2020-3481 clamav: improper error handling causing crash due to NULL pointer dereference
https://bugzilla.redhat.com/show_bug.cgi?id=1858264
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c ‘dnf upgrade –advisory FEDORA-2020-dd0c20d985’ at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org