--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2020-b0acd7b66e
2020-05-23 02:50:34.907158
--------------------------------------------------------------------------------

Name        : clamav
Product     : Fedora 31
Version     : 0.102.3
Release     : 1.fc31
URL         : https://www.clamav.net/
Summary     : End-user tools for the Clam Antivirus scanner
Description :
Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this
software is the integration with mail servers (attachment scanning). The
package provides a flexible and scalable multi-threaded daemon, a command
line scanner, and a tool for automatic updating via Internet. The programs
are based on a shared library distributed with the Clam AntiVirus package,
which you can use with your own software. The virus database is based on
the virus database from OpenAntiVirus, but contains additional signatures
(including signatures for popular polymorphic viruses, too) and is KEPT UP
TO DATE.

--------------------------------------------------------------------------------
Update Information:

ClamAV 0.102.3 is a bug patch release to address the following issues.

- CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module in
  ClamAV 0.102.2 that could cause a Denial-of-Service (DoS) condition.
  Improper bounds checking of an unsigned variable results in an
  out-of-bounds read which causes a crash. Special thanks to Daehui Chang
  and Fady Othman for helping identify the ARJ parsing vulnerability.
- CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV
  0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition.
  Improper size checking of a buffer used to initialize AES decryption
  routines results in an out-of-bounds read which may cause a crash. Bug
  found by OSS-Fuzz.
- Fix "Attempt to allocate 0 bytes" error when parsing some PDF documents.
- Fix a couple of minor memory leaks.

----

- Add upstream patch to fix "Attempt to allocate 0 bytes" errors while
  scanning certain PDFs
- Do not log freshclam output to syslog by default - creates double entries
  in the journal (bz#1822012)
- (#1820069) add try-restart clamav-freshclam.service on logrotate
- Enable prelude support (bz#1829726)
- Move /etc/clamd.d/scan.conf to clamav-filesystem

--------------------------------------------------------------------------------
ChangeLog:

* Thu May 14 2020 Orion Poplawski <orion@nwra.com> - 0.102.3-1
- Update to 0.102.3 (bz#1834910)
- Security fixes CVE-2020-3341
* Sat May  2 2020 Orion Poplawski <orion@nwra.com> - 0.102.2-9
- Add upstream patch to fix "Attempt to allocate 0 bytes" errors while
  scanning certain PDFs
* Thu Apr 30 2020 Orion Poplawski <orion@nwra.com> - 0.102.2-8
- Enable prelude support (bz#1829726)
* Wed Apr 29 2020 Orion Poplawski <orion@nwra.com> - 0.102.2-7
- Move /etc/clamd.d/scan.conf to clamav-filesystem
- Add patch to build with EL7 libcurl - re-enable on-access scanning
  (bz#1820395)
- Add clamonacc.service
* Tue Apr 21 2020 Björn Esser <besser82@fedoraproject.org> - 0.102.2-6
- Rebuild (json-c)
* Wed Apr  8 2020 Orion Poplawski <orion@nwra.com> - 0.102.2-5
- Do not log freshclam output to syslog by default - creates double entries
  in the journal (bz#1822012)
- (#1820069) add try-restart clamav-freshclam.service on logrotate

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1837665 - CVE-2020-3327 clamav: heap-based buffer overflow via a crafted ARJ file
        https://bugzilla.redhat.com/show_bug.cgi?id=1837665
  [ 2 ] Bug #1837669 - CVE-2020-3341 clamav: stack-based buffer overflow via a crafted PDF file
        https://bugzilla.redhat.com/show_bug.cgi?id=1837669
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2020-b0acd7b66e' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
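
Added illustration, not part of the Fedora notice and not ClamAV code: the bug class named in the CVE-2020-3327 description (a bounds check on an unsigned value that wraps), shown beside a corrected check. The record layout, function names and constants are assumptions constructed for this example; the functions only compute the length that would be read and never touch memory past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout (assumption): 2-byte LE hdr_size, 6 fixed bytes, then a name. */
#define FIXED_LEN 8u

static uint32_t read_hdr_size(const uint8_t *buf) {
    return (uint32_t)buf[0] | ((uint32_t)buf[1] << 8); /* little-endian */
}

/* Weak check: returns 1 (accept) and the name length a caller would then read. */
int weak_name_len(const uint8_t *buf, size_t len, uint32_t *name_len) {
    if (len < 2) return 0;
    uint32_t hdr_size = read_hdr_size(buf);
    uint32_t n = hdr_size - FIXED_LEN;           /* wraps when hdr_size < FIXED_LEN */
    if (FIXED_LEN + n > (uint32_t)len) return 0; /* sum wraps back, so this passes */
    *name_len = n;
    return 1;
}

/* Hardened check: validate each quantity before subtracting. */
int safe_name_len(const uint8_t *buf, size_t len, uint32_t *name_len) {
    if (len < FIXED_LEN) return 0;      /* fixed fields must be present */
    uint32_t hdr_size = read_hdr_size(buf);
    if (hdr_size < FIXED_LEN) return 0; /* subtraction would underflow */
    if (hdr_size > len) return 0;       /* name would extend past the buffer */
    *name_len = hdr_size - FIXED_LEN;
    return 1;
}

int main(void) {
    /* Constructed inputs: 16-byte buffers, remaining bytes zero. */
    uint8_t bad[16] = {4, 0};   /* hdr_size = 4, smaller than the fixed part */
    uint8_t good[16] = {12, 0}; /* hdr_size = 12, so a 4-byte name */
    uint32_t n = 0;
    int ok = weak_name_len(bad, sizeof bad, &n);
    printf("weak, bad header:  accept=%d name_len=%u\n", ok, (unsigned)n);
    n = 0;
    ok = safe_name_len(bad, sizeof bad, &n);
    printf("safe, bad header:  accept=%d name_len=%u\n", ok, (unsigned)n);
    ok = safe_name_len(good, sizeof good, &n);
    printf("safe, good header: accept=%d name_len=%u\n", ok, (unsigned)n);
    return 0;
}
```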