-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2020-dd0c20d985 2020-07-28 15:00:49.911952 --------------------------------------------------------------------------------
Name : clamav Product : Fedora 31 Version : 0.102.4 Release : 1.fc31 URL : https://www.clamav.net/ Summary : End-user tools for the Clam Antivirus scanner Description : Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers (attachment scanning). The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs are based on a shared library distributed with the Clam AntiVirus package, which you can use with your own software. The virus database is based on the virus database from OpenAntiVirus, but contains additional signatures (including signatures for popular polymorphic viruses, too) and is KEPT UP TO DATE.
-------------------------------------------------------------------------------- Update Information:
ClamAV 0.102.4 is a bug patch release to address the following issues: CVE-2020-3350 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3350 Fixed a vulnerability a malicious user could exploit to replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (such as a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan and clamonacc. For more information about AV quarantine attacks using links, see RACK911 Lab's report https://www.rack911labs.com/research/exploiting-almost-every-antivirus- software. CVE-2020-3327 https://cve.mitre.org/cgi- bin/cvename.cgi?name=CVE-2020-3327 Fixed a vulnerability in the ARJ archive- parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS) condition. Improper bounds checking resulted in an out-of-bounds read that could cause a crash. The previous fix for this CVE in version 0.102.3 was incomplete. This fix correctly resolves the issue. CVE-2020-3481 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3481 Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could cause a denial-of-service (DoS) condition. Improper error handling could cause a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in affected versions. -------------------------------------------------------------------------------- ChangeLog:
* Fri Jul 17 2020 Orion Poplawski orion@nwra.com - 0.102.4-1 - Update to 0.102.4 (bz#1857867,1858262,1858263,1858265,1858266) - Security fixes CVE-2020-3327 CVE-2020-3350 CVE-2020-3481 * Thu May 28 2020 Orion Poplawski orion@nwra.com - 0.102.3-2 - Update clamd README file (bz#1798369) -------------------------------------------------------------------------------- References:
[ 1 ] Bug #1858261 - CVE-2020-3350 clamav: malicious user exploit to replace scan target's directory with symlink https://bugzilla.redhat.com/show_bug.cgi?id=1858261 [ 2 ] Bug #1858264 - CVE-2020-3481 clamav: improper error handling causing crash due to NULL pointer dereference https://bugzilla.redhat.com/show_bug.cgi?id=1858264 --------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2020-dd0c20d985' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------