Mageia alert MGASA-2015-0190 (clamav)

From:
    	     
 
Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	     
 
updates-announce@ml.mageia.org 
Subject:
    	     
 
[updates-announce] MGASA-2015-0190: Updated clamav packages fix security vulnerabilities 
Date:
    	     
 
Tue, 5 May 2015 15:37:18 +0200
Message-ID:
    	     
 
<20150505133718.610BA41BDF@valstar.mageia.org>
MGASA-2015-0190 - Updated clamav packages fix security vulnerabilities

Publication date: 05 May 2015
URL: http://advisories.mageia.org/MGASA-2015-0190.html
Type: security
Affected Mageia releases: 4
CVE: CVE-2015-2221,
     CVE-2015-2222,
     CVE-2015-2668,
     CVE-2015-2305,
     CVE-2015-2170

Description:
This updates fixes the following security issues:

Fix infinite loop condition on crafted y0da cryptor file. Identified and
patch suggested by Sebastian Andrzej Siewior. CVE-2015-2221

Fix crash on crafted petite packed file. Reported and patch supplied by
Sebastian Andrzej Siewior. CVE-2015-2222.

Fix an infinite loop condition on a crafted "xz" archive file. This was
reported by Dimitri Kirchner and Goulven Guiheux.CVE-2015-2668

Apply upstream patch for possible heap overflow in Henry Spencer's regex
library. CVE-2015-2305

Fix crash in upx decoder with crafted file. Discovered and patch supplied
by Sebastian Andrzej Siewior. CVE-2015-2170

References:
- https://bugs.mageia.org/show_bug.cgi?id=15792
- http://openwall.com/lists/oss-security/2015/05/03/1
- http://openwall.com/lists/oss-security/2015/05/03/2
- http://openwall.com/lists/oss-security/2015/05/03/3
- http://openwall.com/lists/oss-security/2015/05/03/4
- http://openwall.com/lists/oss-security/2015/05/03/5
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2221
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2222
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2668
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2305
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2170

SRPMS:
- 4/core/clamav-0.98.7-1.mga4