
Mageia alert MGASA-2022-0187 (clamav)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2022-0187: Updated clamav packages fix security vulnerability
Date:  Sun, 15 May 2022 12:07:46 +0200
Message-ID:  <20220515100746.9F9D49FFF9@duvel.mageia.org>
Archive-link:  Article

MGASA-2022-0187 - Updated clamav packages fix security vulnerability

Publication date: 15 May 2022
URL: https://advisories.mageia.org/MGASA-2022-0187.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-20770, CVE-2022-20771, CVE-2022-20785, CVE-2022-20792, CVE-2022-20796

Description:
Infinite loop vulnerability in the CHM file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. (CVE-2022-20770)

Infinite loop vulnerability in the TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. The issue only occurs if the "--alert-broken-media" ClamScan option is enabled. For ClamD, the affected option is "AlertBrokenMedia yes", and for libclamav it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option. (CVE-2022-20771)

Memory leak in the HTML file parser / Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. (CVE-2022-20785)

Multi-byte heap buffer overflow write vulnerability in the signature database load module. The fix was to update the vendored regex library to the latest version. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. (CVE-2022-20792)

NULL-pointer dereference crash in the scan verdict cache check. Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2. (CVE-2022-20796)

References:
- https://bugs.mageia.org/show_bug.cgi?id=30417
- https://blog.clamav.net/2022/05/clamav-01050-01043-01036-...
- https://www.suse.com/support/update/announcement/2022/sus...
- https://lists.opensuse.org/archives/list/security-announc...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2...

SRPMS:
- 8/core/clamav-0.103.6-1.mga8
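An exposure check built from the version ranges and the ClamD option named in the advisory above. This is an added example, not part of the Mageia announcement or the ClamAV project; the function names, the reading of "0.103.5 and prior versions" as any release up to 0.103.5, the accepted boolean spellings, and the sample inputs are assumptions. It covers the ClamD setting only, not the ClamScan flag or the libclamav scan option.

```python
import re

# Affected ranges exactly as listed in the advisory text.
BROAD = ("CVE-2022-20770", "CVE-2022-20771", "CVE-2022-20785", "CVE-2022-20792")
CACHE_CVE = "CVE-2022-20796"
CACHE_VERSIONS = {(0, 103, 4), (0, 103, 5), (0, 104, 1), (0, 104, 2)}

def parse_version(text):
    """Extract (major, minor, patch) from a version banner or a bare version."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def alert_broken_media(conf_text):
    """True if any uncommented clamd.conf line enables AlertBrokenMedia.
    Conservative: one enabling line is enough, whatever follows it."""
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "AlertBrokenMedia":
            if fields[1].lower() in ("yes", "true", "1"):  # assumed spellings
                return True
    return False

def exposed_cves(version_text, conf_text):
    """CVEs from MGASA-2022-0187 that apply to this version and ClamD config."""
    v = parse_version(version_text)
    in_broad = v <= (0, 103, 5) or (0, 104, 0) <= v <= (0, 104, 2)
    hits = []
    for cve in BROAD if in_broad else ():
        # The TIFF parser loop is reachable only with broken-media alerts on.
        if cve == "CVE-2022-20771" and not alert_broken_media(conf_text):
            continue
        hits.append(cve)
    if v in CACHE_VERSIONS:
        hits.append(CACHE_CVE)
    return hits

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    banner = "ClamAV 0.103.5/26541/Sat May 14 10:00:00 2022"
    conf = "LogSyslog yes\n# AlertBrokenMedia no\nAlertBrokenMedia yes\n"
    print(exposed_cves(banner, conf))
```
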

