-----------------------------------------------------------------------
Debian Stable Updates Announcement SUA 134-1 https://www.debian.org
debian-release@lists.debian.org Scott Kitterman
January 29th, 2018 Sebastian A. Siewior
-----------------------------------------------------------------------
Package : clamav
Version : 0.99.2+dfsg-6+deb9u1 [stretch]
0.99.2+dfsg-0+deb8u3 [jessie]
Importance : medium
Multiple vulnerabilities have been discovered in clamav, the ClamAV
AntiVirus toolkit for Unix. Effects range from denial of service to
potential arbitrary code execution. Additionally, on jessie, this
version fixes a longstanding issue that has recently resurfaced
whereby a malformed virus signature database can cause an application
crash and denial of service.
CVE-2017-12374
ClamAV has a use-after-free condition arising from a lack of input
validation. A remote attacker could exploit this vulnerability with
a crafted email message to cause a denial of service.
CVE-2017-12375
ClamAV has a buffer overflow vulnerability arising from a lack of
input validation. An unauthenticated remote attacker could send a
crafted email message to the affected device, triggering a buffer
overflow and potentially a denial of service when the malicious
message is scanned.
CVE-2017-12376
ClamAV has a buffer overflow vulnerability arising from improper
input validation when handling Portable Document Format (PDF) files.
An unauthenticated remote attacker could send a crafted PDF file to
the affected device, triggering a buffer overflow and potentially a
denial of service or arbitrary code execution when the malicious
file is scanned.
CVE-2017-12377
ClamAV has a heap overflow vulnerability arising from improper input
validation when handling mew packets. An attacker could exploit this
by sending a crafted message to the affected device, triggering a
denial of service or possible arbitrary code execution when the
malicious file is scanned.
CVE-2017-12378
ClamAV has a buffer overread vulnerability arising from improper
input validation when handling tape archive (TAR) files. An
unauthenticated remote attacker could send a crafted TAR file to
the affected device, triggering a buffer overread and potentially a
denial of service when the malicious file is scanned.
CVE-2017-12379
ClamAV has a buffer overflow vulnerability arising from improper
input validation in the message parsing function. An unauthenticated
remote attacker could send a crafted email message to the affected
device, triggering a buffer overflow and potentially a denial of
service or arbitrary code execution when the malicious message is
scanned.
CVE-2017-12380
ClamAV has a NULL dereference vulnerability arising from improper
input validation in the message parsing function. An unauthenticated
remote attacker could send a crafted email message to the affected
device, triggering a NULL pointer dereference, which may result in a
denial of service.
Upgrade Instructions
--------------------
You can get the updated packages by adding the stable-updates archive
for your distribution to your /etc/apt/sources.list:
deb http://ftp.debian.org/debian stretch-updates main
deb-src http://ftp.debian.org/debian stretch-updates main
or
deb http://ftp.debian.org/debian jessie-updates main
deb-src http://ftp.debian.org/debian jessie-updates main
You can also use any of the Debian archive mirrors. See
https://www.debian.org/mirrors/list for the full list of mirrors.
For further information about stable-updates, please refer to
https://lists.debian.org/debian-devel-announce/2011/03/msg00010.html
If you encounter any issues, please don't hesitate to get in touch with
the Debian Release Team at debian-release@lists.debian.orgAttachment:
signature.asc
Description: This is a digitally signed message part