SUSE-SU-2021:14592-1: moderate: Security update for clamav

sle-security-updates at lists.suse.com sle-security-updates at lists.suse.com
Tue Jan 5 13:22:30 MST 2021


   SUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID:    SUSE-SU-2021:14592-1
Rating:             moderate
References:         #1118459 #1171981 #1174250 #1174255 ECO-3010 
                    
Cross-References:   CVE-2020-3123 CVE-2020-3327 CVE-2020-3341
                    CVE-2020-3350 CVE-2020-3481
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4-LTSS
                    SUSE Linux Enterprise Point of Sale 11-SP3
                    SUSE Linux Enterprise Debuginfo 11-SP4
                    SUSE Linux Enterprise Debuginfo 11-SP3
______________________________________________________________________________

   An update that fixes 5 vulnerabilities, contains one
   feature is now available.

Description:

   This update for clamav fixes the following issues:

   - Update to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459
   - This update incorporates incompatible changes that were introduced in
     version 0.101.0.
   - Accumulated security fixes:
     * CVE-2020-3350: Fix a vulnerability wherein a malicious user could
       replace a scan target's directory with a symlink to another path to
       trick clamscan, clamdscan, or clamonacc into removing or moving a
       different file (eg. a critical system file). The issue would affect
       users that use the --move or --remove options for clamscan, clamdscan,
       and clamonacc. (bsc#1174255)
     * CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module
       in ClamAV 0.102.3 that could cause a Denial-of-Service (DoS)
       condition. Improper bounds checking results in an
       out-of-bounds read which could cause a crash. The previous fix for
        this CVE in 0.102.3 was incomplete. This fix correctly resolves the
        issue.
     * CVE-2020-3481: Fix a vulnerability in the EGG archive module in ClamAV
       0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) condition.
       Improper error handling may result in a crash due to a NULL pointer
       dereference. This vulnerability is mitigated for those using the
       official ClamAV signature databases because the file type signatures
       in daily.cvd will not enable the EGG archive parser in versions
       affected by the vulnerability. (bsc#1174250)
     * CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV
       0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition.
       Improper size checking of a buffer used to initialize AES decryption
       routines results in an out-of-bounds read which may cause a crash.
       (bsc#1171981)
     * CVE-2020-3123: A denial-of-service (DoS) condition may occur when
       using the optional credit card data-loss-prevention (DLP) feature.
       Improper bounds checking of an unsigned variable resulted in an
       out-of-bounds read, which causes a crash.


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4-LTSS:

      zypper in -t patch slessp4-clamav-14592=1

   - SUSE Linux Enterprise Point of Sale 11-SP3:

      zypper in -t patch sleposp3-clamav-14592=1

   - SUSE Linux Enterprise Debuginfo 11-SP4:

      zypper in -t patch dbgsp4-clamav-14592=1

   - SUSE Linux Enterprise Debuginfo 11-SP3:

      zypper in -t patch dbgsp3-clamav-14592=1



Package List:

   - SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):

      clamav-0.103.0-0.20.32.1

   - SUSE Linux Enterprise Point of Sale 11-SP3 (i586):

      clamav-0.103.0-0.20.32.1

   - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):

      clamav-debuginfo-0.103.0-0.20.32.1
      clamav-debugsource-0.103.0-0.20.32.1

   - SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):

      clamav-debuginfo-0.103.0-0.20.32.1
      clamav-debugsource-0.103.0-0.20.32.1


References:

   https://www.suse.com/security/cve/CVE-2020-3123.html
   https://www.suse.com/security/cve/CVE-2020-3327.html
   https://www.suse.com/security/cve/CVE-2020-3341.html
   https://www.suse.com/security/cve/CVE-2020-3350.html
   https://www.suse.com/security/cve/CVE-2020-3481.html
   https://bugzilla.suse.com/1118459
   https://bugzilla.suse.com/1171981
   https://bugzilla.suse.com/1174250
   https://bugzilla.suse.com/1174255



More information about the sle-security-updates mailing list