Security update for clamav

SUSE Security Update: Security update for clamav
Announcement ID: SUSE-SU-2021:14592-1
Rating: moderate
References: #1118459 #1171981 #1174250 #1174255
Cross-References:CVE-2020-3123 CVE-2020-3327 CVE-2020-3341 CVE-2020-3350 CVE-2020-3481
Affected Products:
  • SUSE Linux Enterprise Server 11-SP4-LTSS
  • SUSE Linux Enterprise Point of Sale 11-SP3
  • SUSE Linux Enterprise Debuginfo 11-SP4
  • SUSE Linux Enterprise Debuginfo 11-SP3

An update that fixes 5 vulnerabilities, contains one feature is now available.

Description:

This update for clamav fixes the following issues:

  • Update to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459
  • This update incorporates incompatible changes that were introduced in version 0.101.0.
  • Accumulated security fixes: * CVE-2020-3350: Fix a vulnerability wherein a malicious user could replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (eg. a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan, and clamonacc. (bsc#1174255) * CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking results in an out-of-bounds read which could cause a crash. The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly resolves the issue. * CVE-2020-3481: Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) condition. Improper error handling may result in a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in versions affected by the vulnerability. (bsc#1174250) * CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash. (bsc#1171981) * CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature. Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE Linux Enterprise Server 11-SP4-LTSS:
    zypper in -t patch slessp4-clamav-14592=1
  • SUSE Linux Enterprise Point of Sale 11-SP3:
    zypper in -t patch sleposp3-clamav-14592=1
  • SUSE Linux Enterprise Debuginfo 11-SP4:
    zypper in -t patch dbgsp4-clamav-14592=1
  • SUSE Linux Enterprise Debuginfo 11-SP3:
    zypper in -t patch dbgsp3-clamav-14592=1

Package List:

  • SUSE Linux Enterprise Server 11-SP4-LTSS (i586 ppc64 s390x x86_64):
    • clamav-0.103.0-0.20.32.1
  • SUSE Linux Enterprise Point of Sale 11-SP3 (i586):
    • clamav-0.103.0-0.20.32.1
  • SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ppc64 s390x x86_64):
    • clamav-debuginfo-0.103.0-0.20.32.1
    • clamav-debugsource-0.103.0-0.20.32.1
  • SUSE Linux Enterprise Debuginfo 11-SP3 (i586 s390x x86_64):
    • clamav-debuginfo-0.103.0-0.20.32.1
    • clamav-debugsource-0.103.0-0.20.32.1

References: