SUSE-SU-2021:14592-1

Source
https://www.suse.com/support/update/announcement/2021/suse-su-202114592-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2021:14592-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2021:14592-1
Related
Published
2021-01-05T16:32:30Z
Modified
2021-01-05T16:32:30Z
Summary
Security update for clamav
Details

This update for clamav fixes the following issues:

  • Update to 0.103.0 to implement jsc#ECO-3010 and bsc#1118459
  • This update incorporates incompatible changes that were introduced in version 0.101.0.
  • Accumulated security fixes:
    • CVE-2020-3350: Fix a vulnerability wherein a malicious user could replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (eg. a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan, and clamonacc. (bsc#1174255)
    • CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking results in an out-of-bounds read which could cause a crash. The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly resolves the issue.
    • CVE-2020-3481: Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) condition. Improper error handling may result in a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in versions affected by the vulnerability. (bsc#1174250)
    • CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash. (bsc#1171981)
    • CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature. Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.
References

Affected packages

SUSE:Linux Enterprise Point of Sale 11 SP3 / clamav

Package

Name
clamav
Purl
pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.103.0-0.20.32.1

Ecosystem specific

{
    "binaries": [
        {
            "clamav": "0.103.0-0.20.32.1"
        }
    ]
}

SUSE:Linux Enterprise Server 11 SP4-LTSS / clamav

Package

Name
clamav
Purl
pkg:rpm/suse/clamav&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.103.0-0.20.32.1

Ecosystem specific

{
    "binaries": [
        {
            "clamav": "0.103.0-0.20.32.1"
        }
    ]
}