Date: Thu, 19 May 2022 18:33:23 GMT From: Florian Smeets <flo@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: af9915b7952a - main - security/vuxml: Document ClamAV vulnerabilities Message-ID: <202205191833.24JIXNb4097757@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by flo: URL: https://cgit.FreeBSD.org/ports/commit/?id=af9915b7952a5072ceebd7c1038d3c026f543b13 commit af9915b7952a5072ceebd7c1038d3c026f543b13 Author: Florian Smeets <flo@FreeBSD.org> AuthorDate: 2022-05-19 18:26:30 +0000 Commit: Florian Smeets <flo@FreeBSD.org> CommitDate: 2022-05-19 18:28:37 +0000 security/vuxml: Document ClamAV vulnerabilities --- security/vuxml/vuln-2022.xml | 58 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml index 9ca328997ba8..da11801bd86b 100644 --- a/security/vuxml/vuln-2022.xml +++ b/security/vuxml/vuln-2022.xml @@ -1,3 +1,61 @@ + <vuln vid="b2407db1-d79f-11ec-a15f-589cfc0f81b0"> + <topic>clamav -- Multiple vulnerabilities</topic> + <affects> + <package> + <name>clamav</name> + <range><lt>0.104.3</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>The ClamAV project reports:</p> + <blockquote cite="https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html">; + <p>Fixed a possible double-free vulnerability in the OLE2 file + parser. Issue affects versions 0.104.0 through 0.104.2. Issue + identified by OSS-Fuzz.</p> + <p>Fixed a possible infinite loop vulnerability in the CHM file + parser. Issue affects versions 0.104.0 through 0.104.2 and LTS + version 0.103.5 and prior versions. Thank you to Michał Dardas + for reporting this issue.</p> + <p>Fixed a possible NULL-pointer dereference crash in the scan + verdict cache check. Issue affects versions 0.103.4, 0.103.5, + 0.104.1, and 0.104.2. Thank you to Alexander Patrakov and + Antoine Gatineau for reporting this issue.</p> + <p>Fixed a possible infinite loop vulnerability in the TIFF file + parser. Issue affects versions 0.104.0 through 0.104.2 and LTS + version 0.103.5 and prior versions. The issue only occurs if the + "--alert-broken-media" ClamScan option is enabled. For ClamD, + the affected option is "AlertBrokenMedia yes", and for libclamav + it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option. Thank + you to Michał Dardas for reporting this issue.</p> + <p>Fixed a possible memory leak in the HTML file parser / + Javascript normalizer. Issue affects versions 0.104.0 through + 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to + Michał Dardas for reporting this issue.</p> + <p>Fixed a possible multi-byte heap buffer overflow write + vulnerability in the signature database load module. The fix was + to update the vendored regex library to the latest version. + Issue affects versions 0.104.0 through 0.104.2 and LTS version + 0.103.5 and prior versions. Thank you to Michał Dardas for + reporting this issue.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2022-20803</cvename> + <cvename>CVE-2022-20770</cvename> + <cvename>CVE-2022-20796</cvename> + <cvename>CVE-2022-20771</cvename> + <cvename>CVE-2022-20785</cvename> + <cvename>CVE-2022-20792</cvename> + <url>https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html#more</url>; + </references> + <dates> + <discovery>2022-05-04</discovery> + <entry>2022-05-19</entry> + </dates> + </vuln> + <vuln vid="a1360138-d446-11ec-8ea1-10c37b4ac2ea"> <topic>go -- syscall.Faccessat checks wrong group on Linux</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202205191833.24JIXNb4097757>