Bug #643682 “DoS due to PDF parsing issues” : Bugs : clamav package : Ubuntu

Scott Kitterman (kitterman) on 2010-09-20

visibility:	private → public
Changed in clamav (Ubuntu):
importance:	Undecided → Medium
status:	New → Triaged
milestone:	none → ubuntu-10.10

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-09-21:

#1

This bug was fixed in the package clamav - 0.96.3+dfsg-1ubuntu1

---------------
clamav (0.96.3+dfsg-1ubuntu1) maverick; urgency=low

    * Merge new upstream release from Debian Unstable. FFe (LP: #644707).
      Also fixes (LP: #643682). Remaining Ubuntu changes:
      - Drop initial signature definitions from clamav-base
      - Drop build-dep on electric-fence (in Universe)
      - Add apparmor profiles for clamd and freshclam along with maintainer
        script changes
    * Fix NotifyClamd configurate in debian/clamav-freshclam.postinst
      - Cherry pick from Debian pkg-clamav Git, Thanks to Stephen Gran

clamav (0.96.3+dfsg-1) unstable; urgency=high

[ Stephen Gran ]
* Fixed NotifyClamd config options handling.

  [ Alberto WU ]
  * New upstream release
    - urgency=high as this addresses CVE-2010-0405
    - Reset MaxFileSize to default value if set to 0 (closes: #585479)
    - New config option ExtendedDetectionInfo (clamd.conf)

  [ Michael Tautschnig ]
  * Set data segment limit in tests to 524288 to make kfreebsd-i386 systems
    happy (closes: #591245).
  * Bumped Standards-Version to 3.9.1, no changes needed.
  * Preserve order of database mirrors (closes: #592322).
  * Added Vcs-Git and Vcs-Browser control fields.
  * Debconf translation updates
    - Italian (closes: #597307)
  * We'll stay with 1.0 Debian source format for now, added proper
    debian/source/format
-- Scott Kitterman <email address hidden> Mon, 20 Sep 2010 15:41:38 -0400

Changed in clamav (Ubuntu Maverick):
status:	Triaged → Fix Released

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-10-22:

#2

Download full text (8.2 KiB)

This bug was fixed in the package clamav - 0.96.3+dfsg-2ubuntu1.0.10.04.1

---------------
clamav (0.96.3+dfsg-2ubuntu1.0.10.04.1) lucid-proposed; urgency=low

* Microversion update to 0.96.3 for Lucid (LP: #653738)

clamav (0.96.3+dfsg-2ubuntu1.1) maverick-proposed; urgency=low

* PDF clamdscan crash fix (LP: #658341) - Cherry pick from Clamav git commit
e142504b07d7f81435f6ac99ec1eedf6c08f2188, will be part of 0.96.4

clamav (0.96.3+dfsg-2ubuntu1) maverick; urgency=low

  * Merge from Debian Unstable. Remaining Ubuntu changes:
    - Drop initial signature definitions from clamav-base
    - Drop build-dep on electric-fence (in Universe)
    - Add apparmor profiles for clamd and freshclam along with maintainer
      script changes

clamav (0.96.3+dfsg-2) unstable; urgency=low

[ Stephen Gran ]
* Add NotifyClamd only if set to nonempty value.

  [ Michael Tautschnig ]
  * Cherry-pick from upstream: Only enable RLIMIT_DATA warning on *BSD
    (already included in Ubuntu's 1ubuntu3) (closes: #598083).
  * Do rmdir /etc/clamav, /var/log/clamav, /var/lib/clamav in all postrms as
    we cannot count on clamav-base's postrm to be the last one being called
    (thanks piuparts).
  * Remove trailing / in freshclam's DatabaseDirectory default value
    (closes: #598084).

clamav (0.96.3+dfsg-1ubuntu4) maverick; urgency=low

  * debian/usr.sbin.clamd: updated to give read access to
    @{PROC}/[0-9]*/status and @{PROC}/filesystems. The latter is covered by
    the base abstraction, but we add it here to ease backporting.
    - LP: #645956

clamav (0.96.3+dfsg-1ubuntu3) maverick; urgency=low

  * Change from upstream to fix clamd/clamd.c to only check RLIMIT_DATA on
    FreeBSD since the check is not relevant to Linux (See clamav bug #1941 for
    details)

clamav (0.96.3+dfsg-1ubuntu2) maverick; urgency=low

  * debian/usr.bin.freshclam: updated to give read access to
    @{PROC}/[0-9]*/status and @{PROC}/filesystems. The latter is covered by
    the base abstraction, but we add it here to ease backporting.
    - LP: #645061

clamav (0.96.3+dfsg-1ubuntu1) maverick; urgency=low

    * Merge new upstream release from Debian Unstable. FFe (LP: #644707).
      Also fixes (LP: #643682). Remaining Ubuntu changes:
      - Drop initial signature definitions from clamav-base
      - Drop build-dep on electric-fence (in Universe)
      - Add apparmor profiles for clamd and freshclam along with maintainer
        script changes
    * Fix NotifyClamd configurate in debian/clamav-freshclam.postinst
      - Cherry pick from Debian pkg-clamav Git, Thanks to Stephen Gran

clamav (0.96.3+dfsg-1) unstable; urgency=high

[ Stephen Gran ]
* Fixed NotifyClamd config options handling.

  [ Alberto WU ]
  * New upstream release
    - urgency=high as this addresses CVE-2010-0405
    - Reset MaxFileSize to default value if set to 0 (closes: #585479)
    - New config option ExtendedDetectionInfo (clamd.conf)

  [ Michael Tautschnig ]
  * Set data segment limit in tests to 524288 to make kfreebsd-i386 systems
    happy (closes: #591245).
  * Bumped Standards-Version to 3.9.1, no changes needed.
  * Preserve order of database mirrors (closes: #592322).
  * Added...

This bug was fixed in the package clamav - 0.96.3+dfsg-2ubuntu1.0.10.04.1

---------------
clamav (0.96.3+dfsg-2ubuntu1.0.10.04.1) lucid-proposed; urgency=low

* Microversion update to 0.96.3 for Lucid (LP: #653738)

clamav (0.96.3+dfsg-2ubuntu1.1) maverick-proposed; urgency=low

* PDF clamdscan crash fix (LP: #658341) - Cherry pick from Clamav git commit
    e142504b07d7f81435f6ac99ec1eedf6c08f2188, will be part of 0.96.4

clamav (0.96.3+dfsg-2ubuntu1) maverick; urgency=low

* Merge from Debian Unstable.  Remaining Ubuntu changes:
    - Drop initial signature definitions from clamav-base
    - Drop build-dep on electric-fence (in Universe)
    - Add apparmor profiles for clamd and freshclam along with maintainer
      script changes

clamav (0.96.3+dfsg-2) unstable; urgency=low

[ Stephen Gran ]
  * Add NotifyClamd only if set to nonempty value.

[ Michael Tautschnig ]
  * Cherry-pick from upstream: Only enable RLIMIT_DATA warning on *BSD
    (already included in Ubuntu's 1ubuntu3) (closes: #598083).
  * Do rmdir /etc/clamav, /var/log/clamav, /var/lib/clamav in all postrms as
    we cannot count on clamav-base's postrm to be the last one being called
    (thanks piuparts).
  * Remove trailing / in freshclam's DatabaseDirectory default value
    (closes: #598084).

clamav (0.96.3+dfsg-1ubuntu4) maverick; urgency=low

* debian/usr.sbin.clamd: updated to give read access to
    @{PROC}/[0-9]*/status and @{PROC}/filesystems. The latter is covered by
    the base abstraction, but we add it here to ease backporting.
    - LP: #645956

clamav (0.96.3+dfsg-1ubuntu3) maverick; urgency=low

* Change from upstream to fix clamd/clamd.c to only check RLIMIT_DATA on
    FreeBSD since the check is not relevant to Linux (See clamav bug #1941 for
    details)

clamav (0.96.3+dfsg-1ubuntu2) maverick; urgency=low

* debian/usr.bin.freshclam: updated to give read access to
    @{PROC}/[0-9]*/status and @{PROC}/filesystems. The latter is covered by
    the base abstraction, but we add it here to ease backporting.
    - LP: #645061

clamav (0.96.3+dfsg-1ubuntu1) maverick; urgency=low

* Merge new upstream release from Debian Unstable. FFe (LP: #644707).
      Also fixes (LP: #643682).  Remaining Ubuntu changes:
      - Drop initial signature definitions from clamav-base
      - Drop build-dep on electric-fence (in Universe)
      - Add apparmor profiles for clamd and freshclam along with maintainer
        script changes
    * Fix NotifyClamd configurate in debian/clamav-freshclam.postinst
      - Cherry pick from Debian pkg-clamav Git, Thanks to Stephen Gran

clamav (0.96.3+dfsg-1) unstable; urgency=high

[ Stephen Gran ]
  * Fixed NotifyClamd config options handling.

[ Alberto WU ]
  * New upstream release
    - urgency=high as this addresses CVE-2010-0405
    - Reset MaxFileSize to default value if set to 0 (closes: #585479)
    - New config option ExtendedDetectionInfo (clamd.conf)

[ Michael Tautschnig ]
  * Set data segment limit in tests to 524288 to make kfreebsd-i386 systems
    happy (closes: #591245).
  * Bumped Standards-Version to 3.9.1, no changes needed.
  * Preserve order of database mirrors (closes: #592322).
  * Added Vcs-Git and Vcs-Browser control fields.
  * Debconf translation updates
    - Italian (closes: #597307)
  * We'll stay with 1.0 Debian source format for now, added proper
    debian/source/format

clamav (0.96.1+dfsg-3ubuntu5.1) maverick; urgency=low

* SECURITY UPDATE: fix integer overflow in BZ2_decompress()
    - libclamav/nsis/bzlib.c: return error if N is larger than 2*1024^2 which
      keeps us from overflowing but leaves enough room for the 900k maximum
      value of the RUNA/RUNB encoding
    - patch based on upstream bzip2
    - LP: #625849
    - CVE-2010-0405

clamav (0.96.1+dfsg-3ubuntu5) maverick; urgency=low

* Revert bump in debhelper version requirement since we aren't using
    dh_apparmor

clamav (0.96.1+dfsg-3ubuntu4) maverick; urgency=low

* debian/rules, debian/clamav-daemon.post{inst.in,rm},
    debian/clamav-freshclam.post{inst.in,rm}: don't use dh_apparmor but
    instead put it would dh_apparmor would do, since dh_apparmor isn't
    available in backports. Thanks to Scott Kitterman for pointint this
    out.

clamav (0.96.1+dfsg-3ubuntu3) maverick; urgency=low

* debian/rules: move dh_apparmor before dh_installinit
  * debian/clamav-freshclam.postinst: move #DEBHELPER# to top, so it is
    added before starting freshclam

clamav (0.96.1+dfsg-3ubuntu2) maverick; urgency=low

* update to use dh_apparmor:
    - debian/rules, debian/clamav-daemon.post{inst.in,rm},
      debian/clamav-freshclam.post{inst.in,rm}: updated to use dh_apparmor
    - debian/control: Build-Depends on debhelper >= 7.4.20ubuntu5
  * debian/usr.sbin.clamd and debian/usr.bin.freshclam: updated to use local
    include

clamav (0.96.1+dfsg-3ubuntu1) maverick; urgency=low

* Merge from Debian Unstable.  Remaining Ubuntu changes:
    - Drop initial signature definitions from clamav-base
    - Drop build-dep on electric-fence (in Universe)
    - Add apparmor profiles for clamd and freshclam along with maintainer
      script changes
    - Detect incorrect value for clamav-freshclam/NotifyClamd and set it to
      true
    - Correct for differences between the Ubuntu and Debian orig.tar.gz in
      diff.gz (added win32 makefile targets, contrib/split-tarball.sh, and
      docs/man/clambc.1)

clamav (0.96.1+dfsg-3) unstable; urgency=low

[ Michael Tautschnig ]
  * Increase memory limit for tests (closes: #590271).

clamav (0.96.1+dfsg-2) unstable; urgency=low

[ Michael Tautschnig ]
  * Really ship clamav-milter.conf man page (closes: #585160)
  * Really fix PowerPC issue (closes: #587738, #579960)
  * Debconf translation updates
    - German (closes: #585482)
    - Russian (closes: #585691)
    - French (closes: #585894)
  * Copied BSD license text from concerned files into debian/copyright, as
    suggested by lintian.
  * Bumped Standards-Version to 3.9.0, no changes needed.

clamav (0.96.1+dfsg-1) unstable; urgency=medium

[ Stephen Gran ]
  * Only manipulate /etc/aliases on fresh install (closes: #580020)
  * Handle RejectMsg with special care when upgrading (closes: #581410)
  * 0 is a valid value for StreamMaxLength, handle it properly (closes: #581408)

[ Alberto WU ]
  * New upstream release
    - Includes PowerPC workaround (closes: #579960)
    - Ships clamav-milter.conf man page (closes: #565208)
    - Fixes CVE-2010-1639, CVE-2010-1640 (closes: #584183)

[ Scott Kitterman ]
  * Add support for new TestDatabases option in
    debian/clamav-freshclam.postinst.in (match upstream default of yes)
  * Add VirusAction option to debian/clamav-milter.postinst.in

[ Michael Tautschnig ]
  * Debconf translation updates
    - French (closes: #579827)
    - Swedish (closes: #580143)
    - Spanish (closes: #581735)

clamav (0.96.1+dfsg-0ubuntu2) maverick; urgency=low

* Enhance README.Debian discssion of apparmor profiles to include Freshclam
    based on the discussion in lp #585026

clamav (0.96.1+dfsg-0ubuntu1) maverick; urgency=low

* New upstream release
    - Remove non-free libclamunrar directory and repack +dfsg tarball
    - Remove win32/ for size reasons since the tarball is repacked already and
      adjust Makefile.in/am
    - Add support for new TestDatabases option in debian/clamav-
      freshclam.postinst.in (match upstream default of yes)
    - Add VirusAction option to debian/clamav-milter.postinst.in
    - Drop powerpc clamd fix, incorporated upstream
    - Drop diff in docs/man/clamd.conf.5.in, incorporated upstream
    - Drop addition of COPYING.llvm, incorporated upstream
  * Remaining differences from Debian:
    - Drop initial signature definitions from clamav-base
    - Drop build-dep on electric-fence (in Universe)
    - Add apparmor profiles for clamd and freshclam along with maintainer
      script changes
    - Detect incorrect value for clamav-freshclam/NotifyClamd and set it to true

clamav (0.96+dfsg-4) unstable; urgency=low

[ Stephen Gran ]
  * Fixed typo in clamav-milter's postinst

[ Michael Tautschnig ]
  * Fixed typo in clamav-freshclam's postinst (closes: #579271)
  * Debconf translation updates
    - Portuguese (closes: #579068)
 -- Scott Kitterman <scott@kitterman.com>   Mon, 11 Oct 2010 09:33:08 -0400

Changed in clamav (Ubuntu Lucid):
status:	New → Fix Released

Revision history for this message

Clint Byrum (clint-fewbar) wrote on 2011-02-12:

#3

Since Jaunty is EOL, closing Jaunty task as Won't Fix.

Changed in clamav (Ubuntu Jaunty):
status:	New → Won't Fix

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2011-05-26:

#4

These were all fixed in http://www.ubuntu.com/usn/usn-945-1/ and http://www.ubuntu.com/usn/usn-986-2/.

Changed in clamav (Ubuntu Jaunty):
status:	Won't Fix → Fix Released
Changed in clamav (Ubuntu Dapper):
status:	New → Fix Released
Changed in clamav (Ubuntu Hardy):
status:	New → Fix Released
Changed in clamav (Ubuntu Karmic):
status:	New → Fix Released

Ubuntu
clamav package

DoS due to PDF parsing issues

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to	Milestone
clamav (Ubuntu)	Fix Released	Medium	Unassigned	Ubuntu ubuntu-10.10
Dapper	Fix Released	Undecided	Unassigned
Hardy	Fix Released	Undecided	Unassigned
Jaunty	Fix Released	Undecided	Unassigned
Karmic	Fix Released	Undecided	Unassigned
Lucid	Fix Released	Undecided	Unassigned
Maverick	Fix Released	Medium	Unassigned	Ubuntu ubuntu-10.10

Ubuntuclamav package

DoS due to PDF parsing issues

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
clamav package