MGASA-2022-0187 - Updated clamav packages fix security vulnerability

Publication date: 15 May 2022
URL: https://advisories.mageia.org/MGASA-2022-0187.html
Type: security
Affected Mageia releases: 8
CVE: CVE-2022-20770,
     CVE-2022-20771,
     CVE-2022-20785,
     CVE-2022-20792,
     CVE-2022-20796

Infinite loop vulnerability in the CHM file parser. Issue affects versions
0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions.
(CVE-2022-20770)

Infinite loop vulnerability in the TIFF file parser. Issue affects versions
0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. The
issue only occurs if the "--alert-broken-media" ClamScan option is enabled.
For ClamD, the affected option is "AlertBrokenMedia yes", and for libclamav
it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option. (CVE-2022-20771)

Memory leak in the HTML file parser / Javascript normalizer. Issue affects
versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior
versions. (CVE-2022-20785)

Multi-byte heap buffer overflow write vulnerability in the signature
database load module. The fix was to update the vendored regex library to
the latest version. Issue affects versions 0.104.0 through 0.104.2 and LTS
version 0.103.5 and prior versions. (CVE-2022-20792)

NULL-pointer dereference crash in the scan verdict cache check. Issue
affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2. (CVE-2022-20796)

References:
- https://bugs.mageia.org/show_bug.cgi?id=30417
- https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html
- https://www.suse.com/support/update/announcement/2022/suse-su-20221647-1/
- https://lists.opensuse.org/archives/list/[email protected]/thread/OQIRF7L5ZKGSRUC6DDORCDJYKMVJMCEB/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20770
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20771
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20785
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20792
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20796

SRPMS:
- 8/core/clamav-0.103.6-1.mga8