Описание
Security update for clamav
This update for clamav fixes the following issues:
- CVE-2022-20770: Fixed a possible infinite loop vulnerability in the CHM file parser (bsc#1199242).
- CVE-2022-20796: Fixed a possible NULL-pointer dereference crash in the scan verdict cache check (bsc#1199246).
- CVE-2022-20771: Fixed a possible infinite loop vulnerability in the TIFF file parser (bsc#1199244).
- CVE-2022-20785: Fixed a possible memory leak in the HTML file parser / Javascript normalizer (bsc#1199245).
- CVE-2022-20792: Fixed a possible multi-byte heap buffer overflow write vulnerability in the signature database load module (bsc#1199274).
Список пакетов
Image SLES15-SP1-SAP-Azure-LI-BYOS-Production
Image SLES15-SP1-SAP-Azure-VLI-BYOS-Production
Image SLES15-SP2-SAP-Azure-LI-BYOS-Production
Image SLES15-SP2-SAP-Azure-VLI-BYOS-Production
SUSE Linux Enterprise Module for Basesystem 15 SP3
SUSE Linux Enterprise Module for Basesystem 15 SP4
openSUSE Leap 15.3
openSUSE Leap 15.4
Ссылки
- Link for SUSE-SU-2022:1644-1
- E-Mail link for SUSE-SU-2022:1644-1
- SUSE Security Ratings
- SUSE Bug 1199242
- SUSE Bug 1199244
- SUSE Bug 1199245
- SUSE Bug 1199246
- SUSE Bug 1199274
- SUSE CVE CVE-2022-20770 page
- SUSE CVE CVE-2022-20771 page
- SUSE CVE CVE-2022-20785 page
- SUSE CVE CVE-2022-20792 page
- SUSE CVE CVE-2022-20796 page
Описание
On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in CHM file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.
Затронутые продукты
Ссылки
- CVE-2022-20770
- SUSE Bug 1199242
Описание
On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the TIFF file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.
Затронутые продукты
Ссылки
- CVE-2022-20771
- SUSE Bug 1199244
Описание
On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in HTML file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.
Затронутые продукты
Ссылки
- CVE-2022-20785
- SUSE Bug 1199245
Описание
A vulnerability in the regex module used by the signature database load module of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an authenticated, local attacker to crash ClamAV at database load time, and possibly gain code execution. The vulnerability is due to improper bounds checking that may result in a multi-byte heap buffer overwflow write. An attacker could exploit this vulnerability by placing a crafted CDB ClamAV signature database file in the ClamAV database directory. An exploit could allow the attacker to run code as the clamav user.
Затронутые продукты
Ссылки
- CVE-2022-20792
- SUSE Bug 1199274
Описание
On May 4, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in Clam AntiVirus (ClamAV) versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2 could allow an authenticated, local attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog.
Затронутые продукты
Ссылки
- CVE-2022-20796
- SUSE Bug 1199246