
Contents of /24704.adv



Revision 8496
Sun May 12 07:36:59 2019 UTC (4 years, 11 months ago) by tmb
File size: 1893 byte(s)
add advisory for clamav-0.100.3-1.mga6
type: security
subject: Updated clamav packages fix security vulnerabilities
CVE:
 - CVE-2019-1787
 - CVE-2019-1788
 - CVE-2019-1789
src:
  6:
   core:
     - clamav-0.100.3-1.mga6
description: |
  The updated packages fix security vulnerabilities:

  A vulnerability in the Portable Document Format (PDF) scanning functionality
  of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior could allow
  an unauthenticated, remote attacker to cause a denial of service (DoS)
  condition on an affected device. The vulnerability is due to a lack of
  proper data handling mechanisms within the device buffer while indexing
  remaining file data on an affected device. An attacker could exploit this
  vulnerability by sending crafted PDF files to an affected device. A
  successful exploit could allow the attacker to cause a heap buffer
  out-of-bounds read condition, resulting in a crash that could result in a
  denial of service condition on an affected device. (CVE-2019-1787)

  A vulnerability in the Object Linking & Embedding (OLE2) file scanning
  functionality of Clam AntiVirus (ClamAV) Software versions 0.101.1 and prior
  could allow an unauthenticated, remote attacker to cause a denial of service
  condition on an affected device. The vulnerability is due to a lack of
  proper input and validation checking mechanisms for OLE2 files sent to an
  affected device. An attacker could exploit this vulnerability by sending
  malformed OLE2 files to the device running an affected version of ClamAV
  Software. An exploit could allow the attacker to cause an out-of-bounds
  write condition, resulting in a crash that could result in a denial of
  service condition on an affected device. (CVE-2019-1788)

  An out-of-bounds heap read condition when scanning PE files. (CVE-2019-1789)
references:
 - https://bugs.mageia.org/show_bug.cgi?id=24704
 - https://usn.ubuntu.com/3940-1/
