FEDORA-2020-b0acd7b66e created by orion 2 years ago
for Fedora 31
ClamAV 0.102.3 is a bug patch release to address the following issues.
CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash.
Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.
CVE-2020-3341: Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS) condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read which may cause a crash. Bug found by OSS-Fuzz.
Fix "Attempt to allocate 0 bytes" error when parsing some PDF documents.
Fix a couple of minor memory leaks.
Add upstream patch to fix "Attempt to allocate 0 bytes" errors while scanning certain PDFs
Do not log freshclam output to syslog by default - creates double entries in the journal (bz#1822012)
(#1820069) add try-restart clamav-freshclam.service on logrotate
This update has been submitted for testing by orion.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'ignored'.
This update has obsoleted clamav-0.102.2-9.fc31, and has inherited its bugs and notes.
This update has been pushed to testing.
Thanks!
orion edited this update.
This update can be pushed to stable now if the maintainer wishes.
This update has been submitted for stable by bodhi.
This update has been pushed to stable.