Debian Long Term Support / LTS Security Information / 2019 / Security Information -- DLA-1759-1 clamav

Debian Security Advisory

DLA-1759-1 clamav -- LTS security update

Date Reported:

22 Apr 2019

Affected Packages:

clamav

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2019-1787, CVE-2019-1788, CVE-2019-1789.

More information:

Out-of-bounds read and write conditions have been fixed in clamav.

• CVE-2019-1787

  An out-of-bounds heap read condition may occur when scanning PDF documents. The defect is a failure to correctly keep track of the number of bytes remaining in a buffer when indexing file data.

• CVE-2019-1788

  An out-of-bounds heap write condition may occur when scanning OLE2 files such as Microsoft Office 97-2003 documents. The invalid write happens when an invalid pointer is mistakenly used to initialize a 32bit integer to zero. This is likely to crash the application.

• CVE-2019-1789

  An out-of-bounds heap read condition may occur when scanning PE files (i.e. Windows EXE and DLL files) that have been packed using Aspack as a result of inadequate bound-checking.

For Debian 8 Jessie, these problems have been fixed in version 0.100.3+dfsg-0+deb8u1.

We recommend that you upgrade your clamav packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS