openSUSE Security Update: Security update for clamav
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2015:0906-1
Rating:             moderate
References:         #929192
Cross-References:   CVE-2015-2170 CVE-2015-2221 CVE-2015-2222
                    CVE-2015-2305 CVE-2015-2668
Affected Products:
                    openSUSE 13.2
                    openSUSE 13.1
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

The ClamAV antivirus engine was updated to version 0.98.7 to fix several
security and non-security issues.

The following vulnerabilities were fixed (bsc#929192):

* CVE-2015-2170: Fix crash in upx decoder with crafted file. Discovered
  and patch supplied by Sebastian Andrzej Siewior.
* CVE-2015-2221: Fix infinite loop condition on crafted y0da cryptor
  file. Identified and patch suggested by Sebastian Andrzej Siewior.
* CVE-2015-2222: Fix crash on crafted petite packed file. Reported and
  patch supplied by Sebastian Andrzej Siewior.
* CVE-2015-2668: Fix an infinite loop condition on a crafted "xz"
  archive file. This was reported by Dimitri Kirchner and Goulven
  Guiheux.
* CVE-2015-2305: Apply upstream patch for possible heap overflow in
  Henry Spencer's regex library.

The following bugfixes were applied (bsc#929192):

* Fix false negatives on files within iso9660 containers. This issue
  was reported by Minzhuan Gong.
* Fix a couple of crashes on crafted upack packed file. Identified and
  patches supplied by Sebastian Andrzej Siewior.
* Fix a crash during algorithmic detection on crafted PE file.
  Identified and patch supplied by Sebastian Andrzej Siewior.
* Fix compilation error after ./configure --disable-pthreads. Reported
  and fix suggested by John E. Krokes.
* Fix segfault scanning certain HTML files. Reported with sample by Kai
  Risku.
* Improve detections within xar/pkg files.
* Improvements to PDF processing: decryption, escape sequence handling,
  and file property collection.
* Scanning/analysis of additional Microsoft Office 2003 XML format.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

    zypper in -t patch openSUSE-2015-366=1

- openSUSE 13.1:

    zypper in -t patch openSUSE-2015-366=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.2 (i586 x86_64):

    clamav-0.98.7-2.16.1
    clamav-debuginfo-0.98.7-2.16.1
    clamav-debugsource-0.98.7-2.16.1

- openSUSE 13.1 (i586 x86_64):

    clamav-0.98.7-33.1
    clamav-debuginfo-0.98.7-33.1
    clamav-debugsource-0.98.7-33.1

References:

https://www.suse.com/security/cve/CVE-2015-2170.html
https://www.suse.com/security/cve/CVE-2015-2221.html
https://www.suse.com/security/cve/CVE-2015-2222.html
https://www.suse.com/security/cve/CVE-2015-2305.html
https://www.suse.com/security/cve/CVE-2015-2668.html
https://bugzilla.suse.com/929192