CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.

Bug #2007456 reported by Keath Nupuf
Affects            Status        Importance  Assigned to               Milestone
clamav (Ubuntu)    Fix Released  Undecided   David Fernandez Gonzalez  -
  Bionic           Fix Released  Undecided   David Fernandez Gonzalez  -
  Focal            Fix Released  Undecided   David Fernandez Gonzalez  -
  Jammy            Fix Released  Undecided   David Fernandez Gonzalez  -
  Kinetic          Fix Released  Undecided   David Fernandez Gonzalez  -
  Lunar            Fix Released  Undecided   David Fernandez Gonzalez  -

Bug Description

CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.

https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html

--

Read this online at https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
-----------------

Today, we are releasing the following critical patch versions for ClamAV:

    0.103.8
    0.105.2
    1.0.1

ClamAV 0.104 has reached end-of-life according to the ClamAV End of Life (EOL) policy and will not be patched. Anyone using ClamAV 0.104 must switch to a supported version. All users should update as soon as possible to patch for two remote code execution vulnerabilities that we recently discovered and patched.

The release files are available for download on ClamAV.net, on the Github Release page, and through Docker Hub.
1.0.1

ClamAV 1.0.1 is a critical patch release with the following fixes:

    CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

    CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

    Fix an allmatch detection issue with the preclass bytecode hook.

        GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/825

    Update the vendored libmspack library to version 0.11alpha.

        GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/828

0.105.2

ClamAV 0.105.2 is a critical patch release with the following fixes:

    CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

    CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

    Fixed an issue loading Yara rules containing regex strings with an escaped forward-slash (\/) followed by a colon (:).

        GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/695

    Moved the ClamAV Docker files for building containers to a new Git repository. The Docker files are now in https://github.com/Cisco-Talos/clamav-docker. This change enables us to fix issues with the images and with the supporting scripts used to publish and update the images without committing changes directly to files in the ClamAV release branches.

        GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/765

    Update the vendored libmspack library to version 0.11alpha.

        GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/829

0.103.8

ClamAV 0.103.8 is a critical patch release with the following fixes:

    CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

    CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

    Update the vendored libmspack library to version 0.11alpha.

        GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/830

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

_______________________________________________

clamav-announce mailing list
https://lists.clamav.net/mailman/listinfo/clamav-announce

http://www.clamav.net/contact.html#ml
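A small checker for the version ranges quoted in the advisory above, added here as an example (it is not ClamAV project code): it parses either a `clamscan --version` banner or an Ubuntu package version string and compares the upstream version against the patched release on each supported branch, flagging the end-of-life 0.104 branch separately. Treating releases newer than 1.0.1 as carrying the fix is an assumption of this example, not something the advisory states.

```python
import re

# Patched release on each supported branch, from the ClamAV 0.103.8 / 0.105.2 / 1.0.1 advisory.
FIXED_BY_BRANCH = {(0, 103): (0, 103, 8), (0, 105): (0, 105, 2), (1, 0): (1, 0, 1)}
# 0.104 is end-of-life per the advisory and will not receive a patch.
EOL_BRANCHES = {(0, 104)}

BANNER_RE = re.compile(r"ClamAV (\d+)\.(\d+)\.(\d+)")
DPKG_RE = re.compile(r"^(?:\d+:)?(\d+)\.(\d+)\.(\d+)")


def parse_clamav_version(banner):
    """Upstream (major, minor, patch) from a `clamscan --version` banner,
    e.g. 'ClamAV 0.103.8/26820/Thu Feb 23 08:19:34 2023' (constructed sample)."""
    m = BANNER_RE.search(banner)
    if m is None:
        raise ValueError(f"unrecognised ClamAV banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def parse_dpkg_version(pkg_version):
    """Upstream triple from a Debian/Ubuntu package version such as
    '0.103.8+dfsg-0ubuntu0.22.04.1' (USN-5887-1); epoch and revision are ignored."""
    m = DPKG_RE.match(pkg_version)
    if m is None:
        raise ValueError(f"unrecognised package version: {pkg_version!r}")
    return tuple(int(x) for x in m.groups())


def cve_2023_20032_status(version):
    """Classify a version triple as 'patched', 'vulnerable' or 'eol-vulnerable'."""
    branch = version[:2]
    if branch in EOL_BRANCHES:
        return "eol-vulnerable"
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None:
        return "patched" if version >= fixed else "vulnerable"
    # Branches the advisory does not list: everything up to 1.0.0 is affected;
    # anything newer than 1.0.1 is assumed (not stated by the advisory) to carry the fix.
    return "patched" if version > (1, 0, 1) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners for a quick local check.
    for sample in ("ClamAV 0.103.7/26818/Wed Feb 15 08:19:40 2023",
                   "ClamAV 0.104.4/26818/Wed Feb 15 08:19:40 2023",
                   "ClamAV 1.0.1/26820/Thu Feb 23 08:19:34 2023"):
        v = parse_clamav_version(sample)
        print(".".join(map(str, v)), cve_2023_20032_status(v))
    print(cve_2023_20032_status(parse_dpkg_version("0.103.8+dfsg-0ubuntu0.22.04.1")))
```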

Changed in clamav (Ubuntu):
assignee: nobody → David Fernandez Gonzalez (litios)
information type: Private Security → Public Security
Changed in clamav (Ubuntu Bionic):
status: New → In Progress
Changed in clamav (Ubuntu Focal):
status: New → In Progress
Changed in clamav (Ubuntu Jammy):
status: New → In Progress
Changed in clamav (Ubuntu Kinetic):
status: New → In Progress
Changed in clamav (Ubuntu Lunar):
status: New → In Progress
Changed in clamav (Ubuntu Kinetic):
assignee: nobody → David Fernandez Gonzalez (litios)
Changed in clamav (Ubuntu Jammy):
assignee: nobody → David Fernandez Gonzalez (litios)
Changed in clamav (Ubuntu Focal):
assignee: nobody → David Fernandez Gonzalez (litios)
Changed in clamav (Ubuntu Bionic):
assignee: nobody → David Fernandez Gonzalez (litios)
David W (dmwhite823) wrote :

Is there anything that I, and/or others, can do to help resolve this CVE? As it's a critical (9.8 CVE) RCE, I'm quite concerned about running ClamAV right now with any exposure to the internet, and have begun looking into compiling a drop-in replacement of ClamAV for this existing package.

If there's anything I can do to help test or compile the upstream code with different options, please let me know. I'm happy to help, as I want to see this resolved as quickly as possible.

Jan Kellermann (jan-kellermann) wrote :

We did a temporary in-place replacement with the 1.0.1 LTS clamav:
https://blog.werk21.de/en/2023/02/20/update-place-replacement-clamav-ubuntu

We have package dependencies and were not able to purge the original packages, so we decided to override the bins and libs temporarily. Maybe you want to switch to the LTS deb from https://www.clamav.net/downloads

Marc Deslauriers (mdeslaur) wrote (last edit ):

We are currently working on updates, and they should be released within the next few days.

David Fernandez Gonzalez (litios) wrote :

Updated 0.103.8 versions have been pushed to the security-proposed PPA (https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages?field.name_filter=clamav&field.status_filter=published&field.series_filter=)

Feel free to test them and communicate any possible issues.

Thanks for the help!

JonH (jh-ml) wrote :

https://ubuntu.com/security/CVE-2023-20032 lists this CVE as a medium priority.
The Google security-research team rates it as high severity and has a POC zip file that will crash ClamAV in default configuration when it scans it.
https://github.com/google/security-research/security/advisories/GHSA-r6g3-3wqj-m3c8
So can the priority be raised and updates for older versions of Ubuntu as well be released quickly?

Keath Nupuf (keathmon) wrote :

I'm sorry... but why is this critical bug taking so long?
It's in the wild and affects a large population... (since the 16th)

This is the type of thing that kills distros (i.e. Gentoo)

Eduardo Barretto (ebarretto) wrote :

Hi Keath,

It takes time because it is a newer version update. As you can see in comment #4, it is currently available for testing on the security-proposed PPA. If you could test it and give us feedback that it is working properly, that would be much appreciated. Also, we are currently having issues with clamav and lunar, but we hope to have it done by next week and everything published.
Please bear with us in the meantime.

David Fernandez Gonzalez (litios) wrote (last edit ):

Updated versions have been published:

Ubuntu 22.10
 * clamav - 0.103.8+dfsg-0ubuntu0.22.10.1
Ubuntu 22.04
 * clamav - 0.103.8+dfsg-0ubuntu0.22.04.1
Ubuntu 20.04
 * clamav - 0.103.8+dfsg-0ubuntu0.20.04.1
Ubuntu 18.04
 * clamav - 0.103.8+dfsg-0ubuntu0.18.04.1

More information in: https://ubuntu.com/security/notices/USN-5887-1

Changed in clamav (Ubuntu Bionic):
status: In Progress → Fix Released
Changed in clamav (Ubuntu Focal):
status: In Progress → Fix Released
Changed in clamav (Ubuntu Jammy):
status: In Progress → Fix Released
Changed in clamav (Ubuntu Kinetic):
status: In Progress → Fix Released
Changed in clamav (Ubuntu Lunar):
status: In Progress → Fix Released