
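--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -58,6 +58,62 @@
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="f7a02651-c798-11ea-81d6-6805cabe6ebb">
+    <topic>clamav -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>clamav</name>
+	<range><lt>0.102.4,1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Micah Snyder reports:</p>
+	<blockquote cite="https://blog.clamav.net/2020/07/clamav-01024-security-patch-released.html">
+	  <dl>
+	    <dt>CVE-2020-3350</dt>
+	    <dd>
+	      Fixed a vulnerability a malicious user could exploit to replace
+	      a scan target's directory with a symlink to another path to trick
+	      clamscan, clamdscan, or clamonacc into removing or moving a different
+	      file (such as a critical system file). The issue would affect users
+	      that use the --move or --remove options for clamscan, clamdscan and
+	      clamonacc.
+	    </dd>
+	    <dt>CVE-2020-3327</dt>
+	    <dd>
+	      Fixed a vulnerability in the ARJ archive-parsing module in ClamAV
+	      0.102.3 that could cause a denial-of-service (DoS) condition.
+	      Improper bounds checking resulted in an out-of-bounds read that could
+	      cause a crash. The previous fix for this CVE in version 0.102.3 was
+	      incomplete. This fix correctly resolves the issue.
+	    </dd>
+	    <dt>CVE-2020-3481</dt>
+	    <dd>
+	      Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0
+	      - 0.102.3 that could cause a denial-of-service (DoS) condition.
+	      Improper error handling could cause a crash due to a NULL pointer
+	      dereference. This vulnerability is mitigated for those using the
+	      official ClamAV signature databases because the file type signatures
+	      in daily.cvd will not enable the EGG archive parser in affected
+	      versions.
+	    </dd>
+	  </dl>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://blog.clamav.net/2020/07/clamav-01024-security-patch-released.html</url>
+      <cvename>CVE-2020-3350</cvename>
+      <cvename>CVE-2020-3327</cvename>
+      <cvename>CVE-2020-3481</cvename>
+    </references>
+    <dates>
+      <discovery>2020-07-16</discovery>
+      <entry>2020-07-16</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="870d59b0-c6c4-11ea-8015-e09467587c17">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>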
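Review bot: The new clamav entry's `<affects>` block names a single package, `clamav`, although the file's own header comment (context line 58) reminds authors not to forget port variants. It is worth confirming that no other port or flavor ships the affected scanner code, and adding one `<package>` element per variant if any does. The bound `<lt>0.102.4,1</lt>` is only correct if the port's PORTEPOCH is 1, which this page does not show. With a different epoch the range would mis-flag installed packages, so check it against the port Makefile. `<discovery>` is set to the same day as `<entry>`; if the upstream advisory or CVE assignment predates 2020-07-16, the earlier date belongs there.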
