FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

clamav -- multiple vulnerabilities

Affected packages
clamav < 0.102.3,1

Details

VuXML ID: 91ce95d5-cd15-4105-b942-af5ccc7144c1
Discovery: 2020-05-12
Entry: 2020-05-14

Micah Snyder reports:

CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.

CVE-2020-3341: Fixed a vulnerability in the PDF-parsing module in ClamAV 0.101 - 0.102.2 that could cause a denial-of-service condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read, which may cause a crash. OSS-Fuzz discovered this vulnerability.

References

CVE Name: CVE-2020-3327
CVE Name: CVE-2020-3341
URL: https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html