FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-28 15:43:32 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
2a6106c6-73e5-11ec-8fa2-0800270512f4clamav -- invalid pointer read that may cause a crash

Laurent Delosieres reports:

Fix for invalid pointer read that may cause a crash. This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) is enabled.


Discovery 2022-01-12
Entry 2022-01-12
clamav
< 0.104.2,1

clamav-lts
< 0.103.5,1

CVE-2022-20698
https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html
6ade62d9-0f62-11ea-9673-4c72b94353b5clamav -- Denial-of-Service (DoS) vulnerability

Micah Snyder reports:

A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation.


Discovery 2019-09-06
Entry 2019-11-25
clamav
< 0.102.1,1

https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html
CVE-2019-15961
f7a02651-c798-11ea-81d6-6805cabe6ebbclamav -- multiple vulnerabilities

Micah Snyder reports:

CVE-2020-3350
Fixed a vulnerability a malicious user could exploit to replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (such as a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan and clamonacc.
CVE-2020-3327
Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS) condition. Improper bounds checking resulted in an out-of-bounds read that could cause a crash. The previous fix for this CVE in version 0.102.3 was incomplete. This fix correctly resolves the issue.
CVE-2020-3481
Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could cause a denial-of-service (DoS) condition. Improper error handling could cause a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in affected versions.

Discovery 2020-07-16
Entry 2020-07-16
clamav
< 0.102.4,1

https://blog.clamav.net/2020/07/clamav-01024-security-patch-released.html
CVE-2020-3350
CVE-2020-3327
CVE-2020-3481
8b812395-c739-11e8-ab5b-9c5c8e75236aclamav -- multiple vulnerabilities

Joel Esler reports:

  • CVE-2018-15378:
    • Vulnerability in ClamAV's MEW unpacking feature that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
    • Reported by Secunia Research at Flexera.
  • Fix for a 2-byte buffer over-read bug in ClamAV&s PDF parsing code.
    • Reported by Alex Gaynor.
  • CVE-2018-14680:
    • An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames.
  • CVE-2018-14681:
    • An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite.
  • CVE-2018-14682:
    • An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression. Additionally, 0.100.2 reverted 0.100.1's patch for CVE-2018-14679, and applied libmspack's version of the fix in its place.

Discovery 2018-10-03
Entry 2018-10-03
Modified 2020-06-24
clamav
< 0.100.2

https://blog.clamav.net/2018/10/clamav-01002-has-been-released.html
CVE-2018-15378
CVE-2018-14680
CVE-2018-14681
CVE-2018-14682
91ce95d5-cd15-4105-b942-af5ccc7144c1clamav -- multiple vulnerabilities

Micah Snyder reports:

CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.

CVE-2020-3341: Fixed a vulnerability in the PDF-parsing module in ClamAV 0.101 - 0.102.2 that could cause a denial-of-service condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read, which may cause a crash. OSS-Fuzz discovered this vulnerability.


Discovery 2020-05-12
Entry 2020-05-14
clamav
< 0.102.3,1

https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html
CVE-2020-3327
CVE-2020-3341
84ce26c3-5769-11e9-abd6-001b217b3468clamav -- multiple vulnerabilities

Clamav reports:

An out-of-bounds heap read condition may occur when scanning PDF documents

An out-of-bounds heap read condition may occur when scanning PE files

An out-of-bounds heap write condition may occur when scanning OLE2 files

An out-of-bounds heap read condition may occur when scanning malformed PDF documents

A path-traversal write condition may occur as a result of improper input validation when scanning RAR archives

A use-after-free condition may occur as a result of improper error handling when scanning nested RAR archives


Discovery 2019-03-29
Entry 2019-04-05
clamav
< 0.101.2,1

https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
CVE-2019-1787
CVE-2019-1789
CVE-2019-1788
CVE-2019-1786
CVE-2019-1785
CVE-2019-1798
b2407db1-d79f-11ec-a15f-589cfc0f81b0clamav -- Multiple vulnerabilities

The ClamAV project reports:

Fixed a possible double-free vulnerability in the OLE2 file parser. Issue affects versions 0.104.0 through 0.104.2. Issue identified by OSS-Fuzz.

Fixed a possible infinite loop vulnerability in the CHM file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

Fixed a possible NULL-pointer dereference crash in the scan verdict cache check. Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2. Thank you to Alexander Patrakov and Antoine Gatineau for reporting this issue.

Fixed a possible infinite loop vulnerability in the TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. The issue only occurs if the "--alert-broken-media" ClamScan option is enabled. For ClamD, the affected option is "AlertBrokenMedia yes", and for libclamav it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option. Thank you to Michał Dardas for reporting this issue.

Fixed a possible memory leak in the HTML file parser / Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

Fixed a possible multi-byte heap buffer overflow write vulnerability in the signature database load module. The fix was to update the vendored regex library to the latest version. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.


Discovery 2022-05-04
Entry 2022-05-19
clamav
< 0.104.3,1

clamav-lts
< 0.103.6,1

CVE-2022-20803
CVE-2022-20770
CVE-2022-20796
CVE-2022-20771
CVE-2022-20785
CVE-2022-20792
https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html#more
e7bc2b99-485a-11ea-bff9-9c5c8e75236aclamav -- Denial-of-Service (DoS) vulnerability

Micah Snyder reports:

A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature. Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.


Discovery 2020-02-05
Entry 2020-02-05
clamav
< 0.102.2,1

https://blog.clamav.net/2020/02/clamav-01022-security-patch-released.html
CVE-2020-3123
d1e9d8c5-839b-11e8-9610-9c5c8e75236aclamav -- multiple vulnerabilities

Joel Esler reports:

3 security fixes in this release:

  • CVE-2017-16932: Vulnerability in libxml2 dependency (affects ClamAV on Windows only).
  • CVE-2018-0360: HWP integer overflow, infinite loop vulnerability. Reported by Secunia Research at Flexera.
  • CVE-2018-0361: ClamAV PDF object length check, unreasonably long time to parse relatively small file. Report ed by aCaB.

Discovery 2018-07-09
Entry 2018-07-09
clamav
< 0.100.1

https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html
CVE-2017-16932
CVE-2018-0360
CVE-2018-0361
9ae2c00f-97d0-11eb-8cd6-080027f515eaclamav -- Multiple vulnerabilites

Micah Snyder reports:

CVE-2021-1252
Excel XLM parser infinite loop
CVE-2021-1404
PDF parser buffer over-read; possible crash.
CVE-2021-1405
Mail parser NULL-dereference crash.

Discovery 2021-04-07
Entry 2021-04-07
clamav
< 0.103.2,1

CVE-2021-1252
CVE-2021-1404
CVE-2021-1405
https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
dbd1f627-c43b-11e9-a923-9c5c8e75236aclamav -- multiple vulnerabilities

Micah Snyder reports:

  • An out of bounds write was possible within ClamAV&s NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900). The issue has been resolved by respecting that limit.
  • The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb mitigation was immediately identified. To remediate the zip-bomb scan time issue, a scan time limit has been introduced in 0.101.4. This limit now resolves ClamAV's vulnerability to CVE-2019-12625.

Discovery 2019-08-21
Entry 2019-08-21
clamav
< 0.101.4,1

clamav-milter
< 0.101.4,1

CVE-2019-12625
https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
CVE-2019-12900
b464f61b-84c7-4e1c-8ad4-6cf9efffd025clamav -- multiple vulnerabilities

ClamAV project reports:

Join us as we welcome ClamAV 0.99.3 to the family!.

This release is a security release and is recommended for all ClamAV users.

CVE-2017-12374 ClamAV UAF (use-after-free) Vulnerabilities

CVE-2017-12375 ClamAV Buffer Overflow Vulnerability

CVE-2017-12376 ClamAV Buffer Overflow in handle_pdfname Vulnerability

CVE-2017-12377 ClamAV Mew Packet Heap Overflow Vulnerability

CVE-2017-12378 ClamAV Buffer Over Read Vulnerability

CVE-2017-12379 ClamAV Buffer Overflow in messageAddArgument Vulnerability

CVE-2017-12380 ClamAV Null Dereference Vulnerability


Discovery 2018-01-25
Entry 2018-01-26
clamav
< 0.99.3

http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html
CVE-2017-12374
CVE-2017-12375
CVE-2017-12376
CVE-2017-12377
CVE-2017-12378
CVE-2017-12379
CVE-2017-12380