Fedora 30 : clamav (2019-5c2dc50262)

2019-08-26T00:00:00
ID FEDORA_2019-5C2DC50262.NASL
Type nessus
Reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-01-02T00:00:00

Description

ClamAV 0.101.4 is a security patch release that addresses the following issues.

  • An out of bounds write was possible within ClamAV's NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900). The issue has been resolved by respecting that limit.

    Thanks to Martin Simmons for reporting the issue here.

  • The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb mitigation was immediately identified. To remediate the zip-bomb scan time issue, a scan time limit has been introduced in 0.101.4. This limit now resolves ClamAV's vulnerability to CVE-2019-12625.

    The default scan time limit is 2 minutes (120000 milliseconds).

    To customize the time limit :

  • use the clamscan --max-scantime option

  • use the clamd MaxScanTime config option

    Libclamav users may customize the time limit using the cl_engine_set_num function. For example :

    C cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds)

    Thanks to David Fifield for reviewing the zip-bomb mitigation in 0.101.3 and reporting the issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2019-5c2dc50262.
#

include("compat.inc");

if (description)
{
  script_id(128132);
  script_version("1.3");
  script_cvs_date("Date: 2020/01/02");

  script_cve_id("CVE-2019-12625", "CVE-2019-12900");
  script_xref(name:"FEDORA", value:"2019-5c2dc50262");

  script_name(english:"Fedora 30 : clamav (2019-5c2dc50262)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"ClamAV 0.101.4 is a security patch release that addresses the
following issues.

  - An out of bounds write was possible within ClamAV's NSIS
    bzip2 library when attempting decompression in cases
    where the number of selectors exceeded the max limit set
    by the library (CVE-2019-12900). The issue has been
    resolved by respecting that limit.

    Thanks to Martin Simmons for reporting the issue here.

  - The zip bomb vulnerability mitigated in 0.101.3 has been
    assigned the CVE identifier CVE-2019-12625.
    Unfortunately, a workaround for the zip-bomb mitigation
    was immediately identified. To remediate the zip-bomb
    scan time issue, a scan time limit has been introduced
    in 0.101.4. This limit now resolves ClamAV's
    vulnerability to CVE-2019-12625.

    The default scan time limit is 2 minutes (120000
    milliseconds).

    To customize the time limit :

  - use the clamscan --max-scantime option

  - use the clamd MaxScanTime config option

    Libclamav users may customize the time limit using the
    cl_engine_set_num function. For example :

    C cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME,
    time_limit_milliseconds)

    Thanks to David Fifield for reviewing the zip-bomb
    mitigation in 0.101.3 and reporting the issue.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-5c2dc50262"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Update the affected clamav package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:clamav");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/06/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/08/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/26");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


flag = 0;
if (rpm_check(release:"FC30", reference:"clamav-0.101.4-1.fc30")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "clamav");
}