CVE-2018-1000085

Publication date 27 February 2018

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

5.5 · Medium

Score breakdown

ClamAV version version 0.99.3 contains a Out of bounds heap memory read vulnerability in XAR parser, function xar_hash_check() that can result in Leaking of memory, may help in developing exploit chains.. This attack appear to be exploitable via The victim must scan a crafted XAR file. This vulnerability appears to have been fixed in after commit d96a6b8bcc7439fa7e3876207aa0a8e79c8451b6.

Read the notes from the security team

Status

Package Ubuntu Release Status
clamav 17.10 artful
Fixed 0.99.4+addedllvm-0ubuntu0.17.10.1
16.04 LTS xenial
Fixed 0.99.4+addedllvm-0ubuntu0.16.04.1
14.04 LTS trusty
Fixed 0.99.4+addedllvm-0ubuntu0.14.04.1

Notes


mdeslaur

not included in final 0.99.3 release

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
clamav

Severity score breakdown

Parameter Value
Base score 5.5 · Medium
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

Related Ubuntu Security Notices (USN)

Other references