FreeBSD: VID-F7A02651-C798-11EA-81D6-6805CABE6EBB (CVE-2020-3481): clamav -- multiple vulnerabilities

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-F7A02651-C798-11EA-81D6-6805CABE6EBB:

Micah Snyder reports:

CVE-2020-3350

Fixed a vulnerability a malicious user could exploit to replace

a scan target's directory with a symlink to another path to trick

clamscan, clamdscan, or clamonacc into removing or moving a different

file (such as a critical system file). The issue would affect users

that use the --move or --remove options for clamscan, clamdscan and

clamonacc.

CVE-2020-3327

Fixed a vulnerability in the ARJ archive-parsing module in ClamAV

0.102.3 that could cause a denial-of-service (DoS) condition.

Improper bounds checking resulted in an out-of-bounds read that could

cause a crash. The previous fix for this CVE in version 0.102.3 was

incomplete. This fix correctly resolves the issue.

CVE-2020-3481

Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0

- 0.102.3 that could cause a denial-of-service (DoS) condition.

Improper error handling could cause a crash due to a NULL pointer

dereference. This vulnerability is mitigated for those using the

official ClamAV signature databases because the file type signatures

in daily.cvd will not enable the EGG archive parser in affected

versions.