CVE-2020-37167

NameCVE-2020-37167
DescriptionClamAV versions prior to 0.103.0-rc contain a vulnerability in function name processing through the ClamBC bytecode interpreter that allows attackers to manipulate bytecode function names. Attackers can exploit the weak input validation in function name encoding to potentially execute malicious bytecode or cause unexpected behavior in the ClamAV engine.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
clamav (PTS)bullseye0.103.10+dfsg-0+deb11u1undetermined
bullseye (security)1.4.3+dfsg-1~deb11u1undetermined
bookworm1.4.3+dfsg-1~deb12u2undetermined
trixie1.4.3+dfsg-1undetermined
sid, forky1.4.3+dfsg-2undetermined

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
clamavsource(unstable)undetermined

Notes

https://www.exploit-db.com/exploits/47687
check upstream status
Search for package or bug name: Reporting problems