CVE-2021-1405

NameCVE-2021-1405
DescriptionA vulnerability in the email parsing module in Clam AntiVirus (ClamAV) Software version 0.103.1 and all prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper variable initialization that may result in an NULL pointer read. An attacker could exploit this vulnerability by sending a crafted email to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process crash, resulting in a denial of service condition.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2626-1
Debian Bugs986622, 986790

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
clamav (PTS)stretch0.102.3+dfsg-0~deb9u1vulnerable
stretch (security)0.102.4+dfsg-0+deb9u2fixed
buster0.102.4+dfsg-0+deb10u1vulnerable
bullseye0.103.0+dfsg-3.1vulnerable
sid0.103.2+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
clamavsourcestretch0.102.4+dfsg-0+deb9u2DLA-2626-1
clamavsource(unstable)0.103.2+dfsg-1986622, 986790

Notes

[buster] - clamav <no-dsa> (clamav is updated via -updates)
https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html

Search for package or bug name: Reporting problems