CVE-2021-1405

NameCVE-2021-1405
DescriptionA vulnerability in the email parsing module in Clam AntiVirus (ClamAV) Software version 0.103.1 and all prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to improper variable initialization that may result in an NULL pointer read. An attacker could exploit this vulnerability by sending a crafted email to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process crash, resulting in a denial of service condition.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2626-1, ELA-404-1
Debian Bugs986622, 986790

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
clamav (PTS)jessie, jessie (lts)0.103.9+dfsg-0+deb8u1fixed
stretch (security)0.103.6+dfsg-0+deb9u1fixed
stretch (lts), stretch0.103.9+dfsg-0+deb9u1fixed
buster (security), buster, buster (lts)0.103.9+dfsg-0+deb10u1fixed
bullseye0.103.10+dfsg-0+deb11u1fixed
bookworm1.0.7+dfsg-1~deb12u1fixed
sid, trixie1.4.1+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
clamavsourcejessie0.102.4+dfsg-0+deb8u2ELA-404-1
clamavsourcestretch0.102.4+dfsg-0+deb9u2DLA-2626-1
clamavsourcebuster0.103.2+dfsg-0+deb10u1
clamavsource(unstable)0.103.2+dfsg-1986622, 986790

Notes

https://blog.clamav.net/2021/04/clamav-01032-security-patch-release.html
Search for package or bug name: Reporting problems