
Re: Bug#934359: clamav: ZIP bomb causes extreme CPU spikes



On 2019-08-10 09:39:22 [+0200], Hugo Lefeuvre wrote:
> Source: clamav
> Version: 0.101.2+dfsg-3
> Severity: important
> Tags: security upstream
> Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=12356
> 
> Hi,
> 
> clamav is affected by a DoS vulnerability caused by crafted, extremely
> compressed ZIP files.
> 
> Even though this issue is marked as fixed in unstable, the current patch is
> incomplete (see upstream bug report). Upstream is actively working on a
> more advanced patch.

I am aware of the situation. I uploaded to unstable what upstream
released as 0.101.3 (the latest one) and prepared an update for stable.
_After_ that, the bugtracker got updated claiming that the fix is not
perfect and another zip bomb was added to the bugtracker.

> regards,
> Hugo

Sebastian

