Re: Bug#934359: clamav: ZIP bomb causes extreme CPU spikes
On 2019-08-10 09:39:22 [+0200], Hugo Lefeuvre wrote:
> Source: clamav
> Version: 0.101.2+dfsg-3
> Severity: important
> Tags: security upstream
> Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=12356
>
> Hi,
>
> clamav is affected by a DoS vulnerability caused by crafted, extremely
> compressed ZIP files.
>
> Even though this issue is marked as fixed in unstable, the current patch is
> incomplete (see upstream bug report). Upstream is actively working on a
> more advanced patch.
I am aware of the situation. I uploaded to unstable what upstream
released as 0.101.3 (the latest one) and prepared an update for stable.
_After_ that, the bugtracker got updated claiming that the fix is not
perfect and another zip bomb was added to the bugtracker.
> regards,
> Hugo
Sebastian