Bug#935708: stretch-pu: package clamav/0.101.4+dfsg-0+deb9u1

To: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>, 935708@bugs.debian.org
Subject: Bug#935708: stretch-pu: package clamav/0.101.4+dfsg-0+deb9u1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sun, 25 Aug 2019 15:00:55 +0100
Message-id: <[🔎] 9dfb53db19917c321ba46c4fe9ef313265fb575f.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 935708@bugs.debian.org
In-reply-to: <[🔎] 20190825132754.vutgric6apjdusrr@flow>
References: <[🔎] 20190825132754.vutgric6apjdusrr@flow> <[🔎] 20190825132754.vutgric6apjdusrr@flow>

Control: tags -1 + confirmed

On Sun, 2019-08-25 at 15:27 +0200, Sebastian Andrzej Siewior wrote:
> Clamav upstream released 0.101.4 which is a "security patch release"
> only. It is described [0] as:
> 
> > - The zip bomb vulnerability mitigated in 0.101.3 has been assigned
> > the CVE
> >  identifier CVE-2019-12625. Unfortunately, a workaround for the
> > zip-bomb
> >  mitigation was immediately identified. To remediate the zip-bomb
> > scan time
> >  issue, a scan time limit has been introduced in 0.101.4. This
> > limit now
> >  resolves ClamAV's vulnerability to CVE-2019-12625.
> > 
> > - An out of bounds write was possible within ClamAV's NSIS bzip2
> > library when
> >  attempting decompression in cases where the number of selectors
> > exceeded the
> >  max limit set by the library (CVE-2019-12900). The issue has been
> > resolved by
> >  respecting that limit.

Please go ahead.

Regards,

Adam

Reply to:

References:
- Bug#935708: stretch-pu: package clamav/0.101.4+dfsg-0+deb9u1
  - From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Prev by Date: Bug#935707: buster-pu: package clamav/0.101.4+dfsg-0+deb10u1
Next by Date: Processed: Re: Bug#935707: buster-pu: package clamav/0.101.4+dfsg-0+deb10u1
Previous by thread: Bug#935708: stretch-pu: package clamav/0.101.4+dfsg-0+deb9u1
Next by thread: Processed: Re: Bug#935708: stretch-pu: package clamav/0.101.4+dfsg-0+deb9u1
Index(es):
- Date
- Thread