Bug#935708: stretch-pu: package clamav/0.101.4+dfsg-0+deb9u1
Control: tags -1 + confirmed
On Sun, 2019-08-25 at 15:27 +0200, Sebastian Andrzej Siewior wrote:
> Clamav upstream released 0.101.4 which is a "security patch release"
> only. It is described [0] as:
>
> > - The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE
> > identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb
> > mitigation was immediately identified. To remediate the zip-bomb scan time
> > issue, a scan time limit has been introduced in 0.101.4. This limit now
> > resolves ClamAV's vulnerability to CVE-2019-12625.
> >
> > - An out of bounds write was possible within ClamAV's NSIS bzip2 library when
> > attempting decompression in cases where the number of selectors exceeded the
> > max limit set by the library (CVE-2019-12900). The issue has been resolved by
> > respecting that limit.
Please go ahead.
Regards,
Adam