[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Clam AntiVirus Base64 MIME Attachments Denial of Service

This one time, at band camp, Tomasz Kojm said:
> On Tue, 12 Dec 2006 13:37:30 +0100
> Secunia Research <vuln@secunia.com> wrote:
> > Hi,
> > 
> > we are about to issue an advisory for Clam AntiVirus based on the
> > following Debian Security Advisory:
> > 
> > http://www.us.debian.org/security/2006/dsa-1232
> > 
> > Is this issue already fixed in a recent ClamAV release? If so, which
> > release or which CVS commit?
> Hello,
> the issue was fixed in ClamAV 0.87.1 released on November 3, 2005 (two
> thousand five). We can't understand why Debian published the advisory right
> now.

The short version is that it is probably my fault.

When each new version of clamav is released, I go through the changelog,
looking for things that could potentially affect the security of the
version we are stuck with in stable.  At the time this was fixed and
released, I must have just entirely missed it as a potential denial of
service issue.

It was then recently brought to my attention by one of our users that
a certain email was causing segfaults.  It was only then that I noticed
that this issue had already been addressed a year ago.  I contacted the
security team and told them this was fixed long ago upstream, but they
decided for procedural reasons that it would be better to go ahead and
get a CVE for the issue anyway.

Sorry about the fuss,
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |

Attachment: signature.asc
Description: Digital signature

Reply to: