On Thursday, November 27, 2014 10:32:29 AM Evgeni Golov wrote:
> On Thu, Nov 27, 2014 at 09:38:08AM +0100, Evgeni Golov wrote:
> > On Tue, Nov 25, 2014 at 04:30:43PM -0500, Scott Kitterman wrote:
> > > On Tuesday, November 25, 2014 10:18:21 PM Sebastian Andrzej Siewior wrote:
> > > > On Tue, Nov 25, 2014 at 07:07:30PM +0100, Ralf Hildebrandt wrote:
> > > > > Version: 0.98.1+dfsg-1+deb6u3
> > > > >
> > > > > A heap buffer overflow was reported in [1] in ClamAV when scanning a
> > > > > specially crafted y0da Crypter obfuscated PE file.
> > > > > Note that this is remotely exploitable when ClamAV is used as a mail
> > > > > gateway scanner.
> > > >
> > > > We are aware of the situation; a stable upload is already waiting.
> > > > Please note that there won't be an update for Squeeze unless the LTS
> > > > team does so.
> > >
> > > I did add clamav to the list of packages needing an update for the LTS
> > > (and libclamunrar too), so the LTS team is aware of it.
> >
> > Thanks, working on the clamav one now for LTS.
> >
> > Upstream's patch applies just fine on the version in Squeeze, so I guess
> > it would be better to apply it, instead of pulling in the new upstream?
>
> Sadly, the patch does not solve the issue itself. clamscan -a still
> segfaults for me after the patch.
>
> I'll try to figure out what else is needed.
For clamav it's more trouble than it's worth to try and tease out specific changes, since you need the new capabilities just to stay even with the bad guys anyway.

If you want to update clamav for the LTS, use the changes the Ubuntu Security team did for Ubuntu 12.04, as it's similar to Squeeze in the relevant areas. (Note: the source for clamav is generally in sync between Ubuntu and Debian, so the changes between Stable/Jessie/Testing and the Ubuntu 12.04 update are primarily the ones you'd likely want for Squeeze, but I didn't specifically test this.)

https://launchpad.net/ubuntu/+archive/primary/+files/clamav_0.98.5%2Baddedllvm-0ubuntu0.12.04.1.dsc

Scott K