Your message dated Sun, 25 Aug 2019 13:49:56 +0000
with message-id <[email protected]>
and subject line Bug#934359: fixed in clamav 0.101.4+dfsg-1
has caused the Debian Bug report #934359,
regarding clamav: ZIP bomb causes extreme CPU spikes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
934359: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=934359
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: clamav
Version: 0.101.2+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=12356

Hi,

clamav is affected by a DoS vulnerability caused by crafted, extremely
compressed ZIP files.

Even though this issue is marked as fixed in unstable, the current patch is
incomplete (see upstream bug report). Upstream is actively working on a
more advanced patch.

regards,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C

--- End Message ---
--- Begin Message ---
Source: clamav
Source-Version: 0.101.4+dfsg-1

We believe that the bug you reported is fixed in the latest version of
clamav, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Andrzej Siewior <[email protected]> (supplier of updated clamav package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 25 Aug 2019 12:38:25 +0200
Source: clamav
Architecture: source
Version: 0.101.4+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team <[email protected]>
Changed-By: Sebastian Andrzej Siewior <[email protected]>
Closes: 934359
Changes:
 clamav (0.101.4+dfsg-1) unstable; urgency=medium
 .
   * Import 0.101.4
    - CVE-2019-12625 (Add scan time limit to limit the processing zip-bombs)
      (Closes:934359)
    - CVE-2019-12900 (An out of bounds write was possible within ClamAV's
      NSIS bzip)
    - update symbols file (bump to 101.4 and drop unused cli_strnstr).


--- End Message ---
_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-clamav-devel