Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 691546 - <app-antivirus/clamav-0.101.4: multiple vulnerabilities
Summary: <app-antivirus/clamav-0.101.4: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://blog.clamav.net/2019/08/clama...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-06 07:28 UTC by Hanno Böck
Modified: 2020-03-19 20:50 UTC (History)
2 users (show)

See Also:
Package list:
app-antivirus/clamav-0.101.4
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2019-08-06 07:28:45 UTC
Clamav 0.101.3 fixes a denial of service vulnerability:
https://blog.clamav.net/2019/08/clamav-01013-security-patch-release-and.html

Recently someone has created some ZIP files that use overlapping file segments to create enormous compression ratios:
https://www.bamsoftware.com/hacks/zipbomb/

Passing these files to clamscan or clamdscan will cause enormous CPU usage.

While this is "only" DoS it can practically take a server down that is scanning incoming mails with clamav.

Please update.
Comment 1 Hanno Böck gentoo-dev 2019-08-06 08:42:47 UTC
Though it looks like the fix is incomplete:
https://bugzilla.clamav.net/show_bug.cgi?id=12356

Probably we should still bump to 0.101.3, but expect a new release soon.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2019-11-01 10:04:08 UTC
arm stable
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-11-07 00:10:42 UTC
arm64 stable
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-19 20:50:13 UTC
Repository is clean, all done!