Off-by-one error in the cli_hm_scan function in matcher-hash.c in libclamav
in ClamAV before 0.97.2 allows remote attackers to cause a denial of service
(daemon crash) via an e-mail message that is not properly handled during
certain hash calculations.
Maintainers, can we stabilize 0.97.2?
Arches, please test & mark stable version 0.97.2; you can use the EICAR test pattern if you want to make sure that the detection engine is functional. Further details here:
EICAR test passed.
Anyway, @maintainers, check the init script, which does not say anything when I start the service:
amd64box ~ # /etc/init.d/clamd start
amd64box ~ #
+ 17 Aug 2011; Tony Vroon <email@example.com> clamav-0.97.2.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in
+ security bug #378815.
Builds and runs fine on x86. Please mark stable for x86.
x86 stable, thanks Myckel
Stable for HPPA.
Thanks, everyone. Added to existing GLSA request.
This issue was resolved and addressed in
GLSA 201110-20 at http://security.gentoo.org/glsa/glsa-201110-20.xml
by GLSA coordinator Tim Sammut (underling).