Bug#934359: clamav: ZIP bomb causes extreme CPU spikes
Hugo Lefeuvre
2019-08-10 07:50:01 UTC
Source: clamav
Version: 0.101.2+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=12356

Hi,

clamav is affected by a DoS vulnerability caused by crafted, extremely
compressed ZIP files.

Even though this issue is marked as fixed in unstable, the current patch is
incomplete (see upstream bug report). Upstream is actively working on a
more advanced patch.

regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Sebastian Andrzej Siewior
2019-08-11 22:10:02 UTC
Hugo Lefeuvre wrote:
> Source: clamav
> Version: 0.101.2+dfsg-3
> Severity: important
> Tags: security upstream
> Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=12356
>
> Hi,
>
> clamav is affected by a DoS vulnerability caused by crafted, extremely
> compressed ZIP files.
>
> Even though this issue is marked as fixed in unstable, the current patch is
> incomplete (see upstream bug report). Upstream is actively working on a
> more advanced patch.

I am aware of the situation. I uploaded to unstable what upstream
released as 0.101.3 (the latest one) and prepared an update for stable.
_After_ that, the bugtracker got updated claiming that the fix is not
perfect and another zip bomb was added to the bugtracker.

> regards,
> Hugo
Sebastian
Hugo Lefeuvre
2019-08-12 06:30:01 UTC
Hi Sebastian,
Sebastian Andrzej Siewior wrote:
> Hugo Lefeuvre wrote:
>> Even though this issue is marked as fixed in unstable, the current patch is
>> incomplete (see upstream bug report). Upstream is actively working on a
>> more advanced patch.
>
> I am aware of the situation. I uploaded to unstable what upstream
> released as 0.101.3 (the latest one) and prepared an update for stable.
> _After_ that, the bugtracker got updated claiming that the fix is not
> perfect and another zip bomb was added to the bugtracker.

I'm sorry if this sounded insistent, it was not intended like that.

thanks for your work!

cheers,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Sebastian Andrzej Siewior
2019-08-12 06:40:01 UTC
control: found -1 0.98.6+dfsg-1
Hugo Lefeuvre wrote:
> Hi Sebastian,

Hi,

> I'm sorry if this sounded insistent, it was not intended like that.

No problem, everything is okay. I was planning to open a similar bug
just to point out that the issue is not completely fixed so the release
team is aware while processing the pu bug.
I just wanted to make clear that we have what upstream has in their
latest release and we don't lack a patch or so and we are waiting for an
update.

> cheers,
> Hugo
Sebastian
Salvatore Bonaccorso
2019-08-22 19:10:02 UTC
Hi,
Sebastian Andrzej Siewior wrote:
> control: found -1 0.98.6+dfsg-1
>
> Hugo Lefeuvre wrote:
>> Hi Sebastian,
>
> Hi,
>
>> I'm sorry if this sounded insistent, it was not intended like that.
>
> No problem, everything is okay. I was planning to open a similar bug
> just to point out that the issue is not completely fixed so the release
> team is aware while processing the pu bug.
> I just wanted to make clear that we have what upstream has in their
> latest release and we don't lack a patch or so and we are waiting for an
> update.

There is now CVE-2019-12625 specifically assigned for

> The zip bomb vulnerability mitigated in 0.101.3 has been assigned the
> CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-
> bomb mitigation was immediately identified. To remediate the zip-bomb
> scan time issue, a scan time limit has been introduced in 0.101.4. This
> limit now resolves ClamAV's vulnerability to CVE-2019-12625.
>
> The default scan time limit is 2 minutes (120000 milliseconds).
> - use the clamscan --max-scantime option
> - use the clamd MaxScanTime config option
>
> Libclamav users may customize the time limit using the cl_engine_set_num
>
>     cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds)
>
> Thanks to David Fifield for reviewing the zip-bomb mitigation in
> 0.101.3 and reporting the issue.
>
> https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

Regards,
Salvatore
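As an added example (not ClamAV's code, and not part of the announcement quoted above), the following Python shows the defender-side use of the 0.101.4 scan-time limit together with a cheap pre-screen: it reads only a ZIP's central directory (no decompression) to flag bomb-like declared inflation and nested archives, builds a `clamscan --max-scantime` command line, and wraps the scan in an OS-level timeout as a backstop in case the engine limit is ever bypassed again. The `clamscan` options `--max-scantime` and `--no-summary` are real; the ratio and size thresholds, the helper names and the zero-filled sample archive are assumptions constructed for the example.

```python
"""Pre-screen a ZIP for bomb-like inflation and run clamscan under a time limit.

Added example around the ClamAV 0.101.4 scan-time limit; not ClamAV code.
Thresholds and helper names are assumptions chosen for illustration.
"""
import io
import shutil
import subprocess
import zipfile
from dataclasses import dataclass


@dataclass
class InflationReport:
    entries: int
    compressed: int        # sum of compress_size over the central directory
    uncompressed: int      # sum of the *declared* file_size values
    nested_archives: int   # entries whose name ends in .zip (bombs often nest)

    @property
    def ratio(self) -> float:
        # A bomb advertises an enormous uncompressed size for few stored bytes.
        return self.uncompressed / self.compressed if self.compressed else float("inf")


def inspect_zip(data: bytes) -> InflationReport:
    """Sum declared sizes from the central directory without inflating any entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        return InflationReport(
            entries=len(infos),
            compressed=sum(i.compress_size for i in infos),
            uncompressed=sum(i.file_size for i in infos),
            nested_archives=sum(1 for i in infos if i.filename.lower().endswith(".zip")),
        )


def looks_like_bomb(report: InflationReport,
                    max_ratio: float = 100.0,            # assumed policy threshold
                    max_uncompressed: int = 256 * 2**20  # assumed policy threshold
                    ) -> bool:
    """Policy check on declared sizes; tune thresholds to the deployment."""
    return report.ratio > max_ratio or report.uncompressed > max_uncompressed


def clamscan_argv(path: str, max_scantime_ms: int = 120000) -> list:
    """Command line using the --max-scantime option from 0.101.4 (120000 ms is the default)."""
    return ["clamscan", "--no-summary", f"--max-scantime={max_scantime_ms}", path]


def scan_with_limit(path: str, max_scantime_ms: int = 120000, grace_s: int = 30) -> str:
    """Run clamscan with the engine limit plus an OS-level timeout as a second fence.

    Returns 'clean', 'infected', 'error', 'timeout' or 'unavailable'.
    """
    if shutil.which("clamscan") is None:
        return "unavailable"
    try:
        proc = subprocess.run(clamscan_argv(path, max_scantime_ms),
                              capture_output=True,
                              timeout=max_scantime_ms / 1000 + grace_s)
    except subprocess.TimeoutExpired:
        return "timeout"
    # clamscan exit status: 0 clean, 1 something found, 2 error
    return {0: "clean", 1: "infected"}.get(proc.returncode, "error")


def make_sample_zip(size: int, nest: bool = False) -> bytes:
    """Constructed test input: highly compressible zeros, optionally wrapped in a second ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * size)
    data = inner.getvalue()
    if nest:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("inner.zip", data)
        data = outer.getvalue()
    return data


if __name__ == "__main__":
    for label, blob in (("2 MiB of zeros", make_sample_zip(2 * 2**20)),
                        ("16 bytes", make_sample_zip(16)),
                        ("nested", make_sample_zip(2**20, nest=True))):
        rep = inspect_zip(blob)
        print(f"{label}: ratio={rep.ratio:.0f} nested={rep.nested_archives} "
              f"bomb-like={looks_like_bomb(rep)}")
```

The pre-screen only trusts the sizes the archive declares about itself, so it is a cheap first filter, not a replacement for the engine limit; the same limit can be set for the daemon with the `MaxScanTime` option in clamd.conf, as the announcement notes.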
Hugo Lefeuvre
2019-08-22 19:40:01 UTC
Hi,
Salvatore Bonaccorso wrote:
>> The zip bomb vulnerability mitigated in 0.101.3 has been assigned the
>> CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-
>> bomb mitigation was immediately identified. To remediate the zip-bomb
>> scan time issue, a scan time limit has been introduced in 0.101.4. This
>> limit now resolves ClamAV's vulnerability to CVE-2019-12625.
>>
>> The default scan time limit is 2 minutes (120000 milliseconds).
>> - use the clamscan --max-scantime option
>> - use the clamd MaxScanTime config option
>>
>> Libclamav users may customize the time limit using the cl_engine_set_num
>>
>>     cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds)
>>
>> Thanks to David Fifield for reviewing the zip-bomb mitigation in
>> 0.101.3 and reporting the issue.
>>
>> https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

Great! Is anybody working on 0.101.4 updates for stretch/buster? I plan to
backport the update to jessie after that.

regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Sebastian Andrzej Siewior
2019-08-23 21:30:01 UTC
Hugo Lefeuvre wrote:
> Great! Is anybody working on 0.101.4 updates for stretch/buster? I plan to
> backport the update to jessie after that.

I'm tired now but I plan to take care of this over the weekend.

> regards,
> Hugo
Sebastian
