Bug#934359: clamav: ZIP bomb causes extreme CPU spikes
Hugo Lefeuvre
2019-08-10 07:50:01 UTC
Source: clamav
Version: 0.101.2+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=12356

Hi,

clamav is affected by a DoS vulnerability caused by crafted, extremely
compressed ZIP files.

Even though this issue is marked as fixed in unstable, the current patch is
incomplete (see upstream bug report). Upstream is actively working on a
more advanced patch.

regards,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
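As an added illustration of the risk described above (this is not code from the bug report, from Debian or from ClamAV; the function names and thresholds are my own choices): a cheap pre-filter that compares the sizes declared in the ZIP central directory, plus a budgeted inflate for the case where those declared sizes are forged, so a highly compressed archive never forces unbounded decompression work.

```python
import io
import zipfile

# Constructed sample archive: a tiny text entry plus 8 MiB of zero bytes,
# which deflate compresses to a few KiB (ratio well above 1000:1).
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("padding.bin", b"\0" * (8 * 1024 * 1024))
    return buf.getvalue()

def declared_ratio_findings(data: bytes, max_ratio: float = 100.0,
                            max_total: int = 64 * 1024 * 1024):
    """First gate: read only central-directory metadata, no decompression.
    Flags entries whose declared uncompressed/compressed ratio exceeds
    max_ratio and archives whose declared total exceeds max_total.
    Declared sizes are attacker-controlled, so this is only a pre-filter."""
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                findings.append((info.filename, "ratio"))
    if total > max_total:
        findings.append(("<archive>", "total"))
    return findings

def inflate_with_budget(data: bytes, name: str, budget: int) -> int:
    """Second gate: inflate one entry in 64 KiB chunks and abort as soon as
    the produced output exceeds budget, so forged headers cannot make the
    scanner inflate without bound. Returns bytes produced, or -1 on abort."""
    produced = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as fh:
        while True:
            chunk = fh.read(65536)
            if not chunk:
                return produced
            produced += len(chunk)
            if produced > budget:
                return -1
```

Running `declared_ratio_findings(build_sample_zip())` flags `padding.bin` on ratio alone, and `inflate_with_budget` stops that same entry after one megabyte of output.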
Sebastian Andrzej Siewior
2019-08-11 22:10:02 UTC
Post by Hugo Lefeuvre
Source: clamav
Version: 0.101.2+dfsg-3
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=12356
Hi,
clamav is affected by a DoS vulnerability caused by crafted, extremely
compressed ZIP files.
Even though this issue is marked as fixed in unstable, the current patch is
incomplete (see upstream bug report). Upstream is actively working on a
more advanced patch.
I am aware of the situation. I uploaded to unstable what upstream
released as 0.101.3 (the latest one) and prepared an update for stable.
_After_ that, the bugtracker got updated claiming that the fix is not
perfect and another zip bomb was added to the bugtracker.
Post by Hugo Lefeuvre
regards,
Hugo
Sebastian
Hugo Lefeuvre
2019-08-12 06:30:01 UTC
Hi Sebastian,
Post by Sebastian Andrzej Siewior
Post by Hugo Lefeuvre
Even though this issue is marked as fixed in unstable, the current patch is
incomplete (see upstream bug report). Upstream is actively working on a
more advanced patch.
I am aware of the situation. I uploaded to unstable what upstream
released as 0.101.3 (the latest one) and prepared an update for stable.
_After_ that, the bugtracker got updated claiming that the fix is not
perfect and another zip bomb was added to the bugtracker.
I'm sorry if this sounded insistent, it was not intended like that.

thanks for your work!

cheers,
Hugo
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Sebastian Andrzej Siewior
2019-08-12 06:40:01 UTC
control: found -1 0.98.6+dfsg-1
Post by Hugo Lefeuvre
Hi Sebastian,
Hi,
Post by Hugo Lefeuvre
I'm sorry if this sounded insistent, it was not intended like that.
No problem, everything is okay. I was planning to open a similar bug
just to point out that the issue is not completely fixed so the release
team is aware while processing the pu bug.
I just wanted to make clear that we have what upstream has in their
latest release and we don't lack a patch or so and we are waiting for an
update.
Post by Hugo Lefeuvre
cheers,
Hugo
Sebastian