[Pkg-clamav-devel] Bugfix for #507624 prepared

Scott Kitterman debian at kitterman.com
Wed Dec 3 21:14:01 UTC 2008


On Wed, 3 Dec 2008 10:48:54 -0800 Michael Tautschnig <mt at debian.org> wrote:
>> * Scott Kitterman:
>> 
>> > On Wed, 03 Dec 2008 12:39:59 +0100 Florian Weimer <fw at deneb.enyo.de> wrote:
>> >
>> >>Your patch looks fine.  Is there a CVE yet?
>> >
>> > As of two days ago when I put the Ubuntu change together there was not.
>> 
>> Oh well.  At least for the other bug, there's a CVE (CVE-2008-5050).
>> 
>> What about CVE-2008-1389?
>> 
>
>I've looked at the corresponding patch and the code to-be-patched. It seems like
>the version in etch(-security) is not affected, because it does not keep going
>if part of the parsing fails (which some versions in between apparently did).

In 0.90 there is a configurable recursion limit, so that's not surprising.  
The default setting is sane.  Users could, however, shoot themselves in the 
foot.  While I wouldn't do an update just for this, it seems reasonable to 
me to include the fix in with the others.

Scott K