[Pkg-clamav-devel] ClamAV. again

Devin Carraway devin at debian.org
Mon Sep 8 16:47:14 UTC 2008


On Fri, Sep 05, 2008 at 05:06:30PM +0100, Stephen Gran wrote:
> I realize none of these are critical vulnerabilities, so if you don't
> want me to upload, that's fine.  The upload is prepared if you want it.
[...]
> +  * [CVE-2008-3912]: libclamav/mbox.c, libclamav/message.c: out-of-memory null
> +    dereferences
> +  * [CVE-2008-3914]: libclamav/htmlnorm.c, libclamav/others.c,
> +    libclamav/sis.c: fd leaks
> +  * [CVE-2008-3913]: freshclam/manager.c: memory leaks

CVE-2008-3912 and CVE-2008-3913 don't seem critical on the face of it, but do
you know the (normal or induceable) rate of fd leakage caused by
CVE-2008-3914?  Reviewing the patch it looks like it's correcting the
detection of error cases; if an error on one fd can prevent the closing of
another then it's definitely a leak, but whether that leak poses a thread
worth fixing in stable seems to depend on whether it could be induced
remotely (or if it happens under common conditions; leaking 1 fd per HTML
message wouldn't be tolerable, since many mailservers will exhaust the fd
limit within a day or two at that rate.  Do you have any more detail?


Devin

-- 
Devin  \ aqua(at)devin.com, IRC:Requiem; http://www.devin.com
Carraway \ 1024D/E9ABFCD2: 13E7 199E DD1E 65F0 8905 2E43 5395 CA0D E9AB FCD2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20080908/b3682362/attachment.pgp 


More information about the Pkg-clamav-devel mailing list