[Pkg-clamav-devel] Bug#773318: clamav dies/hangs

Neil McGovern neil at halon.org.uk
Sat Dec 20 12:49:26 UTC 2014


Hi,

On Sat, Dec 20, 2014 at 12:12:13PM +0100, Andreas Cadhalpun wrote:
> Control: tags 773041 security
> Control: severity 773041 grave
> Justification: causes remote denial of service
> 

For info, I saw this a few days ago and reported it to the security
team. It is indeed available in the wild, and is caused by the malformed
CAB file. The version in wheezy and wheezy-updates will need separate
fixes, as they change how they use libmspack, though the actual fix
seems to be fairly trivial.

The version in sid/jessie uses the packaged libmspack, so it'll need
fixing there.

> As it shows that clamd hangs in libmspack, I think this is bug
> #773041 [1]. A possible fix is mentioned in [2]. We'll have to
> include it in the libmspack copy embedded in clamav, which is used
> in wheezy.
> 
> 1: https://bugs.debian.org/773041
> 2: https://bugs.debian.org/773041#8

Thanks,
Neil