[Pkg-clamav-devel] clamav llvm 3.6 dependency

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sun Mar 27 21:05:53 UTC 2016


On 2016-03-25 10:18:53 [+0100], harald at a-little-linux-box.at wrote:
> Dear clamav maintainers,

Hi Harald,

> I just wanted to ask if it would be possible to adapt clamav to llvm 3.7
> as 3.6 (at least the Debian package) contains a vulnerability which
> seems to impair (at least according to the security tracker) the
> security of clamav. As it is often used in a network context (mail and

Are you talking about CVE-2015-2305 / the Henry Spencer BSD regex library? It
looks hard to trigger (that was the case for clamav's usage of the library). It
would probably be best if you pinged the llvm maintainer to get it fixed.
According to the tracker, 3.5 for instance has the same problem, and that is
part of stable. So the best thing to do seems to be to get llvm fixed.
I am not even sure whether clamav compiles against 3.7. But I was not
aware (until now) that 3.7 is part of testing. It wasn't the last time I
looked at it.

BTW: llvm is only used for the bytecode interpreter, which becomes a JIT. If you
disable the bytecode thingy then it should not be used. The bytecode data comes
from clamav.

> web proxy scanning) this seems to be a not very desirable situation.
> When answering please keep me in cc as I'm not subscribed to your list.
> 
> Thanks for your time
> Kind regards
> Harald Jenny

Sebastian
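An added example, not from this thread and not ClamAV's own code: a small POSIX sh helper that switches the bytecode engine off in a clamd.conf, which is the runtime way to make sure clamd never loads the LLVM-backed bytecode JIT that the reply above mentions. It assumes ClamAV's `Bytecode yes|no` clamd.conf directive (absent means yes), and the config fragment it edits is constructed for the demo; `clamscan --bytecode=no` is the one-off equivalent for the command-line scanner.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): turn the ClamAV bytecode
# engine off in a clamd.conf so the LLVM JIT is never used at runtime.
# Assumes the real clamd.conf directive "Bytecode yes|no"; the sample config
# below is constructed, and the file path is a placeholder.

# disable_bytecode FILE: set "Bytecode no" in FILE, dropping every existing
# Bytecode directive (active or commented out) so exactly one remains.
# "BytecodeSecurity"/"BytecodeTimeout" lines are left alone (the regex
# requires whitespace right after "Bytecode").
disable_bytecode() {
    f="$1"
    tmp="$f.tmp.$$"
    grep -v -E '^[[:space:]]*#?[[:space:]]*Bytecode[[:space:]]' "$f" > "$tmp" || true
    printf 'Bytecode no\n' >> "$tmp"
    mv "$tmp" "$f"
}

# bytecode_enabled FILE: return 0 if the bytecode engine would be active for
# this config (ClamAV defaults to yes when the directive is absent), 1 if the
# last active "Bytecode" directive turns it off.
bytecode_enabled() {
    v=$(grep -E '^[[:space:]]*Bytecode[[:space:]]+' "$1" | tail -n 1 | awk '{print tolower($2)}')
    case "$v" in
        no|false|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone demo on a constructed config fragment.
demo_cfg="${TMPDIR:-/tmp}/clamd-bytecode-demo.$$"
cat > "$demo_cfg" <<'EOF'
# constructed sample clamd.conf fragment
LogFile /var/log/clamav/clamd.log
#Bytecode yes
BytecodeSecurity TrustSigned
BytecodeTimeout 5000
EOF
if bytecode_enabled "$demo_cfg"; then echo "before: bytecode engine on"; fi
disable_bytecode "$demo_cfg"
if bytecode_enabled "$demo_cfg"; then echo "after: still on"; else echo "after: bytecode engine off"; fi
cat "$demo_cfg"
rm -f "$demo_cfg"
```

Restart clamd after changing the file; the same check against `clamconf` output (which dumps the effective configuration) confirms the daemon picked up `Bytecode no`.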



More information about the Pkg-clamav-devel mailing list