[Pkg-clamav-devel] Bug#934359: clamav: ZIP bomb causes extreme CPU spikes

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Sun Aug 11 22:36:09 BST 2019


On 2019-08-10 09:39:22 [+0200], Hugo Lefeuvre wrote:
> Source: clamav
> Version: 0.101.2+dfsg-3
> Severity: important
> Tags: security upstream
> Forwarded: https://bugzilla.clamav.net/show_bug.cgi?id=12356
> 
> Hi,
> 
> clamav is affected by a DoS vulnerability caused by crafted, extremely
> compressed ZIP files.
> 
> Even though this issue is marked as fixed in unstable, the current patch is
> incomplete (see upstream bug report). Upstream is actively working on a
> more advanced patch.

I am aware of the situation. I uploaded to unstable what upstream
released as 0.101.3 (the latest one) and prepared an update for stable.
_After_ that, the bugtracker got updated claiming that the fix is not
perfect and another zip bomb was added to the bugtracker.

> regards,
> Hugo

Sebastian


