[Pkg-clamav-devel] Bug#934359: clamav: ZIP bomb causes extreme CPU spikes

Salvatore Bonaccorso carnil at debian.org
Thu Aug 22 19:59:39 BST 2019


Hi,

On Mon, Aug 12, 2019 at 08:35:25AM +0200, Sebastian Andrzej Siewior wrote:
> control: found -1 0.98.6+dfsg-1
> 
> On 2019-08-12 08:21:22 [+0200], Hugo Lefeuvre wrote:
> > Hi Sebastian,
> Hi,
> 
> > I'm sorry if this sounded insistent, it was not intended like that.
> 
> No problem, everything is okay. I was planning to open a similar bug
> just to point out that the issue is not completely fixed so the release
> team is aware while processing the pu bug.
> I just wanted to make clear that we have what upstream has in their
> latest release and we don't lack a patch or so and we are waiting for an
> update.

There is now CVE-2019-12625 specifically assigned for 

>  The zip bomb vulnerability mitigated in 0.101.3 has been assigned the
>  CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-
>  bomb mitigation was immediately identified. To remediate the zip-bomb
>  scan time issue, a scan time limit has been introduced in 0.101.4. This
>  limit now resolves ClamAV's vulnerability to CVE-2019-12625.
> 
> The default scan time limit is 2 minutes (120000 milliseconds).
> 
> To customize the time limit:
> - use the clamscan  --max-scantime option
> - use the clamd  MaxScanTime config option
> 
> Libclamav users may customize the time limit using the cl_engine_set_num
> function. For example:
> 
>     cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds);
> 
> Thanks to David Fifield for reviewing the zip-bomb mitigation in
> 0.101.3 and reporting the issue.

https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

Regards,
Salvatore
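The scan-time limit the quoted release note describes, as an added illustration that is not ClamAV's or libclamav's code: a small Python walker over ZIP members that inflates each member in bounded steps and aborts either when a wall-clock budget runs out (the analogue of clamd's MaxScanTime / CL_ENGINE_MAX_SCANTIME, with the same 120000 ms default) or when the observed output-to-input ratio passes a ceiling (the kind of heuristic a crafted archive can evade, which is why the time budget is the backstop). The clock is injectable so the timeout can be exercised deterministically. scan_zip, build_zip, FakeClock, ScanTimeout, ZipBombSuspect, the 64 KiB step size and the 1 MiB ratio floor are all choices made for this example, not ClamAV's; the sample archives are constructed in memory.

```python
"""Scan-time-limited ZIP walk: an example added to this page, not libclamav code."""
import io
import struct
import time
import zipfile
import zlib

CHUNK = 64 * 1024            # inflate at most this much per step (chosen here)
RATIO_FLOOR = 1 << 20        # apply the ratio check only after 1 MiB has come out
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")   # the 30-byte local file header


class ScanTimeout(Exception):
    """The scan exceeded its wall-clock budget (analogue of ClamAV's MaxScanTime)."""


class ZipBombSuspect(Exception):
    """Observed decompression ratio exceeded the configured ceiling."""


class FakeClock:
    """Deterministic clock for tests: every call advances by step_ms."""
    def __init__(self, step_ms=1):
        self.now, self.step = 0.0, step_ms / 1000.0

    def __call__(self):
        t = self.now
        self.now += self.step
        return t


def _raw_member(buf, info):
    """Return the still-compressed bytes of one member by re-parsing its local header.

    Only header_offset and compress_size are taken from the central directory; the
    slice is bounded by len(buf), so a lying size cannot read outside the archive.
    """
    fields = LOCAL_HEADER.unpack_from(buf, info.header_offset)
    if fields[0] != b"PK\x03\x04":
        raise zipfile.BadZipFile("bad local file header for %s" % info.filename)
    name_len, extra_len = fields[9], fields[10]
    start = info.header_offset + LOCAL_HEADER.size + name_len + extra_len
    return buf[start:start + info.compress_size]


def scan_zip(data, max_scantime_ms=120000, max_ratio=1000, clock=time.monotonic):
    """Walk every member, inflating in bounded steps, and return per-archive counters.

    Raises ScanTimeout once clock() passes the budget and ZipBombSuspect once
    produced/consumed bytes exceed max_ratio (after RATIO_FLOOR bytes of output).
    """
    deadline = clock() + max_scantime_ms / 1000.0
    stats = {"members": 0, "compressed": 0, "uncompressed": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.compress_type == zipfile.ZIP_DEFLATED:
                inflater = zlib.decompressobj(-zlib.MAX_WBITS)   # raw deflate stream
            elif info.compress_type == zipfile.ZIP_STORED:
                inflater = None
            else:
                raise zipfile.BadZipFile("unsupported method %d" % info.compress_type)
            raw = _raw_member(data, info)
            pending, consumed, produced = raw, 0, 0
            stats["members"] += 1
            while True:
                # Checked inside the inner loop on purpose: one member can inflate to
                # gigabytes, so a per-member check would not bound CPU time.
                if clock() > deadline:
                    raise ScanTimeout("exceeded %d ms in %s" % (max_scantime_ms, info.filename))
                if inflater is None:
                    chunk, pending = pending[:CHUNK], pending[CHUNK:]
                    consumed += len(chunk)
                else:
                    chunk = inflater.decompress(pending, CHUNK)
                    pending = inflater.unconsumed_tail
                    consumed = len(raw) - len(pending)
                if not chunk:
                    break
                produced += len(chunk)
                # A real scanner would run signature matching over `chunk` here.
                if produced > RATIO_FLOOR and produced > max_ratio * max(consumed, 1):
                    raise ZipBombSuspect("%s: %d bytes from %d" % (info.filename, produced, consumed))
            stats["compressed"] += consumed
            stats["uncompressed"] += produced
    return stats


def build_zip(members, stored=False):
    """Constructed sample input: an in-memory archive from (name, bytes) pairs."""
    out = io.BytesIO()
    method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    with zipfile.ZipFile(out, "w", method) as zf:
        for name, payload in members:
            zf.writestr(name, payload)
    return out.getvalue()


if __name__ == "__main__":
    benign = build_zip([("readme.txt", b"hello"), ("data.bin", b"\x00" * 1000)])
    print("benign:", scan_zip(benign))
    try:
        scan_zip(build_zip([("zeros.bin", b"\x00" * (4 << 20))]), max_ratio=100)
    except ZipBombSuspect as exc:
        print("ratio limit hit:", exc)
    try:
        scan_zip(benign, max_scantime_ms=1, clock=FakeClock(step_ms=1))
    except ScanTimeout as exc:
        print("time limit hit:", exc)
```

The ratio check is the kind of heuristic the quoted note says was worked around; the deadline check is what actually bounds CPU, which is why it sits in the innermost loop rather than once per member or once per archive.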
