[Pkg-clamav-devel] Bug#934359: clamav: ZIP bomb causes extreme CPU spikes

Hugo Lefeuvre hle at debian.org
Thu Aug 22 20:36:31 BST 2019


Hi,

> >  The zip bomb vulnerability mitigated in 0.101.3 has been assigned the
> >  CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-
> >  bomb mitigation was immediately identified. To remediate the zip-bomb
> >  scan time issue, a scan time limit has been introduced in 0.101.4. This
> >  limit now resolves ClamAV's vulnerability to CVE-2019-12625.
> > 
> > The default scan time limit is 2 minutes (120000 milliseconds).
> > 
> > To customize the time limit:
> > - use the clamscan --max-scantime option
> > - use the clamd MaxScanTime config option
> > 
> > Libclamav users may customize the time limit using the cl_engine_set_num
> > function. For example:
> > 
> >     cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds);
> > 
> > Thanks to David Fifield for reviewing the zip-bomb mitigation in
> > 0.101.3 and reporting the issue.
> 
> https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html

Great! Is anybody working on 0.101.4 updates for stretch/buster? I plan to
backport the update to jessie after that.

regards,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
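The quoted release note explains why 0.101.4 moved from a content heuristic (which was bypassed right after 0.101.3) to a hard scan time limit: a wall-clock budget is checked throughout the scan, so no archive layout can keep the scanner busy longer than the configured limit. The following is an added illustration of that mechanism in Python, written for this list archive; it is not ClamAV code and does not use libclamav. The real controls are the ones named above (`clamscan --max-scantime`, `MaxScanTime` in clamd.conf, `cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, ...)`). The function names, the `ScanResult` fields and the nested sample archive are assumptions constructed here; the `clock` parameter exists only so the timeout path can be exercised deterministically.

```python
import io
import time
import zipfile
from dataclasses import dataclass

CHUNK = 64 * 1024  # decompress in chunks so the budget is checked often


@dataclass
class ScanResult:
    status: str            # "CLEAN" or "TIMEOUT" (hypothetical result codes)
    bytes_scanned: int = 0
    entries: int = 0
    max_depth: int = 0     # nesting depth reached, 0 = outermost archive
    elapsed_ms: float = 0.0


class ScanTimeout(Exception):
    """Raised internally when the scan time budget is exhausted."""


def build_nested_zip(layers: int, inner_size: int) -> bytes:
    """Constructed sample input: a highly compressible payload wrapped in
    `layers` nested zip files (a miniature of the archive shapes that
    inflate scan time)."""
    payload = b"\0" * inner_size
    for depth in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(f"layer{depth}.zip" if depth else "payload.bin", payload)
        payload = buf.getvalue()
    return payload


def scan_zip(data: bytes, max_scantime_ms: int, clock=time.monotonic) -> ScanResult:
    """Walk an archive recursively, aborting once the wall-clock budget
    (analogous to MaxScanTime / CL_ENGINE_MAX_SCANTIME) is exceeded.
    `clock` is injectable for deterministic testing."""
    start = clock()
    result = ScanResult(status="CLEAN")

    def check_budget() -> None:
        result.elapsed_ms = (clock() - start) * 1000.0
        if result.elapsed_ms > max_scantime_ms:
            raise ScanTimeout

    def walk(blob: bytes, depth: int) -> None:
        result.max_depth = max(result.max_depth, depth)
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                result.entries += 1
                chunks = []
                with zf.open(info) as fh:
                    while True:
                        check_budget()  # the limit applies to the whole scan, not per entry
                        chunk = fh.read(CHUNK)
                        if not chunk:
                            break
                        result.bytes_scanned += len(chunk)
                        chunks.append(chunk)
                inner = b"".join(chunks)
                # A real scanner also caps per-file size and recursion depth;
                # this sketch shows only the time budget.
                if zipfile.is_zipfile(io.BytesIO(inner)):
                    walk(inner, depth + 1)

    try:
        walk(data, 0)
    except ScanTimeout:
        result.status = "TIMEOUT"
    return result


def make_fake_clock(step_s: float):
    """Test helper: a clock that advances by `step_s` seconds per call, so
    the timeout path is reproducible without a large archive."""
    now = [0.0]

    def clock() -> float:
        now[0] += step_s
        return now[0]

    return clock


if __name__ == "__main__":
    sample = build_nested_zip(layers=3, inner_size=1_000_000)
    print(scan_zip(sample, max_scantime_ms=120000))                      # default-style budget
    print(scan_zip(sample, max_scantime_ms=100, clock=make_fake_clock(0.05)))  # budget exhausted
```

With the 120000 ms budget the three-layer sample scans to completion; with the fake clock every budget check costs 50 ms, so the scan is cut off after the third check and reports `TIMEOUT` regardless of how much data remains. That is the property the release note relies on: the bound is on time spent, not on any structural feature of the archive that an attacker could vary.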