FEDORA-2019-aabcb53ec6 created by orion 8 months ago for Fedora 29
stable

ClamAV 0.101.4 is a security patch release that addresses the following issues.

  • An out of bounds write was possible within ClamAV's NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900). The issue has been resolved by respecting that limit.

    Thanks to Martin Simmons for reporting the issue here.

  • The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb mitigation was immediately identified. To remediate the zip-bomb scan time issue, a scan time limit has been introduced in 0.101.4. This limit now resolves ClamAV's vulnerability to CVE-2019-12625.

    The default scan time limit is 2 minutes (120000 milliseconds).

    To customize the time limit:

      - use the clamscan --max-scantime option
      - use the clamd MaxScanTime config option

    Libclamav users may customize the time limit using the cl_engine_set_num function. For example:

        cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds);

    Thanks to David Fifield for reviewing the zip-bomb mitigation in 0.101.3 and reporting the issue.
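
The class of bug described in the first item (CVE-2019-12900), shown as an added example that is not ClamAV's or bzip2's own code: a simplified parser for a bzip2-style selector section that enforces the selector limit before writing into a fixed-size array. The function name read_selectors, the bit reader and the sample bytes are constructed for illustration; the field widths and the BZ_MAX_SELECTORS value follow bzip2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BZ_N_GROUPS      6
#define BZ_MAX_SELECTORS 18002   /* bzip2's limit: 2 + 900000 / 50 */

typedef struct { const uint8_t *buf; size_t len, bitpos; } bitreader;

/* Read n bits MSB-first (bzip2 bit order); -1 when the input runs out. */
static int32_t get_bits(bitreader *br, int n) {
    int32_t v = 0;
    while (n-- > 0) {
        if (br->bitpos >= br->len * 8) return -1;
        v = (v << 1) | ((br->buf[br->bitpos >> 3] >> (7 - (br->bitpos & 7))) & 1);
        br->bitpos++;
    }
    return v;
}

/* Simplified selector section: 3-bit group count, 15-bit selector count,
 * then one unary-coded MTF index per selector. `out` must hold
 * BZ_MAX_SELECTORS bytes. Returns the count, or -1 on malformed data. */
int read_selectors(const uint8_t *data, size_t len, uint8_t *out) {
    bitreader br = { data, len, 0 };
    int32_t n_groups = get_bits(&br, 3);
    if (n_groups < 2 || n_groups > BZ_N_GROUPS) return -1;
    int32_t n_selectors = get_bits(&br, 15);
    /* The 15-bit field can claim up to 32767 entries, but `out` holds
     * 18002. Without this check the loop below writes past the array. */
    if (n_selectors < 1 || n_selectors > BZ_MAX_SELECTORS) return -1;
    for (int32_t i = 0; i < n_selectors; i++) {
        int32_t j = 0, bit;
        while ((bit = get_bits(&br, 1)) == 1)
            if (++j >= n_groups) return -1;   /* index beyond group count */
        if (bit < 0) return -1;               /* truncated stream */
        out[i] = (uint8_t)j;
    }
    return n_selectors;
}

static uint8_t selector_buf[BZ_MAX_SELECTORS];

int main(void) {
    /* Constructed inputs: 2 groups; 3 selectors (0,1,0) vs. a claimed 32767. */
    const uint8_t ok[] = { 0x40, 0x00, 0xD0 }, oversized[] = { 0x5F, 0xFF, 0xFF };
    printf("valid: %d\n", read_selectors(ok, sizeof ok, selector_buf));
    printf("oversized: %d\n", read_selectors(oversized, sizeof oversized, selector_buf));
    return 0;
}
```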

How to install

sudo dnf upgrade --advisory=FEDORA-2019-aabcb53ec6

This update has been submitted for testing by orion.

8 months ago

This update's test gating status has been changed to 'waiting'.

8 months ago

This update's test gating status has been changed to 'ignored'.

8 months ago

This update has been pushed to testing.

8 months ago

This update can be pushed to stable now if the maintainer wishes

8 months ago

This update has been submitted for stable by bodhi.

8 months ago

This update has been pushed to stable.

7 months ago


Metadata
  Type: security
  Severity: high
  Karma: 0
  Signed
  Content Type: RPM
  Test Gating
Settings
  Unstable by Karma: -3
  Stable by Karma: 3
  Stable by Time: 7 days
Dates
  submitted: 8 months ago
  in testing: 8 months ago
  in stable: 7 months ago
BZ#1744273 clamav-0.101.4 is available

Test Cases

Test Case ClamAV