FEDORA-EPEL-2019-ae72f875d9 created by orion 3 months ago for Fedora EPEL 7
stable

ClamAV 0.101.4 is a security patch release that addresses the following issues.

  • An out of bounds write was possible within ClamAV's NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900). The issue has been resolved by respecting that limit.

    Thanks to Martin Simmons for reporting the issue here.

  • The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb mitigation was immediately identified. To remediate the zip-bomb scan time issue, a scan time limit has been introduced in 0.101.4. This limit now resolves ClamAV's vulnerability to CVE-2019-12625.

    The default scan time limit is 2 minutes (120000 milliseconds).

    To customize the time limit:

    - use the clamscan --max-scantime option
    - use the clamd MaxScanTime config option

    Libclamav users may customize the time limit using the cl_engine_set_num function. For example:

    cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds);

    Thanks to David Fifield for reviewing the zip-bomb mitigation in 0.101.3 and reporting the issue.
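The selector-limit check described for CVE-2019-12900, as an added example (not ClamAV's or bzip2's own code): a bzip2 block header carries a 15-bit selector count, so the count must be checked against the table size before any selector is stored. The constants follow upstream bzip2 and are assumptions relative to this page; `bitreader`, `get_bits`, `read_selectors`, `demo` and the group count of 6 are hypothetical names and values chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BZ_G_SIZE        50   /* as in upstream bzip2 (assumed, not on the page) */
#define BZ_MAX_SELECTORS (2 + (900000 / BZ_G_SIZE))   /* 18002 table slots */

typedef struct { const uint8_t *p; size_t nbits, pos; } bitreader;

/* Read n (<= 15) bits MSB-first; returns -1 when the input runs out. */
static int get_bits(bitreader *br, int n) {
    int v = 0;
    while (n-- > 0) {
        if (br->pos >= br->nbits) return -1;
        v = (v << 1) | ((br->p[br->pos >> 3] >> (7 - (br->pos & 7))) & 1);
        br->pos++;
    }
    return v;
}

/* Decode the selector table: a 15-bit count, then one unary-coded group
 * index per selector. Returns the count, or -1 for malformed input. */
int read_selectors(bitreader *br, int nGroups, uint8_t out[BZ_MAX_SELECTORS]) {
    int nSelectors = get_bits(br, 15);
    /* The field can encode up to 32767, but `out` has only 18002 slots. */
    if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) return -1;
    for (int i = 0; i < nSelectors; i++) {
        int j = 0, bit;
        while ((bit = get_bits(br, 1)) == 1)
            if (++j >= nGroups) return -1;   /* group index out of range */
        if (bit < 0) return -1;              /* truncated stream */
        out[i] = (uint8_t)j;
    }
    return nSelectors;
}

/* Constructed input: the given count, then all-zero selector bits. */
int demo(int count) {
    static uint8_t buf[4098], table[BZ_MAX_SELECTORS];
    memset(buf, 0, sizeof buf);
    buf[0] = (uint8_t)(count >> 7);            /* top 8 of the 15 bits */
    buf[1] = (uint8_t)((count & 0x7f) << 1);   /* low 7 bits */
    bitreader br = { buf, sizeof buf * 8, 0 };
    return read_selectors(&br, 6, table);
}

int main(void) {
    printf("%d %d %d\n", demo(18002), demo(18003), demo(32767));
    return 0;
}
```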

This update has been submitted for testing by orion. 3 months ago
This update's test gating status has been changed to 'waiting'. 3 months ago
This update's test gating status has been changed to 'ignored'. 3 months ago
This update has been pushed to testing. 3 months ago
mattvw commented & provided feedback 3 months ago

Works for me.

BZ#1744273 clamav-0.101.4 is available
Test Case ClamAV
liedekef commented & provided feedback 3 months ago

Works fine

This update can be pushed to stable now if the maintainer wishes 3 months ago
ortayus provided feedback 3 months ago
BZ#1744273 clamav-0.101.4 is available
This update has been submitted for stable by bodhi. 3 months ago
This update has been pushed to stable. 3 months ago


Metadata
Type: security
Severity: high
Karma: 3
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 14 days

Dates
submitted: 3 months ago
in testing: 3 months ago
in stable: 3 months ago