FEDORA-EPEL-2019-fabd190d13 created by mstevens 5 months ago for Fedora EPEL 8
stable

ClamAV 0.101.4 is a security patch release that addresses the following issues.

  • An out of bounds write was possible within ClamAV's NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900). The issue has been resolved by respecting that limit.

    Thanks to Martin Simmons for reporting the issue.

  • The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb mitigation was immediately identified. To remediate the zip-bomb scan time issue, a scan time limit has been introduced in 0.101.4. This limit now resolves ClamAV's vulnerability to CVE-2019-12625.

    The default scan time limit is 2 minutes (120000 milliseconds).

    To customize the time limit:

      - use the clamscan --max-scantime option
      - use the clamd MaxScanTime config option

    Libclamav users may customize the time limit using the cl_engine_set_num function. For example:

        cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds);

    Thanks to David Fifield for reviewing the zip-bomb mitigation in 0.101.3 and reporting the issue.
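
A check for the clamd setting described above, as an added example that is not part of the release notes or the ClamAV project: it reports which scan time limit a clamd.conf-style file puts into effect. It assumes the value is a plain integer in milliseconds and that 0 disables the limit, as the clamd.conf documentation describes; `audit_max_scantime`, `demo` and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example, not ClamAV project code. Reports the effective clamd
# scan time limit for a clamd.conf-style file.
DEFAULT_MS=120000   # default from the release notes: 2 minutes

# Prints "default <ms>", "set <ms>", "disabled", "invalid <value>" or
# "ambiguous"; returns 0 only when a non-zero limit is in effect.
audit_max_scantime() {
    conf=$1
    # Active lines only: a commented-out option starts with '#', so its
    # first field never equals the bare option name.
    count=$(awk '$1 == "MaxScanTime" { n++ } END { print n + 0 }' "$conf")
    value=$(awk '$1 == "MaxScanTime" { print $2; exit }' "$conf")
    if [ "$count" -eq 0 ]; then
        echo "default $DEFAULT_MS"; return 0
    fi
    if [ "$count" -gt 1 ]; then
        echo "ambiguous"; return 1      # set more than once: review by hand
    fi
    case $value in
        ''|*[!0-9]*) echo "invalid $value"; return 1 ;;
    esac
    if [ "$value" -eq 0 ]; then
        echo "disabled"; return 1       # assumption: 0 turns the limit off
    fi
    echo "set $value"
}

# Constructed sample configurations (not taken from a real host).
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'LogSyslog yes' '#MaxScanTime 0' > "$dir/unset.conf"
    printf '%s\n' 'LogSyslog yes' 'MaxScanTime 0' > "$dir/off.conf"
    printf '%s\n' 'MaxScanTime 60000' > "$dir/custom.conf"
    for f in unset off custom; do
        printf '%s: %s\n' "$f" "$(audit_max_scantime "$dir/$f.conf" || :)"
    done
    rm -rf "$dir"
}
demo
```

A non-zero exit status marks a configuration in which the 0.101.4 limit is switched off or cannot be determined from the file alone.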

This update has been submitted for testing by mstevens.

5 months ago

This update's test gating status has been changed to 'waiting'.

5 months ago

This update's test gating status has been changed to 'ignored'.

5 months ago

This update has been pushed to testing.

5 months ago

mattvw commented & provided feedback 5 months ago

Works for me.

Test Case ClamAV

liedekef commented & provided feedback 5 months ago

Works fine

This update can be pushed to stable now if the maintainer wishes

5 months ago

This update has been submitted for stable by mstevens.

4 months ago

This update has been pushed to stable.

4 months ago


Metadata
  Type: security
  Severity: high
  Karma: 2
  Signed
  Content Type: RPM
  Test Gating
Settings
  Unstable by Karma: -3
  Stable by Karma: 3
  Stable by Time: 14 days
Dates
  submitted: 5 months ago
  in testing: 5 months ago
  in stable: 4 months ago
