ClamAV: quick security build needed

Marius Schwarz <fedoradev@xxxxxxxxxxxx> · Wed, 13 May 2020 16:51:17 +0200



    Hi All, 

    
    this somehow went undetected, so i mail it here to speed things up:

    
    CLAMAV < 102.3 with DOS vulnerability on ARJ and PDF files.
    

https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html

    
      CVE-2020-3341: Fixed a
        vulnerability in the PDF-parsing module in ClamAV 0.101 -
        0.102.2 that could cause a denial-of-service condition. Improper
        size checking of a buffer used to initialize AES decryption
        routines results in an out-of-bounds read, which may cause a
        crash. OSS-Fuzz discovered this vulnerability.
      Fixed "Attempt to allocate 0 bytes" error when parsing some
        PDF documents.
      Fixed a couple of minor memory leaks.
    
    
    We need a build for 30-32 asap. Sending a message with malicouse
    file is all it takes to take out the daemon.

    
    related: BR#1834910

    
    best regards,

    Marius Schwarz

    
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx