On 5/13/20 8:51 AM, Marius Schwarz wrote:
Hi All, this somehow went undetected, so i mail it here to speed things up: CLAMAV < 102.3 with DOS vulnerability on ARJ and PDF files. https://blog.clamav.net/2020/05/clamav-01023-security-patch-released.html * CVE-2020-3341 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3341>: Fixed a vulnerability in the PDF-parsing module in ClamAV 0.101 - 0.102.2 that could cause a denial-of-service condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read, which may cause a crash. OSS-Fuzz discovered this vulnerability. * Fixed "Attempt to allocate 0 bytes" error when parsing some PDF documents. * Fixed a couple of minor memory leaks.We need a build for 30-32 asap. Sending a message with malicouse file is all it takes to take out the daemon.related: BR#1834910 best regards, Marius Schwarz
It was not undetected. People just have lives :) Updates submitted: https://bodhi.fedoraproject.org/updates/?packages=clamav -- Orion Poplawski Manager of NWRA Technical Systems 720-772-5637 NWRA, Boulder/CoRA Office FAX: 303-415-9702 3380 Mitchell Lane orion@xxxxxxxx Boulder, CO 80301 https://www.nwra.com/
<<attachment: smime.p7s>>
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
