From patchwork Fri Aug 23 16:49:04 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthias Fischer X-Patchwork-Id: 2372 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 7FC8682EF6 for ; Fri, 23 Aug 2019 17:49:12 +0100 (BST) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 46FS6H5hk3z5DgB7; Fri, 23 Aug 2019 17:49:11 +0100 (BST) Received: from Devel.localdomain (p4FF56DD1.dip0.t-ipconnect.de [79.245.109.209]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 46FS6D64V5z5DYHC for ; Fri, 23 Aug 2019 17:49:08 +0100 (BST) From: Matthias Fischer To: development@lists.ipfire.org Subject: [PATCH] clamav: Update to 0.101.4 Date: Fri, 23 Aug 2019 18:49:04 +0200 Message-Id: <20190823164904.24488-1-matthias.fischer@ipfire.org> X-Mailer: git-send-email 2.18.0 Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=mfischer smtp.mailfrom=matthias.fischer@ipfire.org X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" For details see: https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html "An out of bounds write was possible within ClamAV's NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900). The issue has been resolved by respecting that limit. Thanks to Martin Simmons for reporting the issue here. The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb mitigation was immediately identified. To remediate the zip-bomb scan time issue, a scan time limit has been introduced in 0.101.4. This limit now resolves ClamAV's vulnerability to CVE-2019-12625." Signed-off-by: Matthias Fischer --- lfs/clamav | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lfs/clamav b/lfs/clamav index d6f8164b7..aa7715763 100644 --- a/lfs/clamav +++ b/lfs/clamav @@ -24,7 +24,7 @@ include Config -VER = 0.101.3 +VER = 0.101.4 THISAPP = clamav-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = clamav -PAK_VER = 45 +PAK_VER = 46 DEPS = "" @@ -50,7 +50,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = 1981c5bd299c1f3cbf3f74095a00524c +$(DL_FILE)_MD5 = b6e6891035ce3e3f35830154bd280311 install : $(TARGET)