[clamav-users] ClamAV® blog: ClamAV 0.101.4 security patch release has been published

Joel Esler (jesler) jesler at cisco.com
Wed Aug 21 13:02:10 EDT 2019


> 
> https://blog.clamav.net/2019/08/clamav-01014-security-patch-release-has.html
> 
> ClamAV 0.101.4 security patch release has been published
> 
> Today we have published the ClamAV 0.101.4 security patch release.
> 
> 0.101.4
> 
> 
> ClamAV 0.101.4 is a security patch release that addresses the following issues.
> - An out of bounds write was possible within ClamAV's NSIS bzip2 library when attempting decompression in cases where the number of selectors exceeded the max limit set by the library (CVE-2019-12900). The issue has been resolved by respecting that limit.
> 
> Thanks to Martin Simmons for reporting the issue here <https://bugzilla.clamav.net/show_bug.cgi?id=12371>.
> - The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb mitigation was immediately identified. To remediate the zip-bomb scan time issue, a scan time limit has been introduced in 0.101.4. This limit now resolves ClamAV's vulnerability to CVE-2019-12625.
> 
> The default scan time limit is 2 minutes (120000 milliseconds).
> 
> To customize the time limit:
> - use the clamscan --max-scantime option
> - use the clamd MaxScanTime config option
> 
> Libclamav users may customize the time limit using the cl_engine_set_num function. For example:
> 
>     cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds);
> 
> Thanks to David Fifield for reviewing the zip-bomb mitigation in 0.101.3 and reporting the issue.
> As usual, ClamAV may be downloaded from https://www.clamav.net/downloads, and discussion should take place on the ClamAV-Users list <https://www.clamav.net/contact#ml>. Thanks!
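
The selector-count limit behind CVE-2019-12900, as an added example that is not part of the original announcement and is not ClamAV's or bzip2's code. It is a simplified model of the bzip2 selector header (3-bit group count, 15-bit selector count, unary-coded selectors); `BZ_G_SIZE` and `BZ_MAX_SELECTORS` are bzip2's constant names, while `bitreader`, `get_bits` and `read_selectors` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define BZ_G_SIZE        50
#define BZ_MAX_SELECTORS (2 + (900000 / BZ_G_SIZE)) /* 18002 table slots */
#define BZ_N_GROUPS      6

typedef struct { const uint8_t *buf; size_t len; size_t bitpos; } bitreader;

/* Read n bits MSB-first; returns -1 when the input is exhausted. */
static int32_t get_bits(bitreader *br, int n)
{
    int32_t v = 0;
    while (n-- > 0) {
        if (br->bitpos >= br->len * 8) return -1;
        int bit = (br->buf[br->bitpos >> 3] >> (7 - (br->bitpos & 7))) & 1;
        v = (v << 1) | bit;
        br->bitpos++;
    }
    return v;
}

/* Decode the selector list into out[]. Returns the number of selectors
 * stored, or -1 if the header or the data is malformed. */
int read_selectors(const uint8_t *buf, size_t len,
                   uint8_t out[BZ_MAX_SELECTORS])
{
    bitreader br = { buf, len, 0 };
    int32_t n_groups    = get_bits(&br, 3);
    int32_t n_selectors = get_bits(&br, 15);

    if (n_groups < 2 || n_groups > BZ_N_GROUPS) return -1;
    /* A 15-bit field can claim up to 32767 selectors, but the table only
     * has BZ_MAX_SELECTORS slots. Without the upper bound, the loop below
     * writes past the end of out[]. */
    if (n_selectors < 1 || n_selectors > BZ_MAX_SELECTORS) return -1;

    for (int32_t i = 0; i < n_selectors; i++) {
        int j = 0;                       /* unary code: count 1-bits */
        for (;;) {
            int32_t bit = get_bits(&br, 1);
            if (bit < 0) return -1;      /* truncated stream */
            if (bit == 0) break;
            if (++j >= n_groups) return -1;
        }
        out[i] = (uint8_t)j;
    }
    return (int)n_selectors;
}
```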