On Sat, Feb 14, 2015 at 03:37:44PM +0100, Luciano Bello wrote:
> Please, can you confirm if the binary packages are affected?

Yes, the code could be patched. In order to exploit it (or crash it) the attacker should have full control over the pattern. Now let's see:

- clamav-milter: the admin specifies whitelists, no remote
- phishcheck.c: static, no remote
- readdb.c: reads virus databases. .zmd, .rmd, .cdb databases can feed part of the file into the function in question. .wdb, .pdb as well (phishing db).
- sigtool.c: for manually creating signatures
- command line arguments :)

> Are stable and
> testing affected?

They are affected in terms that the patch can be applied. The only way this could be triggered by a non-admin is via a database update (according to my code grepping the last few minutes). And this means an entry (within the database) has to contain a regex-pattern and it should be at least 682 MiB in size. The public / default databases are edited by the clamav team so I doubt someone can sneak this in there.

All in all I would say not very applicable and no need for immediate action. If you or anyone else feels different please let me know.

I prepared this patch [0]. It is the one you pointed out applied on the clamav tree with minor changes to get it applied. I will however forward this report to clamav upstream including the patch since it is probably best to include it in future anyway.

[0] https://anonscm.debian.org/cgit/pkg-clamav/clamav.git/commit/?id=a2344cea2a22089ff0bac16c16e060ebb06425b0

> Cheers, luciano

Sebastian