Control: tags -1 + confirmed

On Sun, 2019-08-25 at 15:27 +0200, Sebastian Andrzej Siewior wrote:
> Clamav upstream released 0.101.4 which is a "security patch release"
> only. It is described [0] as:
>
> > - The zip bomb vulnerability mitigated in 0.101.3 has been assigned the CVE
> >   identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb
> >   mitigation was immediately identified. To remediate the zip-bomb scan time
> >   issue, a scan time limit has been introduced in 0.101.4. This limit now
> >   resolves ClamAV's vulnerability to CVE-2019-12625.
> >
> > - An out of bounds write was possible within ClamAV's NSIS bzip2 library when
> >   attempting decompression in cases where the number of selectors exceeded the
> >   max limit set by the library (CVE-2019-12900). The issue has been resolved by
> >   respecting that limit.

Please go ahead.

Regards,

Adam