Security update for clamav SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:2597-1 Final 1 1 2019-11-30T23:15:50Z current 2019-11-30T23:15:50Z 2019-11-30T23:15:50Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for clamav This update for clamav fixes the following issues: Security issue fixed: - CVE-2019-12625: Fixed a ZIP bomb issue by adding detection and heuristics for zips with overlapping files (bsc#1144504). - CVE-2019-12900: Fixed an out-of-bounds write in decompress.c with many selectors (bsc#1149458). Non-security issues fixed: - Added the --max-scantime clamscan option and MaxScanTime clamd configuration option (bsc#1144504). - Increased the startup timeout of clamd to 5 minutes to cater for the grown virus database as a workaround until clamd has learned to talk to systemd to extend the timeout as long as needed (bsc#1151839). This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2019-2597 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FTGJC4PRXW7J6W3FBYBCGEFTYIR4LIV6/#FTGJC4PRXW7J6W3FBYBCGEFTYIR4LIV6 E-Mail link for openSUSE-SU-2019:2597-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1144504 SUSE Bug 1144504 https://bugzilla.suse.com/1149458 SUSE Bug 1149458 https://bugzilla.suse.com/1151839 SUSE Bug 1151839 https://www.suse.com/security/cve/CVE-2019-12625/ SUSE CVE CVE-2019-12625 page https://www.suse.com/security/cve/CVE-2019-12900/ SUSE CVE CVE-2019-12900 page openSUSE Leap 15.0 clamav-0.100.3-lp150.2.13.1 clamav-devel-0.100.3-lp150.2.13.1 libclamav7-0.100.3-lp150.2.13.1 libclammspack0-0.100.3-lp150.2.13.1 clamav-0.100.3-lp150.2.13.1 as a component of openSUSE Leap 15.0 clamav-devel-0.100.3-lp150.2.13.1 as a component of openSUSE Leap 15.0 libclamav7-0.100.3-lp150.2.13.1 as a component of openSUSE Leap 15.0 libclammspack0-0.100.3-lp150.2.13.1 as a component of openSUSE Leap 15.0 ClamAV versions prior to 0.101.3 are susceptible to a zip bomb vulnerability where an unauthenticated attacker can cause a denial of service condition by sending crafted messages to an affected system. CVE-2019-12625 openSUSE Leap 15.0:clamav-0.100.3-lp150.2.13.1 openSUSE Leap 15.0:clamav-devel-0.100.3-lp150.2.13.1 openSUSE Leap 15.0:libclamav7-0.100.3-lp150.2.13.1 openSUSE Leap 15.0:libclammspack0-0.100.3-lp150.2.13.1 important 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FTGJC4PRXW7J6W3FBYBCGEFTYIR4LIV6/#FTGJC4PRXW7J6W3FBYBCGEFTYIR4LIV6 https://www.suse.com/security/cve/CVE-2019-12625.html CVE-2019-12625 https://bugzilla.suse.com/1144504 SUSE Bug 1144504 BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors. CVE-2019-12900 openSUSE Leap 15.0:clamav-0.100.3-lp150.2.13.1 openSUSE Leap 15.0:clamav-devel-0.100.3-lp150.2.13.1 openSUSE Leap 15.0:libclamav7-0.100.3-lp150.2.13.1 openSUSE Leap 15.0:libclammspack0-0.100.3-lp150.2.13.1 important 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/FTGJC4PRXW7J6W3FBYBCGEFTYIR4LIV6/#FTGJC4PRXW7J6W3FBYBCGEFTYIR4LIV6 https://www.suse.com/security/cve/CVE-2019-12900.html CVE-2019-12900 https://bugzilla.suse.com/1139083 SUSE Bug 1139083 https://bugzilla.suse.com/1141513 SUSE Bug 1141513 https://bugzilla.suse.com/1149458 SUSE Bug 1149458