The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of ClamAV: infinite loop via Better Zip Bomb Overlapping

Synthesis of the vulnerability 

An attacker can trigger an infinite loop in ClamAV via a Zip Bomb, in order to cause a denial of service (same origin as VIGILANCE-VUL-29701).
Vulnerable software: SNS, ClamAV, NETASQ.
Severity of this announcement: 3/4.
Creation date: 06/08/2019.
References of this computer vulnerability: 12356, CVE-2019-13232, STORM-2019-009, VIGILANCE-VUL-29947.

Description of the vulnerability 


This computer threat bulletin impacts software or systems such as SNS, ClamAV, NETASQ.

Our Vigil@nce team determined that the severity of this security threat is important.

The trust level is "confirmed by the editor", with a document as its origin.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level ability can exploit this computer vulnerability.

Solutions for this threat 

ClamAV: version 0.101.3.
Version 0.101.3 is fixed:
  http://www.clamav.net/downloads

Pivotal Cloud Foundry ClamAV Add-on: version 1.4.45.
Version 1.4.45 is fixed:
  https://pivotal.io/

Stormshield: solution for Better Zip Bomb Overlapping.
The solution is indicated in the information sources.

Wind River Linux: version 10.17.41.19.
Version 10.17.41.19 is fixed.
This bulletin fixes more than 100 vulnerabilities, but only the 100 most recent vulnerabilities were associated with this bulletin.

Wind River Linux: version 10.18.44.12.
Version 10.18.44.12 is fixed:
  https://support2.windriver.com/
