On 2008-09-17 16:34, Clayton Keller wrote:
> Roberto Ullfig wrote:
>> Paul Bijnens wrote:
>>> On 2008-09-05 17:11, SM wrote:
>>>
>>>> At 01:11 05-09-2008, Tilman Schmidt wrote:
>>>>
>>>>> But even a manual "yum update" finds nothing to update. I cannot
>>>>> imagine Redhat/CentOS neglecting to provide a patch for that
>>>>>
>>>> Why not? :-)
>>>>
>>>> The response was that "this issue can only result in a crash of the
>>>> bunzip2 process, which we do not consider to have any security impact."
>>>>
>>>>> vulnerability, so I am probably doing something wrong. But what?
>>>>>
>>>> You are not doing anything wrong. Get a newer version of bzip2.
>>>>
>>> I believe the situation is this:
>>>
>>> Apparently Redhat believes it is not a security bug:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=438118#c6
>>>
>>> The crashing of bzip2 itself is not a security bug. But clamav
>>> (which is NOT included in the package list by RedHat) uses bzip2
>>> to unpack an archive and assert no harmful content is inside.
>>> Clamav cannot verify such an archive in this case. This could be
>>> used by a virus maker to bypass the virus scanner on the mail server.
>>>
>>> There exist updated bzip2 packages for FC7 and FC8.
>>>
>>> When some Real Paying Customer for Redhat Enterprise logs a bug, and
>>> convinces them it *is* a security bug, then the machinery for
>>> backporting the fix will be started, I guess, resulting in a fixed
>>> bzip2 for the RHEL series (or is this wishful thinking?).
>>>
>> Rhetorical question: Why does it have to be a _security_ bug in order
>> for redhat to fix it?
>>
>
> I wanted to ask for those of you using CentOS and ClamAv-0.94 if you've
> had any issues with the bunzip2 process crashing, or experienced any issues
> with ClamAV on these systems running the earlier version of bunzip2?
A fixed bzip2 package was released on Sep 16. See comment nr 10:

https://bugzilla.redhat.com/show_bug.cgi?id=438118#c10
https://rhn.redhat.com/errata/RHSA-2008-0893.html

-- 
Paul Bijnens, xplanation Technology Services        Tel  +32 16 397.511
Technologielaan 21 bus 2, B-3001 Leuven, BELGIUM    Fax  +32 16 397.512
http://www.xplanation.com/          email:  [EMAIL PROTECTED]
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* F6, quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, *
* stop, end, F3, ~., ^]c, +++ ATH, disconnect, halt, abort, hangup,   *
* PF4, F20, ^X^X, :D::D, KJOB, F14-f-e, F8-e, kill -1 $$, shutdown,   *
* init 0, kill -9 1, Alt-F4, Ctrl-Alt-Del, AltGr-NumLock, Stop-A, ... *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *
***********************************************************************

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
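The bypass Paul describes in the quoted text works only if the scanner treats "the decompressor died" the same as "nothing found". The following is an added example, not code from this thread or from ClamAV or Red Hat: a small fail-closed scanning routine in which a decompression failure yields a distinct UNSCANNABLE verdict that the delivery policy refuses, instead of a CLEAN verdict. Python's bz2 module stands in for the external bunzip2 process; the signature table, the size limit and the sample payloads are constructed for the demonstration.

```python
"""Fail-closed handling of decompressor failures in a content scanner.

Added example (not from the thread, ClamAV or Red Hat). Python's bz2
module stands in for the bunzip2 process; signatures, limits and sample
data are constructed for the demo.
"""
import bz2
from enum import Enum
from typing import Tuple

# Constructed demo signature; a real scanner uses a signature database.
SIGNATURES = {
    b"DEMO-MALWARE-MARKER": "Demo.Marker.Test",
}

# Constructed guard against decompression bombs: refuse oversize output.
MAX_OUTPUT = 10 * 1024 * 1024


class Verdict(Enum):
    CLEAN = "clean"
    DETECTED = "detected"
    UNSCANNABLE = "unscannable"  # decompressor failed: never treat as clean


def decompress_member(data: bytes, limit: int = MAX_OUTPUT) -> bytes:
    """Decompress one bz2 stream; raise on decoder error, truncation or oversize."""
    dec = bz2.BZ2Decompressor()
    # Ask for at most limit+1 bytes so an oversize stream is detected without
    # materialising the whole output.
    out = dec.decompress(data, max_length=limit + 1)
    if len(out) > limit:
        raise ValueError("decompressed output exceeds limit")
    if not dec.eof:
        raise ValueError("truncated or incomplete bz2 stream")
    return out


def scan_bz2(data: bytes, limit: int = MAX_OUTPUT) -> Tuple[Verdict, str]:
    """Scan a bz2 archive; decompression failure is reported, not swallowed."""
    try:
        payload = decompress_member(data, limit)
    except (OSError, EOFError, ValueError) as exc:
        # A fail-open scanner would fall through to CLEAN here. This is the
        # gap the thread is about: a crashed bunzip2 must not mean "no virus".
        return Verdict.UNSCANNABLE, f"decompression failed: {exc}"
    for sig, name in SIGNATURES.items():
        if sig in payload:
            return Verdict.DETECTED, name
    return Verdict.CLEAN, ""


def deliver(verdict: Verdict) -> bool:
    """Mail-gateway policy: only a positive CLEAN verdict allows delivery."""
    return verdict is Verdict.CLEAN


if __name__ == "__main__":
    good = bz2.compress(b"quarterly report, nothing to see here")
    bad = bz2.compress(b"attachment with DEMO-MALWARE-MARKER inside")
    corrupt = b"BZh9" + b"\xff" * 40            # bad block header
    truncated = good[:-5]                        # stream cut short
    for label, blob in [("good", good), ("bad", bad),
                        ("corrupt", corrupt), ("truncated", truncated)]:
        verdict, detail = scan_bz2(blob)
        print(f"{label:9s} -> {verdict.value:12s} deliver={deliver(verdict)} {detail}")
```

The point of the separate verdict is that it can also be alerted on: a mail server that suddenly sees many UNSCANNABLE archives from one sender has a useful detection signal, whereas a scanner that maps decoder crashes to CLEAN has none.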
