On Wed, 3 Dec 2008 10:48:54 -0800 Michael Tautschnig <[EMAIL PROTECTED]> wrote:
>> * Scott Kitterman:
>>
>> > On Wed, 03 Dec 2008 12:39:59 +0100 Florian Weimer <[EMAIL PROTECTED]> wrote:
>> >
>> >> Your patch looks fine. Is there a CVE yet?
>> >
>> > As of two days ago when I put the Ubuntu change together there was not.
>>
>> Oh well. At least for the other bug, there's a CVE (CVE-2008-5050).
>>
>> What about CVE-2008-1389?
>>
>
> I've looked at the corresponding patch and the code to-be-patched. It seems like
> the version in etch(-security) is not affected, because it does not keep going
> if part of the parsing fails (which some versions in between apparently did).

In 0.90 there is a configurable recursion limit, so that's not surprising. The default setting is sane. Users could, however, shoot themselves in the foot. While I wouldn't do an update just for this, it seems reasonable to me to include the fix in with the others.

Scott K

_______________________________________________
Pkg-clamav-devel mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/pkg-clamav-devel
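The two behaviours discussed in this thread, a parser that stops as soon as part of the input fails to parse, and a configurable recursion limit whose default is safe but which a user can raise far enough to hurt themselves, are illustrated below with a toy nested-container format. This is an added example, not ClamAV code and not the patch under discussion; the container encoding, the `parse`/`nest` helpers and the default limit of 8 are all constructed for the illustration and say nothing about ClamAV's actual format or defaults.

```python
# Added example: depth-bounded parsing of a constructed nested-container format.
# The format (tag byte, count byte, 2-byte length-prefixed members) is invented
# here; it is not ClamAV's and the default limit below is this example's own choice.

DEFAULT_MAX_RECURSION = 8  # example's "sane default", not a ClamAV value


class RecursionLimitExceeded(Exception):
    """Raised when nesting goes deeper than the configured limit."""


class ParseError(Exception):
    """Raised on malformed or truncated input; parsing stops here, it does not continue."""


def pack_leaf(payload: bytes) -> bytes:
    """A leaf member: tag 'L' followed by an opaque payload."""
    return b"L" + payload


def pack_container(members) -> bytes:
    """A container member: tag 'C', a 1-byte member count, then length-prefixed members."""
    out = bytearray(b"C") + bytes([len(members)])
    for m in members:
        out += len(m).to_bytes(2, "big") + m
    return bytes(out)


def nest(levels: int, payload: bytes = b"x") -> bytes:
    """Wrap a single leaf in `levels` containers; the leaf ends up at depth `levels`."""
    data = pack_leaf(payload)
    for _ in range(levels):
        data = pack_container([data])
    return data


def parse(data: bytes, max_recursion: int = DEFAULT_MAX_RECURSION, depth: int = 0):
    """Walk a container tree. Returns (deepest depth reached, number of leaves).

    Two safety properties:
      * nesting deeper than `max_recursion` aborts with RecursionLimitExceeded,
        so attacker-controlled nesting cannot drive unbounded recursion;
      * any malformed member aborts the whole parse with ParseError instead of
        skipping it and carrying on with a confused offset.
    """
    if depth > max_recursion:
        raise RecursionLimitExceeded(f"nesting deeper than {max_recursion} levels")
    if not data:
        raise ParseError("empty member")
    tag = data[0:1]
    if tag == b"L":
        return depth, 1
    if tag != b"C" or len(data) < 2:
        raise ParseError("unknown member type or missing count")
    count = data[1]
    pos = 2
    deepest, leaves = depth, 0
    for _ in range(count):
        if pos + 2 > len(data):
            raise ParseError("truncated length field")
        n = int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        member = data[pos:pos + n]
        if len(member) != n:
            raise ParseError("truncated member")
        pos += n
        d, l = parse(member, max_recursion, depth + 1)
        deepest = max(deepest, d)
        leaves += l
    return deepest, leaves


if __name__ == "__main__":
    print(parse(nest(3)))                      # (3, 1): within the default limit
    try:
        parse(nest(DEFAULT_MAX_RECURSION + 1))  # one level too deep for the default
    except RecursionLimitExceeded as e:
        print("refused:", e)
    print(parse(nest(50), max_recursion=100))  # raising the limit lets it through
```

With the default limit, input nested one level deeper than allowed is refused before any work is done at that depth; passing a much larger `max_recursion` is exactly the foot-shooting the message warns about, since the parser will then happily recurse as deep as the input asks. A truncated member stops the whole parse rather than being skipped, which is the etch behaviour described in the quoted reply.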
