On 3/29/11 11:39 AM, "Tomasz Kojm" <tk...@clamav.net> wrote:
> On Tue, 29 Mar 2011 10:06:09 -0700 Al Varnell <alvarn...@mac.com> wrote: > >> I know clamav (freshclam) needs bzip2 to decompressing signature database >> .cvd files. The scanners undoubtedly use it to decompress .bz2 files they >> encounter. If any of these files are malformed to trigger the security bug, >> then they could potentially be a problem, but I have no idea how common such >> files are. > > > bzip2 is optional, the .cvd files are compressed using zlib. > Evidently I was misinformed. So from that I gather the only impact of having a bugged bzip2 with regard to clamav is the possibility of scanning a malformed .bz2 file that would trigger integer overflow, causing a denial of service (application crash) or possibly execute arbitrary code. And if omitted entirely from the OS clamav would be unable to scan any bzip2 compressed files. -Al- -- Al Varnell Mountain View, CA _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
