CVE-2019-15961

NameCVE-2019-15961
DescriptionA vulnerability in the email parsing module Clam AntiVirus (ClamAV) Software versions 0.102.0, 0.101.4 and prior could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. The vulnerability is due to inefficient MIME parsing routines that result in extremely long scan times of specially formatted email files. An attacker could exploit this vulnerability by sending a crafted email file to an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to scan the crafted email file indefinitely, resulting in a denial of service condition.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-2108-1
NVD severityhigh
Debian Bugs945265

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
clamav (PTS)stretch0.102.1+dfsg-0+deb9u2fixed
buster0.102.2+dfsg-0+deb10u1fixed
bullseye, sid0.102.3+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
clamavsource(unstable)0.102.1+dfsg-1945265
clamavsourcebuster0.102.1+dfsg-0+deb10u1
clamavsourcejessie0.101.5+dfsg-0+deb8u1DLA-2108-1
clamavsourcestretch0.102.1+dfsg-0+deb9u2

Notes

https://blog.clamav.net/2019/11/clamav-01021-and-01015-patches-have.html

Search for package or bug name: Reporting problems