2232508 – (CVE-2023-20197) CVE-2023-20197 fedora: ClamAV File Scanning Infinite Loop Denial of Service Vulnerability

Bug 2232508 (CVE-2023-20197) - CVE-2023-20197 fedora: ClamAV File Scanning Infinite Loop Denial of Service Vulnerability

Summary: CVE-2023-20197 fedora: ClamAV File Scanning Infinite Loop Denial of Service V...

Keywords:
Status:	CLOSED UPSTREAM
Alias:	CVE-2023-20197
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2232509 2232510
Blocks:
TreeView+	depends on / blocked

Reported:	2023-08-17 07:52 UTC by Rohit Keshri
Modified:	2023-08-17 11:58 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.
Clone Of:
Environment:
Last Closed:	2023-08-17 11:58:10 UTC
Embargoed:

Attachments	(Terms of Use)

Description Rohit Keshri 2023-08-17 07:52:24 UTC

A vulnerability in the filesystem image parser for Hierarchical File System Plus (HFS+) of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

 This vulnerability is due to an incorrect check for completion when a file is decompressed, which may result in a loop condition that could cause the affected software to stop responding. An attacker could exploit this vulnerability by submitting a crafted HFS+ filesystem image to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to stop responding, resulting in a DoS condition on the affected software and consuming available system resources.

 For a description of this vulnerability, see the ClamAV blog .

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-rNwNEEee

Comment 1 Rohit Keshri 2023-08-17 07:53:45 UTC

Created clamav tracking bugs for this issue:

Affects: epel-all [bug 2232510]
Affects: fedora-all [bug 2232509]

Comment 2 Product Security DevOps Team 2023-08-17 11:58:08 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Note You need to log in before you can comment on or make changes to this bug.