List: snort-sigs
Subject: Re: [Snort-sigs] Possible FP 17390
From: Joel Esler <jesler () sourcefire ! com>
Date: 2011-09-20 22:13:48
Message-ID: 45793F7E-093D-4A4E-BFF8-886045466696 () sourcefire ! com
Nope. It shows the power of the open source community. We wish more people would report this kind of thing.
We have a special link just for it: http://www.snort.org/uploads
Joel
On Sep 20, 2011, at 5:45 PM, Lay, James wrote:
>
>> -----Original Message-----
>> From: Joel Esler [mailto:jesler@sourcefire.com]
>> Sent: Tuesday, September 20, 2011 3:30 PM
>> To: rmkml
>> Cc: Lay, James; snort-sigs@lists.sourceforge.net
>> Subject: Re: [Snort-sigs] Possible FP 17390
>>
>> Rmkml,
>>
>> Actually none of the above.
>>
>> The vulnerability has to do with two particular ResourceID's that could be
>> present in an APP13 section of a jpeg. This will cause ClamAV 94.2 and
>> prior to go into infinite recursion when trying to process a jpeg thumbnail.
>> Eventually clamd will shut down, thusly, a DoS.
>>
>> James --
>>
>> After looking at the pcap you sent me offlist, the pcap DOES contain a
>> vulnerable jpeg that would DoS an older version of ClamAV. (read: This
>> isn't a false positive)
>>
>> If you don't have ClamAV on the network (or it's >94.2) you can shut the
>> rule off. Otherwise... :)
>>
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>
>
> Awesome...thanks for checking on this...hope it wasn't a waste of time for
> all.
>
> James
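
The quoted explanation describes recursion through JPEG thumbnails reached via APP13 resources. As an added illustration (not code from this thread, Snort or ClamAV), the Python below walks APP13 Photoshop 8BIM resources and measures thumbnail nesting with an explicit depth cap instead of unbounded recursion. It assumes the two resource IDs are the Photoshop thumbnail resources 0x0409 and 0x040C, which the message does not name; `MAX_DEPTH` and the sample bytes are constructed for the example.

```python
import struct

THUMB_IDS = {0x0409, 0x040C}  # assumption: Photoshop thumbnail resource IDs
MAX_DEPTH = 8                 # hypothetical cap chosen for this example

def app13_payloads(jpeg):
    """Yield each APP13 (0xFFED) payload found before start-of-scan."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xDA or length < 2:   # image data or corrupt length: stop
            return
        if marker == 0xED:
            yield jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def thumbnails(payload):
    """Yield the embedded JPEG of every thumbnail resource in one payload."""
    pos = payload.find(b"8BIM")
    while pos >= 0 and payload[pos:pos + 4] == b"8BIM" and pos + 12 <= len(payload):
        rid = struct.unpack(">H", payload[pos + 4:pos + 6])[0]
        pos += 6 + ((payload[pos + 6] + 2) & ~1)   # Pascal name, even-padded
        if pos + 4 > len(payload):
            return
        size = struct.unpack(">I", payload[pos:pos + 4])[0]
        if rid in THUMB_IDS:
            yield payload[pos + 4:pos + 4 + size][28:]  # skip 28-byte header
        pos += 4 + size + (size & 1)               # data is even-padded too

def thumbnail_depth(jpeg, max_depth=MAX_DEPTH):
    """Deepest thumbnail nesting seen; parsing stops at max_depth."""
    deepest, stack = 0, [(jpeg, 0)]
    while stack:                                   # explicit stack, no recursion
        data, depth = stack.pop()
        deepest = max(deepest, depth)
        if depth >= max_depth:
            continue                               # refuse to descend further
        for payload in app13_payloads(data):
            stack.extend((t, depth + 1) for t in thumbnails(payload))
    return deepest

# Constructed sample (not the pcap from the thread): APP13 with one 0x040C
# thumbnail resource wrapping a bare inner JPEG (SOI + EOI).
INNER = b"\xff\xd8\xff\xd9"
RES = b"8BIM\x04\x0c\x00\x00" + struct.pack(">I", 28 + len(INNER)) + bytes(28) + INNER
PAYLOAD = b"Photoshop 3.0\x00" + RES
SAMPLE = b"\xff\xd8\xff\xed" + struct.pack(">H", 2 + len(PAYLOAD)) + PAYLOAD + b"\xff\xd9"
```

A file that reports a depth equal to the cap is one a scanner should stop descending into and flag, rather than keep parsing.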