
List:       snort-sigs
Subject:    Re: [Snort-sigs] Possible FP 17390
From:       Joel Esler <jesler () sourcefire ! com>
Date:       2011-09-20 22:13:48
Message-ID: 45793F7E-093D-4A4E-BFF8-886045466696 () sourcefire ! com

Nope.  It shows the power of the open source community.  We wish more people would report this kind of thing.


We have a special link just for it:  http://www.snort.org/uploads

Joel

On Sep 20, 2011, at 5:45 PM, Lay, James wrote:

> 
>> -----Original Message-----
>> From: Joel Esler [mailto:jesler@sourcefire.com]
>> Sent: Tuesday, September 20, 2011 3:30 PM
>> To: rmkml
>> Cc: Lay, James; snort-sigs@lists.sourceforge.net
>> Subject: Re: [Snort-sigs] Possible FP 17390
>> 
>> Rmkml,
>> 
>> Actually none of the above.
>> 
>> The vulnerability has to do with two particular ResourceID's that could be
>> present in an APP13 section of a jpeg.  This will cause ClamAV 94.2 and
>> prior to go into infinite recursion when trying to process a jpeg thumbnail.
>> Eventually clamd will shut down, thusly, a DoS.
>> 
>> James --
>> 
>> After looking at the pcap you sent me offlist, the pcap DOES contain a
>> vulnerable jpeg that would DoS an older version of ClamAV.  (read: This
>> isn't a false positive)
>> 
>> If you don't have ClamAV on the network (or it's >94.2) you can shut the
>> rule off.  Otherwise... :)
>> 
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
> 
> 
> Awesome...thanks for checking on this...hope it wasn't a waste of time for
> all.
> 
> James
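
Added example, not part of the original thread and not Snort or ClamAV code: a bounded walker over the APP13 resource blocks discussed above, showing how a parser can follow embedded thumbnails without unbounded recursion. The thread does not name the two ResourceIDs; this sketch assumes the Photoshop thumbnail resource IDs 0x0409 and 0x040C, and MAX_DEPTH, the function names and the sample bytes are hypothetical.

```python
import struct

THUMBNAIL_IDS = {0x0409, 0x040C}  # assumption: Photoshop thumbnail resource IDs
MAX_DEPTH = 2                     # hypothetical limit on thumbnail nesting

def app13_payloads(jpeg):
    """Yield the body of every APP13 (0xFFED) segment ahead of the scan data."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2:            # malformed length: stop instead of re-reading
            return
        if jpeg[pos + 1] == 0xED:
            yield jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length

def resources(body):
    """Yield (resource_id, data) for each 8BIM block in a Photoshop APP13 body."""
    sig = b"Photoshop 3.0\x00"
    pos = len(sig) if body.startswith(sig) else len(body)
    while body[pos:pos + 4] == b"8BIM" and pos + 7 <= len(body):
        (rid,) = struct.unpack(">H", body[pos + 4:pos + 6])
        pos += 6 + ((body[pos + 6] + 2) & ~1)   # Pascal name, padded to even
        if pos + 4 > len(body):
            return
        (size,) = struct.unpack(">I", body[pos:pos + 4])
        yield rid, body[pos + 4:pos + 4 + size]
        pos += 4 + size + (size & 1)            # data is padded to even too

def scan(jpeg, depth=0):
    """Return [(depth, resource_id)]; refuse thumbnails nested past MAX_DEPTH."""
    if depth > MAX_DEPTH:
        raise ValueError("thumbnail nesting exceeds MAX_DEPTH")
    found = []
    for body in app13_payloads(jpeg):
        for rid, data in resources(body):
            found.append((depth, rid))
            if rid in THUMBNAIL_IDS:            # 28-byte header, then a JPEG
                found += scan(data[28:], depth + 1)
    return found

# Constructed sample builders (not real captures).
def segment(marker, body):
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body
def irb(rid, data):               # empty name; data padded to even length
    return b"8BIM" + struct.pack(">HHI", rid, 0, len(data)) + data + b"\x00" * (len(data) & 1)
def jpeg_with(blocks):
    return b"\xff\xd8" + segment(0xED, b"Photoshop 3.0\x00" + blocks) + b"\xff\xd9"

SAMPLE = jpeg_with(irb(0x040C, bytes(28) + jpeg_with(irb(0x0404, b"IPTC"))))
```

scan(SAMPLE) lists the thumbnail resource at depth 0 and the resource inside the embedded JPEG at depth 1; input nested deeper than MAX_DEPTH raises instead of recursing further.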

