ClamAV 0.101.4 free antivirus package update with vulnerabilities fixed

ClamAV 0.101.4, a new release of the free antivirus package, has been published. It fixes a vulnerability (CVE-2019-12900) in the bzip2 archive decompressor implementation that can lead to overwriting memory outside the allocated buffer when processing too many selectors.

The new version also blocks a workaround for creating a non-recursive "zip bomb", protection against which was introduced in the previous release. The protection added earlier focused on limiting resource consumption, but did not account for "zip bombs" that manipulate how long a file takes to process. The time to scan a file is now limited to two minutes. To change this limit, the "clamscan --max-scantime" option and the MaxScanTime directive for the clamd configuration file are provided.
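
A way to check that a deployed clamd configuration has not switched off or loosened the scan time limit described above. This is an added example, not part of the original article or of ClamAV. It assumes, per ClamAV's clamd.conf documentation, that MaxScanTime is given in milliseconds and that 0 disables the limit; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the MaxScanTime directive in a clamd configuration file.
# Assumptions from ClamAV's clamd.conf documentation, not from this page:
# the value is in milliseconds and 0 disables the limit.

DEFAULT_MS=120000   # two minutes, the limit the article describes

# Print the MaxScanTime value (ms) that applies to the config file in $1.
# Commented-out lines are skipped because their first field starts with '#'.
# If the directive is repeated, this script reports the last one (a choice
# made here, not documented clamd behaviour).
effective_max_scantime() {
    value=$(awk '$1 == "MaxScanTime" { v = $2; found = 1 }
                 END { if (found) print (v == "" ? "missing" : v) }' "$1")
    if [ -z "$value" ]; then
        echo "$DEFAULT_MS"      # directive absent: the default applies
    else
        echo "$value"
    fi
}

# Classify the setting: OK (at or below the default), RAISED (above it),
# DISABLED (0) or INVALID (not a plain number). Non-zero exit means "review".
audit_max_scantime() {
    ms=$(effective_max_scantime "$1")
    case "$ms" in
        ''|*[!0-9]*) echo "INVALID"; return 2 ;;
    esac
    if [ "$ms" -eq 0 ]; then
        echo "DISABLED"; return 1
    elif [ "$ms" -gt "$DEFAULT_MS" ]; then
        echo "RAISED ${ms}ms"; return 1
    else
        echo "OK ${ms}ms"; return 0
    fi
}

# Constructed sample configuration for a stand-alone run.
sample=$(mktemp)
printf '%s\n' '# MaxScanTime 60000' 'LogTime yes' 'MaxScanTime 0' > "$sample"
audit_max_scantime "$sample" || true    # prints: DISABLED
rm -f "$sample"
```
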

Source: opennet.ru
