Re: Possible FP 17390

["Lay, James" <james.lay () wincofoods com>]

> -----Original Message-----
> From: Joel Esler [mailto:jesler () sourcefire com]
> Sent: Tuesday, September 20, 2011 3:30 PM
> To: rmkml
> Cc: Lay, James; snort-sigs () lists sourceforge net
> Subject: Re: [Snort-sigs] Possible FP 17390
>
> Rmkml,
>
> Actually none of the above.
>
> The vulnerability has to do with two particular ResourceID's that
could be
> present in an APP13 section of a jpeg.  This will cause ClamAV 94.2
and
> prior to go into infinite recursion when trying to process a jpeg
thumbnail.
> Eventually clamd will shutdown, thusly, a DoS.
>
> James --
>
> After looking at the pcap you sent me offlist, the pcap DOES contain a
> vulnerable jpeg that would DoS an older version of ClamAV.  (read:
This
> isn't a false positive)
>
> If you don't have ClamAV on the network (or it's >94.2) you can shut
the
> rule off.  Otherwise... :)
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire


Awesome...thanks for checking on this...hope it wasn't waste of time for
all.

James

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure contains a
definitive record of customers, application performance, security
threats, fraudulent activity and more. Splunk takes this data and makes
sense of it. Business sense. IT sense. Common sense.
http://p.sf.net/sfu/splunk-d2dcopy1
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!