I have found the source of the issue I reported to clamav-users last week (originally with a subject of "Input/Output error with .zip file under 0.84"), with the help of a pointer from Andrey Melnikoff.

The issue is: If an unencrypted .zip file over 32KB in size is compressed using the PKZIP "deflate64" algorithm (zip method 9), ClamAV's built-in unzip mechanism can't handle it because it doesn't really support deflate64, even though line 196 of zzip-file.c has code that checks for this method and thinks it is supported.

Version 0.85 of ClamAV returns the following output for such a file:

  $ ./clamscan eicardeflate64.zip
  eicardeflate64.zip: Zip module failure
  eicardeflate64.zip: OK

  ----------- SCAN SUMMARY -----------
  Known viruses: 34257
  Engine version: 0.85
  Scanned directories: 0
  Scanned files: 1
  Infected files: 0
  Data scanned: 0.00 MB
  Time: 0.481 sec (0 m 0 s)

(If you're trying this yourself, use --debug for more technical info; it shows the nature of the decompression failure in detail.)

This may well be harmless if clients detect the failure, but I wonder if the fact that ClamAV returns both "Zip module failure" and "OK" could potentially confuse some clients into thinking the file is clean when it isn't. I have no evidence to suggest that that is (or isn't) the case, but if so, that could be a problem, since all popular unzip clients can decompress such a file with no trouble.

If anyone is interested, the file I used for testing (which is the EICAR test file appended with 70 KB or so of random data to ensure it's big enough to trigger the decompression failure) is available at:

  http://www.tigertech.net/eicardeflate64.zip

Or you can create your own such files with a trial version of PKZIP with the compression level set to "custom" and the method set to "deflate64"; just make sure the files are greater than 32 KB in size (otherwise zzip will decompress them successfully).

I'm not quite sure what the "solution" to this is (or if one is even needed), but if nothing else, zzip-file.c should probably be changed to not think it can decompress zip method 9 files, because it doesn't seem like it can if they're bigger than 32 KB.

--
Robert L Mathews, Tiger Technologies         http://www.tigertech.net/
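A defender-side check for the situation described in the message, added here as an example that is not part of the original post or of ClamAV's own code: it walks a zip's central directory, reports each entry's compression method, and flags deflate64 (method 9) entries over the 32 KB size the message identifies, so such an archive can be routed to a tool that does support the method instead of being accepted on the strength of an "OK" line. The in-memory sample archive, its entry names and the `build_zip` helper are constructed for the demonstration (the method-9 entry carries placeholder bytes, not a real deflate64 stream).

```python
import struct
import zlib

# ZIP compression method ids from PKWARE's APPNOTE; 9 is Deflate64 ("enhanced deflate").
METHOD_STORED, METHOD_DEFLATE64 = 0, 9
SIZE_THRESHOLD = 32 * 1024  # the message reports zzip failing only above 32 KB

def zip_entries(data):
    """Walk the central directory; return (name, method, uncompressed_size) per entry."""
    eocd = data.rfind(b"PK\x05\x06")  # end-of-central-directory signature
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    entries, pos = [], cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != b"PK\x01\x02":  # central directory header signature
            raise ValueError("corrupt central directory header")
        (method,) = struct.unpack_from("<H", data, pos + 10)
        usize, nlen, xlen, clen = struct.unpack_from("<IHHH", data, pos + 24)
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        entries.append((name, method, usize))
        pos += 46 + nlen + xlen + clen
    return entries

def unscannable_entries(data):
    """Entries matching the reported failure mode: deflate64 and larger than 32 KB."""
    return [n for n, m, s in zip_entries(data)
            if m == METHOD_DEFLATE64 and s > SIZE_THRESHOLD]

def build_zip(files):
    """Minimal writer for the demo: files = [(name, method, uncompressed_size, payload)].
    Payload bytes go in verbatim, so a method-9 entry here is a constructed placeholder."""
    local, central = b"", b""
    for name, method, usize, payload in files:
        nb, crc, off = name.encode(), zlib.crc32(payload), len(local)
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, method, 0, 0,
                             crc, len(payload), usize, len(nb), 0) + nb + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0, method,
                               0, 0, crc, len(payload), usize, len(nb),
                               0, 0, 0, 0, 0, off) + nb
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(files), len(files),
                       len(central), len(local), 0)
    return local + central + eocd

# Constructed sample: a small stored entry plus a 70 KB entry marked as method 9.
SAMPLE = build_zip([
    ("readme.txt", METHOD_STORED, 12, b"hello, world"),
    ("eicar.com", METHOD_DEFLATE64, 70 * 1024, b"\x00" * 64),
])
```

Running `unscannable_entries` on a real archive that produced "Zip module failure" tells you whether the failure is the deflate64 case from this message or something else.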
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html