On Mon, 29 Jan 2007 19:15:10 +0100 Torsten Nitschke <[EMAIL PROTECTED]> wrote:
> Hi,
>
> when looking for the bug which still exists in 0.88.7 as of Hendrik
> Weimer - see http://www.quantenblog.net/security/virus-scanner-bypass
> I was able to reproduce that thing (a virus can pass uncaught) but
> wondered how to fix it.
>
> There are two reasons a virus can tunnel through ClamAV:
> a) parseEmailBody reports "success" instead of "failure" when it
>    reaches the maximum recursion level
> b) cli_magic_scandesc turns any format error it detects (CL_EFORMAT)
>    into CL_CLEAN.
>
> Unfortunately b) is a general rule applied for any format supported by
> cli_magic_scandesc. Thus I do not think that b) is a fine security
> policy: it lets pass what cannot be understood. Thus an attacker
> just needs to find an error in ClamAV's understanding of a packer's
> format and the virus can tunnel through.
>
> Because it is a deep cut to change b) I ask:
> What do you think about the attached patch? (I diffed it against plain
> 0.88.7.)

http://cvsweb.clamav.net/bin/cgi/viewvc.cgi/clamav-devel/libclamav/mbox.c?revision=1.372&view=markup

> Probably b) has been coded with full intent. Have I missed anything?

b) is a completely different story

-- 
   oo    .....                  Tomasz Kojm <[EMAIL PROTECTED]>
  (\/)\.........                http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._              0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\                 Mon Jan 29 19:37:47 CET 2007

_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
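The following is an added illustration of the two fail-open paths Torsten describes (recursion limit reported as success, and format errors mapped to "clean") side by side with a fail-closed policy. It is not ClamAV code and not code from either poster: the bracket-based "container" format, the SCAN_* result codes (named after the CL_* codes in the thread but with made-up values), the MAX_REC limit and the sample inputs are all constructed for the demo.

```c
/* Toy recursive container scanner, constructed for this example.
 * NOT ClamAV code: format, result codes and limits are invented here. */
#include <stdio.h>

/* Result codes modelled on the CL_* names in the thread; values arbitrary. */
enum scan_result { SCAN_CLEAN = 0, SCAN_VIRUS = 1, SCAN_EFORMAT = 2, SCAN_EMAXREC = 3 };

/* Assumed maximum nesting depth (stands in for the mail recursion limit). */
#define MAX_REC 4

/* Constructed "container" format: '[' opens a nested layer, ']' closes it,
 * 'X' is the pretend virus signature, any other byte is harmless payload.
 * EOF inside a layer or a stray ']' at top level is a format error. */
static enum scan_result scan_layer(const char **p, int depth)
{
    if (depth > MAX_REC)
        return SCAN_EMAXREC;          /* recursion limit hit: NOT "success" */
    while (**p) {
        char c = *(*p)++;
        if (c == 'X')
            return SCAN_VIRUS;
        if (c == ']')
            return depth > 0 ? SCAN_CLEAN : SCAN_EFORMAT;
        if (c == '[') {
            enum scan_result r = scan_layer(p, depth + 1);
            if (r != SCAN_CLEAN)
                return r;             /* propagate virus/format/recursion results */
        }
    }
    return depth == 0 ? SCAN_CLEAN : SCAN_EFORMAT;  /* EOF inside an open layer */
}

/* Fail-open policy, as criticised in the thread: anything that is not a
 * confirmed virus hit (format errors, recursion limit) is reported clean.
 * An attacker only needs to nest deeper than MAX_REC or trip a parse error. */
enum scan_result scan_fail_open(const char *data)
{
    const char *p = data;
    enum scan_result r = scan_layer(&p, 0);
    return r == SCAN_VIRUS ? SCAN_VIRUS : SCAN_CLEAN;
}

/* Fail-closed policy: only a fully parsed, signature-free object is clean;
 * EFORMAT and EMAXREC are passed up so the caller can block or quarantine. */
enum scan_result scan_fail_closed(const char *data)
{
    const char *p = data;
    return scan_layer(&p, 0);
}

static const char *name(enum scan_result r)
{
    static const char *names[] = { "CLEAN", "VIRUS", "EFORMAT", "EMAXREC" };
    return names[r];
}

int main(void)
{
    /* Constructed samples: plain virus, virus hidden below the recursion
     * limit, and a truncated container (format error). */
    const char *samples[] = { "[X]", "[[[[[[X]]]]]]", "[abc", "[a]b" };
    for (int i = 0; i < 4; i++)
        printf("%-16s fail-open=%-8s fail-closed=%s\n", samples[i],
               name(scan_fail_open(samples[i])), name(scan_fail_closed(samples[i])));
    return 0;
}
```

With the fail-open mapping, the sample nested one level deeper than MAX_REC and the truncated container both come back CLEAN even though the scanner never actually finished looking at them; the fail-closed variant returns EMAXREC and EFORMAT respectively, which is the distinction the thread is about.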