Chris wrote:
> Saw this link at SANS today, anything to it?
> http://seclists.org/fulldisclosure/2007/Dec/0625.html
> Or is this a rehash of something already known about?
I'm not a clam developer, but here's my view about them:
It lists three "vulnerabilities"
1- cli_gentempfd is vulnerable to a race condition attack.
It's a bug. O_EXCL needs to be added to libclamav/others.c line 847. Not
fixed yet on trunk.
Attacker needs a local account.
I'm attaching a patch for it, so you can patch and rebuild your version.
2- ClamAV fails to properly check for base64-UUEncoded files, allowing
bypassing of the scanner through the use of such files.
Not really a bug. Having ClamAV check those files would be an *enhancement*.
3- Sigtool utility overwrites files when utf16-decoding.
I'm not sure that it's a vulnerability. It's run by the user, who could be willing to overwrite it.
Adding an "overwriting file" warning would be a good idea, but refusing to write an existing file could break some scripts (and if you were to add an overwrite flag, the "danger" is exactly the same as now).
Only dangerous if you have sigtool suid.
Index: libclamav/others.c
===================================================================
--- libclamav/others.c (revision 3475)
+++ libclamav/others.c (working copy)
@@ -492,7 +492,7 @@
if(!*name)
return CL_EMEM;
- *fd = open(*name, O_RDWR|O_CREAT|O_TRUNC|O_BINARY, S_IRWXU);
+ *fd = open(*name, O_RDWR|O_CREAT|O_TRUNC|O_BINARY|O_EXCL, S_IRWXU);
if(*fd == -1) {
cli_errmsg("cli_gentempfd: Can't create temporary file %s: %s\n",
*name, strerror(errno));
free(*name);
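Review bot: with O_EXCL in the flag set, open() can now fail with EEXIST merely because the generated name is already taken, and the visible error path (`cli_errmsg("cli_gentempfd: Can't create temporary file ...")` followed by `free(*name)`) turns that into a hard failure of the whole temp-file request; retry with a fresh name when errno == EEXIST (or switch to mkstemp(3), which performs the exclusive create itself) so the fix closes the race without turning a benign collision into a scan error. Two smaller points: S_IRWXU grants execute permission on a plain temporary file, where S_IRUSR|S_IWUSR would do, and the hunk header places the change at line 492 of revision 3475 while the cover mail cites line 847, so stating which revision the quoted line number refers to would avoid confusion.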
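As an added example (this is not ClamAV's code nor part of the mail above), the same O_EXCL fix applied to a temp-file creator that also retries the EEXIST case the hunk leaves as a hard error, plus a self-check that plants a file and shows the exclusive open refuse to reuse it. The function names, the temp-name format, and the use of /tmp are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical replacement for the pattern in cli_gentempfd (this example's
 * own code, not ClamAV's). O_EXCL makes open() refuse any path that already
 * exists, symlink included, so a planted name yields EEXIST instead of a
 * silent truncation of the target; EEXIST is then retried with a new name. */
int gentempfd_exclusive(const char *dir, char **name)
{
    char buf[4096];
    for (int attempt = 0; attempt < 100; attempt++) {
        snprintf(buf, sizeof buf, "%s/clamav-%ld-%d.tmp", dir, (long)getpid(), rand());
        int fd = open(buf, O_RDWR | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
        if (fd != -1) {
            *name = strdup(buf);
            if (*name) return fd;
            close(fd); unlink(buf); return -1;
        }
        if (errno != EEXIST) return -1;  /* only a name collision is retried */
    }
    errno = EEXIST; return -1;
}

/* Self-check: plant a file, show O_EXCL refuses to reopen it, and show the
 * retry loop still returns a distinct fresh file. 0 = success. */
int check_exclusive_create(void)
{
    char tmpl[] = "/tmp/oexcl-demo-XXXXXX", planted[4096], *name = NULL;
    char *dir = mkdtemp(tmpl);
    if (!dir) return 1;
    snprintf(planted, sizeof planted, "%s/planted.tmp", dir);
    int fd = open(planted, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
    if (fd == -1) return 2;
    close(fd);
    /* Without O_EXCL this open would succeed and truncate "planted". */
    fd = open(planted, O_RDWR | O_CREAT | O_TRUNC | O_EXCL, S_IRUSR | S_IWUSR);
    int rc = (fd == -1 && errno == EEXIST) ? 0 : 3;
    if (fd != -1) close(fd);
    int fresh = gentempfd_exclusive(dir, &name);
    if (fresh == -1 || strcmp(name, planted) == 0) rc = rc ? rc : 4;
    if (fresh != -1) { close(fresh); unlink(name); }
    free(name); unlink(planted); rmdir(dir);
    return rc;
}
```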