Ged,

Meaning no offense here - but not every crash is a security vulnerability.  You 
shouldn't trust 3rd party signatures unless you trust the source of the 
signatures.

We take vulnerabilities in parsing untrusted user input (such as when scanning 
a file or email) very seriously.  Signature databases, on the other hand, 
should qualify as trusted input.

If there is a known defect in how a signature is parsed - we can avoid it until 
such time as we have the ability to fix the feature.  To be clear, Mickey 
stated in the ticket that we're leaving the ticket open because it is very 
clearly a bug that we intend to fix.  However, we have a lot on our plates and 
very few developers.  If you have the time to find a good fix for it, we'll 
take your patch or pull request.

Respectfully,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.


On Jul 31, 2018, at 1:14 PM, G.W. Haywood 
<cla...@jubileegroup.co.uk> wrote:

Hi there,

On Tue, 31 Jul 2018, Steve Basford wrote:

My little issue is with this statement:
"It wasn't quite clear at the offset of this bug, but ClamAV cannot
support unofficial signatures from a development standpoint. For numerous
reasons, we do not regress against those signatures, and in cases where
sig writers publish non-functional signatures due to insufficient testing
(which then cause crashes in newer versions of clam) we cannot devote our
resources to fixing that problem." (above Bugzilla)

I'll take issue with that statement too.  That's a cr@p developer attitude.

If an unofficial signature causes (or is even _capable_ of causing) clam
to crash, that's a fault in clam that needs to be fixed.

If nothing else it means that you're quite likely less secure if you're
running clam on Linux than you are if you're _not_ running it.

--

73,
Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
