Ged,

Meaning no offense here - but not every crash is a security vulnerability. You shouldn't trust 3rd party signatures unless you trust the source of the signatures.

We take vulnerabilities in parsing untrusted user input (such as when scanning a file or email) very seriously. Signature databases, on the other hand, should qualify as trusted input. If there is a known defect in how a signature is parsed - we can avoid it until such time as we have the ability to fix the feature.

To be clear, Mickey stated in the ticket that we're leaving the ticket open because it is very clearly a bug that we intend to fix. However, we have a lot on our plates and very few developers. If you have the time to find a good fix for it, we'll take your patch or pull request.

Respectfully,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On Jul 31, 2018, at 1:14 PM, G.W. Haywood <cla...@jubileegroup.co.uk> wrote:

> Hi there,
>
> On Tue, 31 Jul 2018, Steve Basford wrote:
>
>> My little issue is with this statement:
>>
>> "It wasn't quite clear at the offset of this bug, but ClamAV cannot support unofficial signatures from a development standpoint. For numerous reasons, we do not regress against those signatures, and in cases where sig writers publish non-functional signatures due to insufficient testing (which then cause crashes in newer versions of clam) we cannot devote our resources to fixing that problem."
>>
>> (above Bugzilla)
>
> I'll take issue with that statement too. That's a cr@p developer attitude. If an unofficial signature causes (or is even _capable_ of causing) clam to crash, that's a fault in clam that needs to be fixed. If nothing else it means that you're quite likely less secure if you're running clam on Linux than you are if you're _not_ running it.
>
> --
> 73,
> Ged.
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml