Stefan Fritsch wrote:
> On Wednesday 27 February 2008, Nick Boyce wrote:
>> But it seems to me that simply enabling the --unrar parameter of
>> clamscan would not entail incorporating or distributing any unrar
>> code at all - the code to parse the --unrar parameter and call the
>> non-free unrar binary if specified surely belongs to ClamAV alone?
>
> Note that unrar-nonfree has no security support (like all packages in
> non-free). Using it to automatically process potentially malicious
> content is a bad idea, IMHO. In fact, unrar-nonfree in stable had a
> security issue until the release of etch r3 (CVE-2007-0855).
Ah ... damn, didn't realise that - a bit like Ubuntu's "universe" I
suppose ... security fixes not guaranteed, but are possible as the
source is available.
Don't know what to do now, especially as this is currently still a Sarge
system :-( I might just disable RAR scanning till I upgrade it.
Thanks for the heads up.
Nick Boyce
--
The owls are not what they seem.