[Pkg-clamav-devel] Patch to re-enable disabled modules

Scott Kitterman debian at kitterman.com
Sat Jan 31 15:36:27 UTC 2009


On Sat, 31 Jan 2009 12:34:06 +0100 Michael Tautschnig <mt at debian.org> wrote:
>Hi Scott,
>
>> The attached is for Ubuntu's 0.92.1.  It should be very similar (make sure to
>> set the correct CL_FLEVEL) for 0.90.1.  I did verify that the modules are
>> re-enabled, but that capability didn't change looking at the output of
>> clamscan --debug.
>>
>
>[...]
>
>Would you mind giving some more background information? I'm somewhat confused
>about this, is this some known security issue? Could you add some links?
>
IIRC (I'm away from my computer and reasonable access to reference 
material) I left the upstream changelog entry in the diff and it references 
a clamav bug that has the background.  Here's the short version...

Since the 0.9x series of clamav, clamav signature updates have not only 
delivered new signatures, but have also had the ability to remotely disable 
different code modules.  You can see what's disabled in the clamscan 
--debug output.

The effect of this has been that when we did a security patch, we would 
block the vulnerability, but the code would remain disabled.

There was not a way to indicate that modules should be reenabled because in 
the released versions of clamav the same variable is used to describe the 
functional capability of the scanning engine and the presence of security 
fixes.

Based on the bug I mentioned above, upstream disambiguated these two 
concepts.  The code change is small, but it allows us to express that we've 
fixed stuff and modules should run.

I do think it's a security issue because all the functionality disabled due 
to these past security fixes is still not available to users.  I'd treat 
this as finishing an incomplete security fix.

Scott K
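The mechanism Scott describes, as a small constructed model (added here; this is not ClamAV's code and the line format, the module names, the numeric levels and the names `Rule`, `Engine`, `flevel` and `dconf_level` are all assumptions). A signature update carries rules that replace a module's feature mask for engines whose advertised level falls in a range; `flevel` stands in for CL_FLEVEL. With one variable, a distribution build that backports a security fix but cannot honestly raise its functional level keeps matching the disable rule, so the module stays off. Modelling the upstream disambiguation as a second value that is consulted only for the disable decision lets the patched build re-enable the module without claiming features it does not have.

```python
"""Toy model of remote module disabling via signature updates.
Constructed example; not ClamAV code and not ClamAV's actual file format."""

from dataclasses import dataclass

# Constructed update lines, format MODULE:FLAGS:MIN_LEVEL:MAX_LEVEL.
# Meaning: engines whose advertised level lies in [MIN, MAX] inclusive get
# their feature mask for MODULE replaced by FLAGS (0 = module fully off).
# Pretend engines up to level 40 carry a PE-parser bug, so the update turns
# PE scanning off for levels 30..40 and trims OTHER down to one feature.
UPDATE_LINES = """
# module:flags:min:max
PE:0x0:30:40
OTHER:0x1:1:40
ELF:0xff:0:100
"""

# Default feature masks each module starts with (assumed values).
DEFAULT_FLAGS = {"PE": 0xFF, "ELF": 0xFF, "OTHER": 0xFF}


@dataclass
class Rule:
    module: str
    flags: int
    min_level: int
    max_level: int


@dataclass
class Engine:
    flevel: int       # functional level: what the scanner can actually do (CL_FLEVEL)
    dconf_level: int  # level advertised for remote-disable decisions (hypothetical)


def parse_rules(text: str) -> list[Rule]:
    """Parse the update text into Rule objects; reject malformed lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            raise ValueError(f"malformed rule line: {line!r}")
        module, flags, lo, hi = parts
        rules.append(Rule(module, int(flags, 0), int(lo), int(hi)))
    return rules


def effective_flags(rules: list[Rule], level: int) -> dict[str, int]:
    """Feature mask per module for an engine advertising `level`.
    Later matching rules override earlier ones, as a last-wins config would."""
    effective = dict(DEFAULT_FLAGS)
    for r in rules:
        if r.min_level <= level <= r.max_level:
            effective[r.module] = r.flags
    return effective


def disabled_modules(engine: Engine, rules: list[Rule], disambiguated: bool) -> list[str]:
    """Modules fully switched off for this engine.
    disambiguated=False: the single CL_FLEVEL-style value decides (the old behaviour).
    disambiguated=True:  the separate dconf_level decides (modelled upstream fix)."""
    level = engine.dconf_level if disambiguated else engine.flevel
    return sorted(m for m, f in effective_flags(rules, level).items() if f == 0)


# Scenario: a distro ships an engine at functional level 40, backports the PE
# fix, but cannot bump flevel because it gained none of level 41's features.
# It can, however, advertise level 41 for the disable decision only.
PATCHED_BUILD = Engine(flevel=40, dconf_level=41)

if __name__ == "__main__":
    rules = parse_rules(UPDATE_LINES)
    print("one variable     :", disabled_modules(PATCHED_BUILD, rules, False))  # ['PE']
    print("disambiguated    :", disabled_modules(PATCHED_BUILD, rules, True))   # []
    print("masks at level 40:", effective_flags(rules, 40))
```

Run it and the first line shows PE still disabled on the patched build, which is exactly the "incomplete security fix" situation: the vulnerability is gone but users have lost PE scanning. The second line shows the module back once the disable decision is keyed on a value the distribution is free to raise.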


