[Pkg-clamav-devel] Patch to re-enable disabled modules
Scott Kitterman
debian at kitterman.com
Sat Jan 31 15:36:27 UTC 2009
On Sat, 31 Jan 2009 12:34:06 +0100 Michael Tautschnig <mt at debian.org> wrote:
>Hi Scott,
>
>> The attached is for Ubuntu's 0.92.1. It should be very similar (make
>> sure to set the correct CL_FLEVEL) for 0.90.1. I did verify that the
>> modules are re-enabled, but that capability didn't change looking at the
>> output of clamscan --debug.
>>
>
>[...]
>
>Would you mind giving some more background information? I'm somewhat
>confused about this, is this some known security issue? Could you add some
>links?
>
IIRC (I'm away from my computer and reasonable access to reference
material) I left the upstream changelog entry in the diff and it references
a clamav bug that has the background. Here's the short version...
Since the 0.9x series of clamav, clamav signature updates have not only
delivered new signatures, but have also had the ability to remotely disable
different code modules. You can see what's disabled in the clamscan
--debug output.
The effect of this has been that when we did a security patch, we would
block the vulnerability, but the code would remain disabled.
There was not a way to indicate that modules should be reenabled because in
the released versions of clamav the same variable is used to describe the
functional capability of the scanning engine and the presence of security
fixes.
Based on the bug I mentioned above, upstream disambiguated these two
concepts. The code change is small, but it allows us to express that we've
fixed stuff and modules should run.
I do think it's a security issue because all the functionality disabled due
to these past security fixes is still not available to users. I'd treat
this as finishing an incomplete security fix.
Scott K
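The mail above describes a single level value being asked two different questions: "which signature features can this engine parse?" and "which security fixes does this engine carry?". The following C model is an added illustration of why that conflation blocks a distribution backport; it is not libclamav code, and every struct, function and number in it (the rule, the levels 26 and 28, the module name) is constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the problem the mail describes; these are not
 * libclamav structures or names. A dynamic-configuration rule shipped with
 * the signature database turns a scanning module off on any engine whose
 * level is below the level at which the flaw was fixed. */
struct dconf_rule {
    const char *module;
    unsigned int fixed_in_level;
};

/* Engine identity as the signature database sees it. `flevel` is the
 * functionality level (which signature syntax the parser understands);
 * `fixlevel` is the level of security fixes present. In the released
 * engine both questions are answered by the one CL_FLEVEL value. */
struct engine {
    unsigned int flevel;
    unsigned int fixlevel;
};

struct outcome {
    bool module_runs;             /* did the rule leave the module enabled?     */
    bool accepts_unsupported_sig; /* would the engine load a signature it can't parse? */
};

/* Released behaviour: one variable decides whether the module is enabled. */
bool module_on_single(unsigned int flevel, const struct dconf_rule *r)
{
    return flevel >= r->fixed_in_level;
}

/* Signature loading (both schemes): skip signatures needing a newer parser. */
bool sig_loadable(unsigned int flevel, unsigned int sig_min_flevel)
{
    return flevel >= sig_min_flevel;
}

/* Disambiguated behaviour: the module rule consults the fix level only. */
bool module_on_split(const struct engine *e, const struct dconf_rule *r)
{
    return e->fixlevel >= r->fixed_in_level;
}

/* Scenario 1: the distro backports the fix but leaves the level at the
 * engine's real parser level. Honest, but the module stays disabled. */
struct outcome single_keep_level(unsigned int real_flevel, const struct dconf_rule *r,
                                 unsigned int newer_sig_level)
{
    struct outcome o;
    o.module_runs = module_on_single(real_flevel, r);
    o.accepts_unsupported_sig = sig_loadable(real_flevel, newer_sig_level)
                                && newer_sig_level > real_flevel;
    return o;
}

/* Scenario 2: the distro bumps the single level to the fix level to wake
 * the module up. That also claims parser features the engine lacks. */
struct outcome single_bump_level(unsigned int real_flevel, const struct dconf_rule *r,
                                 unsigned int newer_sig_level)
{
    unsigned int claimed = r->fixed_in_level;
    struct outcome o;
    o.module_runs = module_on_single(claimed, r);
    o.accepts_unsupported_sig = sig_loadable(claimed, newer_sig_level)
                                && newer_sig_level > real_flevel;
    return o;
}

/* Scenario 3: separate variables. The backport raises only the fix level,
 * so the module runs and signature loading still tells the truth. */
struct outcome split_levels(unsigned int real_flevel, const struct dconf_rule *r,
                            unsigned int newer_sig_level)
{
    struct engine e = { real_flevel, r->fixed_in_level };
    struct outcome o;
    o.module_runs = module_on_split(&e, r);
    o.accepts_unsupported_sig = sig_loadable(e.flevel, newer_sig_level)
                                && newer_sig_level > real_flevel;
    return o;
}

static void show(const char *label, struct outcome o)
{
    printf("%-12s module %s, unsupported signature accepted: %s\n", label,
           o.module_runs ? "on " : "off", o.accepts_unsupported_sig ? "yes" : "no");
}

int main(void)
{
    /* Hypothetical numbers: engine parses level 26, flaw fixed at 28, and
     * the database also carries a signature that needs level 28. */
    const struct dconf_rule rule = { "hypothetical_module", 28 };
    show("keep level", single_keep_level(26, &rule, 28));
    show("bump level", single_bump_level(26, &rule, 28));
    show("split", split_levels(26, &rule, 28));
    return 0;
}
```

Only the split scheme gives both correct answers at once; with a single variable the backporter must choose between leaving fixed modules disabled and misreporting the engine's parser capability.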