[Pkg-clamav-devel] Bug#714132: Signature Ignore Problem

Richard Laager rlaager at wiktel.com
Wed Jun 26 05:20:49 UTC 2013 

Package: clamav-unofficial-sigs
Version: 3.7.1-3

I have ignored the MBL_311364 signature. The MBL_400944 signature is a
strict superset of this signature. Because the greps in
clamav-unofficial-sigs use unanchored regular expressions when looking
up signatures by their hex value, it finds both of them, and the script
falls apart.

Steps to reproduce:
    echo MBL_311364 | clamav-unofficial-sigs -b
    clamav-unofficial-sigs
    cat /var/lib/clamav-unofficial-sigs/configs/local.ign

Expected results:
    No message from clamav-unofficial-sigs about a changed signature.

    This output from the cat command:
    mbl.ndb:922:MBL_311364

Actual results:
    This message from clamav-unofficial-sigs (note the two signatures
    listed):

    MBL_311364 hexadecimal is signature unchanged, however signature name and/or line placement
    in mbl.ndb has change to MBL_311364
    MBL_400944 - updated local.ign to reflect this change.

    This output from the cat command:
    mbl.ndb:922:MBL_311364
    mbl.ndb:2214:MBL_400944

With every invocation of clamav-unofficial-sigs, we get another
MBL_400944 line in the ignore file.

The attached patch and series file can be dropped into a (newly created)
debian/patches directory in the package to fix this.

This still doesn't address the possibility that a signature could be
100% duplicated exactly (i.e. two signatures with different names, but
the exact same hex value). I'm not sure how to best address that,
exactly, other than perhaps to just add a " | head -n1" after the grep.
Also, I'm not sure if this scenario will ever occur in real-life
databases, but the one I outlined above is happening to us right now.

-- 
Richard
-------------- next part --------------
signature-lookup-exact-match
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature-lookup-exact-match
Type: text/x-patch
Size: 1017 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20130626/530717b0/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20130626/530717b0/attachment.sig>

More information about the Pkg-clamav-devel mailing list