[Pkg-clamav-devel] Bug#747425: Further information

Andreas Cadhalpun andreas.cadhalpun at googlemail.com
Mon Jun 23 19:39:25 UTC 2014


Control: tags -1 moreinfo

Hi Karl,

On 09.05.2014 05:41, Karl Schmidt wrote:
> I can provide some of the other files producing the errors - is there a
> way to get clamav to log the file names - it is very time consuming to
> find which file is causing the errors.  This error did not exist earlier ..

clamav logs the file names already. The file name before the warning is 
the affected file. You can easily grep for that:
cat clamav.log | grep -B 1 "scancws"

That the file is marked as 'OK' just means that no virus was found.

> I think the error started here when I upgraded to the latest - as seen
> in this dpkg log line:
> 2014-04-27 14:55:19 upgrade libclamav6:amd64 0.97.8+dfsg-1
> 0.98.1+dfsg-1+deb7u3
> (associated lib files were updated at the same time. )

This informational message (LibClamAV info: scancws: ...) didn't appear 
with clamav versions older than 0.98, because they didn't check 
Flash/SWF files at all.

I have now taken a closer look at the sample PDF file you provided.

$ clamscan --debug V2000flyer.pdf
[...]
LibClamAV debug: pdf_extract_obj: obj 4605 0
LibClamAV debug: cli_pdf: dumping obj 4605 0
LibClamAV debug: cli_pdf: deflate len 142 (orig 142)
LibClamAV debug: cli_pdf: extracted 138 bytes 4605 0 obj to /tmp/clamav-9a08478e53340b2538c51387859ef9f8.tmp/pdf4498
LibClamAV debug: in cli_magic_scandesc (reclevel: 1/16)
LibClamAV debug: Recognized SWF (compressed) file
LibClamAV debug: cache_check: a35a6e5068f61f4dc5c09936d1306151 is negative
LibClamAV debug: in cli_scanswf()
LibClamAV debug: SWF: Compressed file
LibClamAV info: scancws: Error decompressing SWF file
[...]

This means that clamav found object 4605 in the PDF file, extracted it 
to the file pdf4498 (attached), recognized it as a compressed SWF file, 
tried to scan it and failed to decompress it.
Testing with flasm reveals:
$ flasm -d pdf4498
Error -3 decompressing SWF: incorrect header check

movie 'pdf4498' compressed // flash 57, total frames: 65535, frame rate: -1.00391 fps, 3276.75x3276.75 px
end

So this file is definitely not a valid SWF file. Also 'flash 57' doesn't 
exist and a negative frame rate doesn't make any sense.

But on the other hand a flash file of 138 bytes in size doesn't make sense 
anyway, so more likely this isn't supposed to be an embedded SWF file, 
but rather some other object.

Indeed, the object metadata in the PDF file shows:
4605 0 obj<</Length 142/Filter/FlateDecode/Width 46/Height 1/BitsPerComponent 8/ColorSpace 12243 0 R/Type/XObject/Subtype/Image>>

So this is supposed to be a 46x1 image.

Now the question is why the data starts with the letters 'CWS', which 
is the magic number indicating a compressed SWF file.
Do you have any idea?

You indicated that several files were affected.
How many files give such a warning?
Are all of these files PDF files?
Are they coming from the same source (i.e. is it a problem with that 
source)?
Can you share some more files that emit this warning?

As it is, I don't think this bug is about a problem in clamav, but 
rather in the PDF files giving this warning.
Additionally I have scanned several thousand of my PDF files and never 
saw this warning.

Therefore I'm inclined to close this bug report.
But if you can prove somehow that the PDF files are valid or can give a 
reason why the object starts with 'CWS' but is not Flash/SWF, I can 
forward this to upstream.

Best regards,
Andreas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pdf4498
Type: application/octet-stream
Size: 138 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-clamav-devel/attachments/20140623/944ef563/attachment.obj>
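
Added example, not part of the original message and not ClamAV code: a small Python triage check for the case described above, where a blob begins with the 'CWS' magic but the data after the 8-byte SWF header is not a valid zlib stream. The function name, the version bound, the inflate cap and both sample blobs are constructed assumptions.

```python
import struct
import zlib

# Assumptions: an upper bound for a believable SWF version byte (the message
# above only states that "flash 57" does not exist) and a cap on inflated size.
MAX_PLAUSIBLE_VERSION = 50
MAX_INFLATE = 16 * 1024 * 1024


def triage_cws(data: bytes) -> dict:
    """Check whether a blob that starts with 'CWS' is really a compressed SWF."""
    result = {"magic": data[:3] == b"CWS", "version": None,
              "declared_len": None, "inflated_len": None,
              "error": None, "plausible": False}
    if not result["magic"] or len(data) < 8:
        result["error"] = "no CWS magic or header shorter than 8 bytes"
        return result
    # SWF header: 3-byte signature, 1-byte version, uint32 LE total length
    # of the uncompressed file (including these 8 header bytes).
    result["version"] = data[3]
    result["declared_len"] = struct.unpack_from("<I", data, 4)[0]
    inflater = zlib.decompressobj()
    try:
        body = inflater.decompress(data[8:], MAX_INFLATE)  # bounded inflate
    except zlib.error as exc:
        result["error"] = str(exc)  # e.g. "... incorrect header check"
        return result
    if not inflater.eof:
        result["error"] = "zlib stream truncated or larger than MAX_INFLATE"
        return result
    result["inflated_len"] = 8 + len(body)
    result["plausible"] = (
        1 <= result["version"] <= MAX_PLAUSIBLE_VERSION
        and result["inflated_len"] == result["declared_len"]
    )
    return result


# Constructed sample 1: a well-formed CWS container around dummy body bytes.
_body = b"\x00" * 64
GOOD = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(_body)) + zlib.compress(_body)

# Constructed sample 2: 138 bytes of image-like data that merely begin with
# the ASCII letters "CWS9" (0x39 = 57); not the real attachment.
FAKE = b"CWS9" + bytes((i * 7) % 256 for i in range(134))

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("FAKE", FAKE)):
        print(name, triage_cws(blob))
```

A blob that matches the magic but is reported as not plausible is a candidate for the kind of false type recognition discussed in this message, and the enclosing PDF object dictionary is the next thing to inspect.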

