[Pkg-clamav-devel] Bug#817067: clamscan large archive DOS protection could be used to hide virus

Joey Hess id at joeyh.name
Mon Mar 7 19:59:37 UTC 2016


Package: clamav
Version: 0.99+dfsg-2
Severity: important
Tags: security

Any script relying on clamscan's exit status can probably be tricked
with a file that contains a virus, but that uses clamscan's DOS
protection to trick clamscan into not scanning it in full.

Unfortunately, when a file is too large or otherwise triggers the DOS
protections, clamscan exits 0 without checking all of it.

clamscan git-annex.dmg 
git-annex.dmg: OK

----------- SCAN SUMMARY -----------
Known viruses: 4291311
Engine version: 0.99
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 25.35 MB (ratio 0.00:1)
Time: 8.958 sec (0 m 8 s)

The dmg in the example above could contain a virus. It's too large for
clamscan to process it, but there's no indication of that, except
perhaps a hint in the 0 MB scanned line.

Suggested fix: If clamscan doesn't process the whole file content for
any reason, exit with 2, which is documented to mean "some error
occurred".

-- 
see shy jo
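
A wrapper that fails closed on the symptom shown in the report, as an added example (not part of the original message and not ClamAV's own code). The function names `classify_scan` and `scan_file` are hypothetical, and treating "data read but 0 scanned" as an incomplete scan is a heuristic assumed from the summary output quoted above.

```shell
#!/bin/sh
# Added example: do not trust clamscan's exit status 0 on its own.
# Heuristic (assumption): if the summary says data was read but none of it
# was scanned, the file was not actually inspected.

# classify_scan STATUS   (clamscan's output is read from stdin)
# Returns 0 = clean and scanned, 1 = infected, 2 = error or incomplete scan.
classify_scan() {
    status=$1
    summary=$(cat)

    # Pass clamscan's own non-zero results through unchanged.
    [ "$status" -eq 1 ] && return 1
    [ "$status" -ne 0 ] && return 2

    # Third field of "Data scanned: 0.00 MB" / "Data read: 25.35 MB (...)".
    scanned=$(printf '%s\n' "$summary" | awk '/^Data scanned:/ {print $3; exit}')
    read_amt=$(printf '%s\n' "$summary" | awk '/^Data read:/ {print $3; exit}')

    # Summary missing or unparsable: nothing to verify against, fail closed.
    [ -n "$scanned" ] && [ -n "$read_amt" ] || return 2

    # Only zero versus non-zero is compared, so the unit does not matter.
    if awk -v s="$scanned" -v r="$read_amt" 'BEGIN { exit !(r > 0 && s == 0) }'; then
        return 2
    fi
    return 0
}

# scan_file PATH: run clamscan (assumed to be on PATH) and classify the result.
scan_file() {
    out=$(clamscan "$1") && rc=0 || rc=$?
    printf '%s\n' "$out" | classify_scan "$rc"
}
```

Call `scan_file path/to/file` and branch on its return value instead of on clamscan's.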


