[Pkg-clamav-devel] Bug#941850: clamav: inconsistent results with "better zip bomb" reproducers

Hugo Lefeuvre hle at debian.org
Sun Oct 6 15:14:15 BST 2019


Package: clamav
Version: clamav/0.101.4+dfsg-1
Severity: normal

Hi,

clamdscan returns surprising results for "better zip bomb" reproducers[0]:

* Inconsistent results with zbsm.zip:

clamdscan returns different results when run at different times. The first
time the file is considered sane, the second time "infected".

It looks like clamdscan doesn't always hit the OverlappingFiles heuristic.

$ clamdscan /tmp/zbsm.zip
/tmp/zbsm.zip: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 120.771 sec (2 m 0 s)
$ clamdscan /tmp/zbsm.zip
/tmp/zbsm.zip: Heuristics.Zip.OverlappingFiles FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 51.885 sec (0 m 51 s)

* zbxl.zip

clamdscan returns OK for zbxl.zip after 0.000 sec. clamscan needs more than
one minute. This difference is surprising to me.

$ clamdscan /tmp/zbxl.zip
/tmp/zbxl.zip: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.000 sec (0 m 0 s)
$ clamscan /tmp/zbxl.zip
/tmp/zbxl.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 6354861
Engine version: 0.101.4
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 43.75 MB (ratio 0.00:1)
Time: 66.032 sec (1 m 6 s)

This is reproducible with 0.101.4 in unstable (not a VM), stretch and
jessie (both VMs).

cheers,
Hugo

[0] https://www.bamsoftware.com/hacks/zipbomb/

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
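As an added illustration (not code from this bug report, from Debian, or from ClamAV itself), the check below implements the condition that the Heuristics.Zip.OverlappingFiles detection is named after: walking the central directory and flagging members whose local-header-plus-data byte ranges overlap. The constructed_* helpers build constructed sample archives for the check; they are not the zbsm.zip / zbxl.zip reproducers linked above.

```python
import io
import struct
import zipfile
import zlib

def entry_spans(data: bytes):
    """Return (start, end, name): the byte range each member's local header plus compressed data occupies."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    total, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    spans = []
    for _ in range(total):
        if data[pos:pos + 4] != b"PK\x01\x02":
            raise ValueError("bad central directory entry at offset %d" % pos)
        comp_size, = struct.unpack_from("<I", data, pos + 20)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off, = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if data[local_off:local_off + 4] != b"PK\x03\x04":
            raise ValueError("bad local header for %s" % name)
        # The local header carries its own name/extra lengths; use those to find the data start.
        lname_len, lextra_len = struct.unpack_from("<HH", data, local_off + 26)
        spans.append((local_off, local_off + 30 + lname_len + lextra_len + comp_size, name))
        pos += 46 + name_len + extra_len + comment_len
    return spans

def overlapping_entries(data: bytes):
    """Pairs of member names whose byte ranges overlap (the quoted-overlap pattern); empty for a sane zip."""
    spans = sorted(entry_spans(data))
    return [(a[2], b[2]) for a, b in zip(spans, spans[1:]) if a[1] > b[0]]

def constructed_overlap_zip(names, payload=b"A" * 64) -> bytes:
    """Constructed sample: one stored local entry, but a central directory entry per name, all at offset 0."""
    crc, n = zlib.crc32(payload), len(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, 0, 0, 0, crc, n, n,
                        len(names[0]), 0) + names[0].encode() + payload
    cd = b"".join(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0, 0, 0, 0,
                              crc, n, n, len(nm), 0, 0, 0, 0, 0, 0) + nm.encode()
                  for nm in names)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(names), len(names), len(cd), len(local), 0)
    return local + cd + eocd

def constructed_sane_zip() -> bytes:
    """Constructed sample: an ordinary two-member archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", "hello")
        zf.writestr("b.txt", "world")
    return buf.getvalue()
```

A scanner that only reads the central directory sizes (as the 0.000 sec clamdscan result above suggests may have happened) would not notice that two entries share one byte range; the span comparison is what surfaces it.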