[Pkg-clamav-devel] Bug#941850: clamav: inconsistent results with "better zip bomb" reproducers

Hugo Lefeuvre hle at debian.org
Mon Oct 7 07:41:51 BST 2019 

Hi Sebastian,

> > clamdscan returns different results when run different times. The first
> > time the file is considered sane, the second time as "infected".
> > 
> > It looks like clamdscan doesn't always hit the OverlappingFiles heuristic.
> > 
> > $ clamdscan /tmp/zbsm.zip
> > /tmp/zbsm.zip: OK
> > 
> > ----------- SCAN SUMMARY -----------
> > Infected files: 0
> > Time: 120.771 sec (2 m 0 s)
> > $ clamdscan /tmp/zbsm.zip
> > /tmp/zbsm.zip: Heuristics.Zip.OverlappingFiles FOUND
> > 
> > ----------- SCAN SUMMARY -----------
> > Infected files: 1
> > Time: 51.885 sec (0 m 51 s)
> 
> I don't understand the difference between the first run vs the second.
> Please note that that clamdscan uses the daemon for scanning which *may*
> cache the last result. A fresh started daemon:
> |$ clamdscan zbsm.zip
> |/home/bigeasy/zbsm.zip: Heuristics.Zip.OverlappingFiles FOUND
> |
> |----------- SCAN SUMMARY -----------
> |Infected files: 1
> |Time: 119.048 sec (1 m 59 s)
> |$ clamdscan zbsm.zip 
> |/home/bigeasy/zbsm.zip: Heuristics.Zip.OverlappingFiles FOUND
> |
> |----------- SCAN SUMMARY -----------
> |Infected files: 1
> |Time: 0.367 sec (0 m 0 s)
> 
> So the first scan was *really* performed, the second one used the
> previous result. The odd-part is "OK" vs "FOUND" for the daemon and I
> can't pin point the 51secs.

OK, so this is not reproducible on your system. I have no idea why
clamdscan behaves like this on my machine, but my knowledge of this code
base is limited.

> zbxl.zip is a different story. It says "Data scanned: 0.00 MB" which
> means it didn't do anything. My guess is that your file limit is 25MiB
> while the file is ~40MiB. That time here is just load the database.
>
> [...]
> 
> Here it scanned something and you see the time it needed is almost the
> same as in the previous example where it did just load its database.

Ack, thanks for pointing that out, I forgot about the file size limit.
 
> So far I don't see anything wrong.

I have discovered this during my regression tests for the jessie update. My
main worry was to have broken something, I'm glad it's not the case.
Thanks for your time!

regards,
Hugo

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-clamav-devel/attachments/20191007/1f910a7a/attachment.sig>

More information about the Pkg-clamav-devel mailing list