Debian Bug report logs - #817067
clamscan large archive DOS protection could be used to hide virus

Package: clamav; Maintainer for clamav is ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>; Source for clamav is src:clamav.

Reported by: Joey Hess <id@joeyh.name>

Date: Mon, 7 Mar 2016 20:03:02 UTC

Severity: important

Tags: security, upstream

Found in version clamav/0.99+dfsg-2

Fixed in version 0.99.3~snapshot20170704+dfsg-1

Done: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.clamav.net/show_bug.cgi?id=11522


Report forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#817067; Package clamav. (Mon, 07 Mar 2016 20:03:05 GMT)


Acknowledgement sent to Joey Hess <id@joeyh.name>:
New Bug report received and forwarded. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Mon, 07 Mar 2016 20:03:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Joey Hess <id@joeyh.name>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: clamscan large archive DOS protection could be used to hide virus
Date: Mon, 7 Mar 2016 15:59:37 -0400

Package: clamav
Version: 0.99+dfsg-2
Severity: important
Tags: security

Any script relying on clamscan's exit status can probably be tricked
with a file that contains a virus, but that uses clamscan's DOS
protection to trick clamscan into not scanning it in full.

Unfortunately, when a file is too large or otherwise triggers the DOS
protections, clamscan exits 0 without checking all of it.

clamscan git-annex.dmg 
git-annex.dmg: OK

----------- SCAN SUMMARY -----------
Known viruses: 4291311
Engine version: 0.99
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 25.35 MB (ratio 0.00:1)
Time: 8.958 sec (0 m 8 s)

The dmg in the example above could contain a virus. It's too large for
clamscan to process it, but there's no indication of that, except
perhaps a hint in the 0 MB scanned line.

Suggested fix: If clamscan doesn't process the whole file content for
any reason, exit with 2, which is documented to mean "some error
occurred".

-- 
see shy jo
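
The failure mode reported above, handled on the caller's side: an added example (not part of the original report and not ClamAV code) of a wrapper that refuses to treat exit status 0 as clean when the scan summary shows data read but nothing scanned. The function name scan_verdict and its verdict strings are hypothetical, and the 0 MB test is only the hint the report mentions, a heuristic rather than a documented clamscan interface.

```shell
#!/bin/sh
# Added example, not ClamAV code: fail-closed reading of one clamscan run.
# Usage: clamscan FILE > out.txt; scan_verdict $? < out.txt
# Prints clean | infected | error | incomplete; returns 0 only for clean.
scan_verdict() {
    status=$1
    summary=$(cat)    # clamscan's stdout, including the SCAN SUMMARY block
    case "$status" in
        0) ;;                               # "no virus found": verify below
        1) echo infected; return 1 ;;       # virus(es) found
        *) echo error; return 2 ;;          # 2 = "some error occurred"
    esac
    scanned=$(printf '%s\n' "$summary" |
        sed -n 's/^Data scanned: \([0-9.][0-9.]*\) MB.*/\1/p')
    read_mb=$(printf '%s\n' "$summary" |
        sed -n 's/^Data read: \([0-9.][0-9.]*\) MB.*/\1/p')
    # No parsable summary (e.g. --no-summary): coverage cannot be confirmed.
    if [ -z "$scanned" ] || [ -z "$read_mb" ]; then
        echo incomplete; return 2
    fi
    # Heuristic from the report: bytes were read but nothing was scanned.
    if awk -v s="$scanned" -v r="$read_mb" 'BEGIN { exit !(r > 0 && s == 0) }'
    then
        echo incomplete; return 2
    fi
    echo clean
}

# Summary lines copied from the report above (the git-annex.dmg run).
REPORT_SUMMARY='git-annex.dmg: OK
Infected files: 0
Data scanned: 0.00 MB
Data read: 25.35 MB (ratio 0.00:1)'

# Constructed summary for a file that was actually scanned.
FULL_SUMMARY='sample.txt: OK
Infected files: 0
Data scanned: 1.20 MB
Data read: 0.60 MB (ratio 2.00:1)'

printf '%s\n' "$REPORT_SUMMARY" | scan_verdict 0 || true   # incomplete
printf '%s\n' "$FULL_SUMMARY"   | scan_verdict 0           # clean
```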



Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#817067; Package clamav. (Mon, 07 Mar 2016 20:36:23 GMT)


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Mon, 07 Mar 2016 20:36:24 GMT)


Message #10 received at 817067@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Joey Hess <id@joeyh.name>, 817067@bugs.debian.org
Subject: Re: [Pkg-clamav-devel] Bug#817067: clamscan large archive DOS protection could be used to hide virus
Date: Mon, 7 Mar 2016 21:32:22 +0100

control: forwarded -1 https://bugzilla.clamav.net/show_bug.cgi?id=11522
control: tags -1 + upstream

On 2016-03-07 15:59:37 [-0400], Joey Hess wrote:
> Package: clamav
> Version: 0.99+dfsg-2
> Severity: important
> Tags: security
> 
> Any script relying on clamscan's exit status can probably be tricked
> with a file that contains a virus, but that uses clamscan's DOS
> protection to trick clamscan into not scanning it in full.

This sounds similar to #740059. Here it continues, in the other it
aborts.

> Suggested fix: If clamscan doesn't process the whole file content for
> any reason, exit with 2, which is documented to mean "some error
> occurred".

Sounds reasonable. I forwarded your report upstream.

Sebastian



Set Bug forwarded-to-address to 'https://bugzilla.clamav.net/show_bug.cgi?id=11522'. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to 817067-submit@bugs.debian.org. (Mon, 07 Mar 2016 20:36:24 GMT)


Added tag(s) upstream. Request was from Sebastian Andrzej Siewior <sebastian@breakpoint.cc> to 817067-submit@bugs.debian.org. (Mon, 07 Mar 2016 20:36:25 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>:
Bug#817067; Package clamav. (Mon, 22 Aug 2016 22:03:08 GMT)


Acknowledgement sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
Extra info received and forwarded to list. Copy sent to ClamAV Team <pkg-clamav-devel@lists.alioth.debian.org>. (Mon, 22 Aug 2016 22:03:08 GMT)


Message #19 received at 817067@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: 817067@bugs.debian.org
Cc: Joey Hess <id@joeyh.name>
Subject: Re: [Pkg-clamav-devel] Bug#817067: Bug#817067: clamscan large archive DOS protection could be used to hide virus
Date: Mon, 22 Aug 2016 23:59:55 +0200

On 2016-03-07 21:32:22 [+0100], Sebastian Andrzej Siewior wrote:
> Sounds reasonable. I forwarded your report upstream.

proxy mode on.

|Kevin Lin 2016-03-10 21:24:37 CET
|Engine limitations, as well as certain non-fatal internal errors, are
|suppressed within the engine. This is done to simplify issues and
|suppress issues caused by a non-clean return code and allow the engine
|to continue parsing the file.
|
|The solution to the issue would be to track the limitation statuses,
|most likely in the scanning context and have clamscan changed to
|interpret the statuses. Note that this most likely would affect the
|ABI.

|Steven Morgan 2016-06-24 20:26:42 CEST
|May use a virus such as Heuristic.SizeLimitsExceeded under the control
|of clamd/clamscan option (BlockLimitsExceeded). Rationale - it's not
|really an error or a virus, but flagging a heuristic fits better within
|ClamAV processing modes.

proxy mode off.

Sebastian



Reply sent to Sebastian Andrzej Siewior <sebastian@breakpoint.cc>:
You have taken responsibility. (Wed, 06 Sep 2017 19:36:05 GMT)


Notification sent to Joey Hess <id@joeyh.name>:
Bug acknowledged by developer. (Wed, 06 Sep 2017 19:36:05 GMT)


Message #24 received at 817067-done@bugs.debian.org:

From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: 817067-done@bugs.debian.org
Cc: Joey Hess <id@joeyh.name>
Subject: Re: Bug#817067: Bug#817067: clamscan large archive DOS protection could be used to hide virus
Date: Wed, 6 Sep 2017 21:33:29 +0200

Version: 0.99.3~snapshot20170704+dfsg-1

On 2016-08-22 23:59:55 [+0200], To 817067@bugs.debian.org wrote:
> |Steven Morgan 2016-06-24 20:26:42 CEST
> |May use a virus such as Heuristic.SizeLimitsExceeded under the control
> |of clamd/clamscan option (BlockLimitsExceeded). Rationale - it's not
> |really an error or a virus, but flagging a heuristic fits better within
> |ClamAV processing modes.

From the upstream bugzilla:

|Steven Morgan 2017-09-06 18:20:56 CEST
|This issue has been addressed in 0.99.3 with the addition of the
|clamscan --block-max option and the clamd BlockMax directive.

Sebastian



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 05 Oct 2017 07:28:50 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jul 15 13:25:28 2024; Machine Name: buxtehude
