We are having problems with amavis checking RAR, LHA, ARC and ZOO
files. Some debugging shows that it's barfing at the exec() in
fh_copy(), called by store_mgr(), called by do_unrar() and buddies.
Evidence: (running amavis from command line, with debugging on)
----------------------------------------------------------------
Aug 7 22:11:05 mymailserver-mail amavis[27957]: Extracting mime components
Aug 7 22:11:05 mymailserver-mail amavis[27957]: Level: 1, parts: 2
Aug 7 22:11:05 mymailserver-mail amavis[27957]: Archive nesting depth: 0
Aug 7 22:11:05 mymailserver-mail amavis[27957]: File-type of
msg-27957-1.txt: ASCII text
Aug 7 22:11:05 mymailserver-mail amavis[27957]: msg-27957-1.txt is atomic
Aug 7 22:11:05 mymailserver-mail amavis[27957]: File-type of
msg-27957-2.rar: RAR archive data, v1d, os: Unix
Aug 7 22:11:05 mymailserver-mail amavis[27957]: Expanding RAR archive
msg-27957-2.rar
Aug 7 22:11:05 mymailserver-mail amavis[27962]: Decoding of
msg-27957-2.rar (RAR archive data, v1d, os: Unix) failed, leaving it
unpacked: Insecure dependency in exec while running with -T switch at
/root/amavis line 1073. (message-id=<[EMAIL PROTECTED]>)
Aug 7 22:11:05 mymailserver-mail amavis[27962]: msg-27957-2.rar is atomic
Aug 7 22:11:05 mymailserver-mail amavis[27962]: Using clamav
Aug 7 22:11:05 mymailserver-mail amavis[27962]:
/var/amavis/amavis-09704957/parts/msg-27957-1.txt: OK
/var/amavis/amavis-09704957/parts/msg-27957-2.rar: RAR module failure
/var/amavis/amavis-09704957/parts/part-00001: Empty file
-----------------------------------------------------------------
The problem seems to be that there is no detainting of the filenames
derived from the archives, so Perl rightly dies before it tries to
exec something. Consider this: a RAR file that had a compressed file
called "MyDoc ; rm -rf /" (yes, it can be done - I tested something
similar with an LHA file). This would be bad if not detainted.
Is this a bug with amavis? As far as I can tell, no RAR et al. files are
going to get through, virus-free or not.
My makeshift patch was:
# diff amavis amavis.orig
1573,1579d1572
< do_log(0,"untainting $_");
< if ($_ =~ /^([EMAIL PROTECTED])$/) {
< $_ = $1;
< } else {
< die "Bad data in \"$_\""; # log this somewhere
< }
<
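Review bot: the die in the else branch of this hunk aborts the whole amavis run on the first member name that fails the match, which is exactly the "works, until you get one of the nasty files" behaviour described below; have the untaint return a failure instead and let the caller refuse or rename that member (or treat the archive as undecodable, the way the "Decoding ... failed, leaving it unpacked" path already does), and turn the placeholder comment "# log this somewhere" into a real do_log call so the rejected name is recorded. The character class in the regex appears here only as [EMAIL PROTECTED] (archive obfuscation), so the actual whitelist cannot be reviewed; it should admit only characters that are safe as a filename and nothing resembling shell metacharacters. The unconditional do_log(0,"untainting $_") will also log every member name of every archive at level 0, which is noisy for what is a routine step.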
This works, until you get one of the nasty files mentioned above.
Our system:
OS: Mandrake Linux 10.0 Community
Amavis: 0.3.12 (hand-rolled, not RPM)
MTA: Postfix 2.1.5
AV: Clamav 0.86.2
BTW, first post and recent subscription, though I did search the mail
archives, the FAQs, bug lists and Google in general.
Thanks,
Tony Lewis
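An added example (not amavis code, and not the poster's patch) of how the untaint in the patch above can refuse an unsafe archive member name instead of dying, and how a list-form system() keeps the name away from /bin/sh; the helper names and the whitelist are assumptions, not amavis's own.

```perl
#!/usr/bin/perl
# Added example, not amavis code: a whitelist untaint for archive member
# names that refuses bad names instead of die()ing, plus a list-form
# system() so the shell never sees the name. Helper names are hypothetical.
# Run as: perl -T thisfile.pl  (so the taint checks are actually on)
use strict;
use warnings;

# Return the untainted name, or undef if any character falls outside
# the whitelist. The regex capture is what clears the taint flag under -T.
sub untaint_member_name {
    my ($name) = @_;
    return undef unless defined $name && length $name;
    # no directory separators, no "." / "..", no names that look like options
    return undef if $name =~ m{/} || $name =~ /^\.\.?$/ || $name =~ /^-/;
    return $name =~ /^([\w.\-+ ]{1,255})$/ ? $1 : undef;
}

# Copy a member out of the unpack directory with an explicit argument list;
# with more than one argument, system() bypasses /bin/sh entirely, so a
# name like "MyDoc ; rm -rf /" could never be parsed as a command anyway.
sub copy_member {
    my ($srcdir, $name, $dstdir) = @_;
    my $safe = untaint_member_name($name);
    unless (defined $safe) {
        warn "refusing archive member with unsafe name: \"$name\"\n";
        return 0;
    }
    local $ENV{PATH} = '/bin:/usr/bin';   # -T also insists on a clean PATH
    my $rc = system('/bin/cp', '--', "$srcdir/$safe", "$dstdir/$safe");
    return $rc == 0 ? 1 : 0;
}

# Constructed sample names, as they might come back from an unrar/lha listing.
for my $n ('report.txt', 'MyDoc ; rm -rf /', '../etc/passwd', '-r') {
    my $verdict = defined untaint_member_name($n) ? 'accepted' : 'rejected';
    print "$verdict: $n\n";
}
```

Only report.txt is accepted; the other three constructed names are rejected and, in copy_member, would be logged and skipped rather than killing the scan.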
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/