It appears to me to be an issue with the signature which is only evident in 
0.103.1 now that we're matching TIFFs with Target:5 signatures, like this one.  

There was apparently a mismatch for TIFF file type detection between the file 
type magic signatures built-in to libclamav (libclamav/filetypes_int.h) and the 
.ftm sigs shipped with daily.cvd (which override the internal ones when loaded).

I'll ask to have the signature dropped and re-evaluated. 

-Micah

> -----Original Message-----
> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of
> Micah Snyder (micasnyd)
> Sent: Thursday, February 11, 2021 8:27 PM
> To: ClamAV Development <clamav-devel@lists.clamav.net>
> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
> 
> Thank you Mark! We'll take a look.
> 
> -Micah
> 
> > -----Original Message-----
> > From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf
> > Of Mark Allan
> > Sent: Thursday, February 11, 2021 3:54 PM
> > To: ClamAV Development <clamav-devel@lists.clamav.net>
> > Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
> >
> > Hi Micah,
> >
> > Yes of course! I've just uploaded a zip file (Archive.zip) to the FP
> > page on clamav.net
> >     MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a
> >
> > Regards
> > Mark
> >
> > > On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
> > >
> > > Hi Mark,
> > >
> > > Do you think you could share a sample or two with me to test? I'm
> > > really curious what changed and would like to debug each version with a
> > > sample or two.
> > >
> > > -Micah
> > >
> > >> -----Original Message-----
> > >> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On
> > >> Behalf Of Mark Allan
> > >> Sent: Monday, February 8, 2021 3:04 AM
> > >> To: ClamAV Development <clamav-devel@lists.clamav.net>
> > >> Subject: [Clamav-devel] Issue with FP only on 0.103.1
> > >>
> > >> Hi all,
> > >>
> > >> It looks like the additional image file type support in 0.103.1 has
> > >> introduced an issue with a particular signature which has been in
> > >> the database since 2018
> > >>
> > >>  Img.Exploit.CVE_2018_4904-6449838-0
> > >>
> > >> It's flagging up thousands of known-good files. As far as I can
> > >> tell, they're all TIFF files.
> > >>
> > >> I've added that signature to an ign2 file for now, but I'm
> > >> wondering if there's something else that's maybe amiss somewhere
> > >> either with the signature or the 0.103.1 update?
> > >>
> > >> Best regards,
> > >> Mark
> > >>
> > >> _______________________________________________
> > >>
> > >> clamav-devel mailing list
> > >> clamav-devel@lists.clamav.net
> > >> https://lists.clamav.net/mailman/listinfo/clamav-devel
> > >>
> > >> Please submit your patches to our Github:
> > >> https://github.com/Cisco-Talos/clamav-devel/pulls
> > >>
> > >> Help us build a comprehensive ClamAV guide:
> > >> https://github.com/vrtadmin/clamav-faq
> > >>
> > >> http://www.clamav.net/contact.html#ml