Looks like we have another one!
        BC.Img.Exploit.CVE_2018_4891-6453673-2

This is generating loads of FPs as well.

Curiously (and sorry for listing two issues in one email) adding a bytecode 
signature name (with the .{} suffix) to an ign2 file appears to have no effect. 
Any thoughts why this might be?

Best regards,
Mark 

> On 16 Feb 2021, at 3:06 am, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
> 
> It looks like BC.Img.Exploit.CVE_2017_11255-6335669-1 suffered the same lack 
> of proper FP testing as the other TIFF signature, likely for the same 
> reasons.  After some time reviewing it, I agree that 
> BC.Img.Exploit.CVE_2017_11255-6335669-1 should be dropped.  This bytecode 
> signature has a relatively high probability to FP on TIFF files that don't 
> include a ColorMap in the IFD header(s), which is also fairly common.  
> Reworking the signature is probably not worth the effort considering
> the CVE is from 2017.
> 
> It should be dropped in the update tomorrow morning.
> 
> Thanks for reaching out Mark.
> 
> Regards,
> Micah
> 
>> -----Original Message-----
>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of
>> Micah Snyder (micasnyd)
>> Sent: Monday, February 15, 2021 11:36 AM
>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>> 
>> Oh, sorry I misread your email.  Needed more coffee.  You were asking about
>> a different signature: BC.Img.Exploit.CVE_2017_11255-6335669-1
>> Will investigate.
>> 
>> -Micah
>> 
>>> -----Original Message-----
>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf
>>> Of Micah Snyder (micasnyd)
>>> Sent: Monday, February 15, 2021 10:28 AM
>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>> 
>>> Hi Mark,
>>> 
>>> TL;DR:  The type detection mismatch is fixed in the current daily + 0.103.1.
>>> The issue was with the signature.  We didn't know about it because of
>>> the mismatch.  You should've found that the offending signature was
>>> dropped on Saturday morning.
>>> 
>>> Details:
>>> 
>>> 0.103.1 introduced CL_TYPE_TIFF and changed TIFF file type recognition
>>> from:
>>>  0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
>>>  0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
>>> to:
>>>  0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF
>>>  0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF
>>> 
>>> When FTM signatures are loaded from daily.cvd, it overrides the
>>> built-in FTM signatures.  So it turns out that daily's FTM file had
>>> been missing the original CL_TYPE_GRAPHICS detection of TIFF files all
>>> this time, which would've been required for Target:5 signatures to
>>> alert on TIFF files.  As a result, the signature in question "worked"
>>> in testing (with a single LDB file, using built-in FTM), but never
>>> worked during FP testing or in production (with a daily CVD file).
>>> 
>>> When we added this to daily.ftm to support 0.103.1:
>>>  0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
>>>  0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
>>> ... all of a sudden a signature which was written for TIFF files
>>> started alerting on TIFF files (as it should've) because the new
>>> CL_TYPE_TIFF also alerts on Target:5 (graphics) types.  We never added
>>> the CL_TYPE_GRAPHICS variant for 0.103.0 and prior, which is why it
>>> appeared to be an issue with 0.103.1.  Perhaps we should?  I'll ask MRT
>>> about it.
>>> 
>>> Anyways, this is basically a reminder that we need to make sure daily
>>> FTM and libclamav's FTM are in sync.
>>> 
>>> -Micah
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf
>>>> Of Mark Allan
>>>> Sent: Saturday, February 13, 2021 3:35 PM
>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>> 
>>>> Thanks. I've just found another one too
>>>> 
>>>>    BC.Img.Exploit.CVE_2017_11255-6335669-1
>>>> 
>>>> It's triggering on a file that's been part of macOS for many years.
>>>> It's also a tiff file. I can submit this as well if necessary?
>>>> 
>>>> Out of interest, is the type detection mismatch something that can
>>>> be fixed in daily.cvd or can I patch libclamav/filetypes_int.h to
>>>> revert it to what it was at 0.103.0?
>>>> 
>>>> Mark
>>>> 
>>>>> On 12 Feb 2021, at 5:23 am, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
>>>>> 
>>>>> It appears to me to be an issue with the signature which is only
>>>>> evident in 0.103.1 now that we're matching TIFFs with Target:5
>>>>> signatures, like this one.
>>>>> 
>>>>> There was apparently a mismatch for TIFF file type detection
>>>>> between the file type magic signatures built-in to libclamav
>>>>> (libclamav/filetypes_int.h) and the .ftm sigs shipped with daily.cvd
>>>>> (which override the internal ones when loaded).
>>>>> 
>>>>> I'll ask to have the signature dropped and re-evaluated.
>>>>> 
>>>>> -Micah
>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On
>>>>>> Behalf Of Micah Snyder (micasnyd)
>>>>>> Sent: Thursday, February 11, 2021 8:27 PM
>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>> 
>>>>>> Thank you Mark! We'll take a look.
>>>>>> 
>>>>>> -Micah
>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf
>>>>>>> Of Mark Allan
>>>>>>> Sent: Thursday, February 11, 2021 3:54 PM
>>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>> 
>>>>>>> Hi Micah,
>>>>>>> 
>>>>>>> Yes of course! I've just uploaded a zip file (Archive.zip) to
>>>>>>> the FP page on clamav.net
>>>>>>>         MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a
>>>>>>> 
>>>>>>> Regards
>>>>>>> Mark
>>>>>>> 
>>>>>>>> On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
>>>>>>>> 
>>>>>>>> Hi Mark,
>>>>>>>> 
>>>>>>>> Do you think you could share a sample or two with me to test?
>>>>>>>> I'm really curious what changed and would like to debug each
>>>>>>>> version with a sample or two.
>>>>>>>> 
>>>>>>>> -Micah
>>>>>>>> 
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On
>>>>>>>>> Behalf Of Mark Allan
>>>>>>>>> Sent: Monday, February 8, 2021 3:04 AM
>>>>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>>>>>>> Subject: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>>>> 
>>>>>>>>> Hi all,
>>>>>>>>> 
>>>>>>>>> It looks like the additional image file type support in
>>>>>>>>> 0.103.1 has introduced an issue with a particular signature
>>>>>>>>> which has been in the database since 2018
>>>>>>>>> 
>>>>>>>>>       Img.Exploit.CVE_2018_4904-6449838-0
>>>>>>>>> 
>>>>>>>>> It's flagging up thousands of known-good files. As far as I
>>>>>>>>> can tell, they're all TIFF files.
>>>>>>>>> 
>>>>>>>>> I've added that signature to an ign2 file for now, but I'm
>>>>>>>>> wondering if there's something else that's maybe amiss
>>>>>>>>> somewhere either with the signature or the 0.103.1 update?
>>>>>>>>> 
>>>>>>>>> Best regards,
>>>>>>>>> Mark
>>>>>>>>> 
>>>>>>>>> _______________________________________________
>>>>>>>>> 
>>>>>>>>> clamav-devel mailing list
>>>>>>>>> clamav-devel@lists.clamav.net
>>>>>>>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
>>>>>>>>> 
>>>>>>>>> Please submit your patches to our Github:
>>>>>>>>> https://github.com/Cisco-Talos/clamav-devel/pulls
>>>>>>>>> 
>>>>>>>>> Help us build a comprehensive ClamAV guide:
>>>>>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>>>>> 
>>>>>>>>> http://www.clamav.net/contact.html#ml

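The thread's root cause (an .ftm shipped in daily.cvd replaces libclamav's built-in file type magic table, so a Target:5 signature written for TIFF could only fire once daily.ftm actually classified TIFFs as a graphics type) is easy to model and to check for. The following is an added example, not ClamAV code and not anything Micah or Mark posted: it parses .ftm lines in their documented field layout (MagicType:Offset:HexMagic:Name:RequiredType:DetectedType[:MinFLEVEL[:MaxFLEVEL]], the trailing :122 in the quoted lines being the minimum FLEVEL), applies the "daily overrides built-in" loading rule, maps CL_TYPE_GRAPHICS and CL_TYPE_TIFF to Target 5 as the thread states, and reports any built-in magic that daily.ftm lacks or types differently. Only MagicType 0 (raw bytes at a fixed offset) is implemented, first match wins, the FLEVEL values 120 and 122 are illustrative, the PNG line is constructed filler for the unrelated rules daily did carry, and the TIFF headers are constructed minimal samples.

```python
"""Model of ClamAV FTM loading and Target:5 gating as described in the thread.
Added illustration, not ClamAV code; only MagicType 0 is modelled."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FtmRule:
    offset: int
    magic: bytes
    name: str
    required_type: str
    detected_type: str
    min_flevel: Optional[int]  # 7th .ftm field, e.g. the ":122" in the thread


def parse_ftm_line(line: str) -> FtmRule:
    """MagicType:Offset:HexMagic:Name:RequiredType:DetectedType[:MinFL[:MaxFL]]"""
    f = line.strip().split(":")
    if len(f) < 6:
        raise ValueError(f"malformed FTM line: {line!r}")
    if int(f[0]) != 0:
        raise NotImplementedError("only MagicType 0 (direct match) is modelled")
    min_fl = int(f[6]) if len(f) > 6 and f[6] else None
    return FtmRule(int(f[1]), bytes.fromhex(f[2]), f[3], f[4], f[5], min_fl)


def load_ftm(built_in: List[str], daily: Optional[List[str]]) -> List[FtmRule]:
    """Loading rule the thread turns on: an .ftm in daily.cvd replaces the
    built-in table outright; the two are not merged."""
    src = daily if daily is not None else built_in
    return [parse_ftm_line(l) for l in src if l.strip() and not l.startswith("#")]


def detect_type(rules: List[FtmRule], data: bytes, flevel: int) -> str:
    """First matching rule wins; no match leaves the file as CL_TYPE_ANY."""
    for r in rules:
        if r.required_type != "CL_TYPE_ANY":  # nested types are out of scope here
            continue
        if r.min_flevel is not None and flevel < r.min_flevel:
            continue  # rule is gated on the engine's functionality level
        if data[r.offset:r.offset + len(r.magic)] == r.magic:
            return r.detected_type
    return "CL_TYPE_ANY"


# Which Target number a detected type feeds; the CL_TYPE_TIFF -> 5 entry is
# what the thread states for 0.103.1.
TARGET_OF_TYPE = {"CL_TYPE_GRAPHICS": 5, "CL_TYPE_TIFF": 5}


def target5_sig_applies(rules: List[FtmRule], data: bytes, flevel: int) -> bool:
    """Would a Target:5 signature even be tried against this file?"""
    return TARGET_OF_TYPE.get(detect_type(rules, data, flevel)) == 5


def ftm_sync_report(built_in: List[FtmRule], daily: List[FtmRule]) -> Dict[str, str]:
    """The sync check the thread asks for: every built-in magic must be in
    daily with the same detected type.  Returns {hex_magic: problem}."""
    daily_map = {(r.offset, r.magic): r.detected_type for r in daily}
    problems: Dict[str, str] = {}
    for r in built_in:
        got = daily_map.get((r.offset, r.magic))
        if got is None:
            problems[r.magic.hex()] = f"missing from daily (built-in: {r.detected_type})"
        elif got != r.detected_type:
            problems[r.magic.hex()] = f"daily: {got}, built-in: {r.detected_type}"
    return problems


# Constructed rule sets, taken from the lines quoted in the thread.
BUILTIN_PRE_0103_1 = [
    "0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS",
    "0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS",
]
BUILTIN_0103_1 = [
    "0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF",
    "0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF",
]
# daily.ftm as the thread describes it: no TIFF lines.  PNG is constructed filler.
DAILY_WITHOUT_TIFF = ["0:0:89504e470d0a1a0a:PNG:CL_TYPE_ANY:CL_TYPE_GRAPHICS"]
DAILY_WITH_TIFF = DAILY_WITHOUT_TIFF + [
    "0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122",
    "0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122",
]
# Constructed minimal TIFF headers: "II*\0" / "MM\0*" followed by IFD offset 8.
TIFF_LE = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 8
TIFF_BE = b"MM\x00*\x00\x00\x00\x08" + b"\x00" * 8


def scenarios(data: bytes = TIFF_LE) -> Dict[str, bool]:
    """Can a Target:5 signature reach `data` in each setup?  FLEVEL 120 stands
    for an engine below the :122 gate, 122 for one at it (illustrative)."""
    return {
        "sig test, built-in FTM only": target5_sig_applies(
            load_ftm(BUILTIN_PRE_0103_1, None), data, 120),
        "production, old daily.ftm": target5_sig_applies(
            load_ftm(BUILTIN_PRE_0103_1, DAILY_WITHOUT_TIFF), data, 120),
        "0.103.1, new daily.ftm": target5_sig_applies(
            load_ftm(BUILTIN_0103_1, DAILY_WITH_TIFF), data, 122),
        "older engine, new daily.ftm": target5_sig_applies(
            load_ftm(BUILTIN_PRE_0103_1, DAILY_WITH_TIFF), data, 120),
    }


if __name__ == "__main__":
    for k, v in scenarios().items():
        print(f"{k:30s} Target:5 reachable = {v}")
    print(ftm_sync_report(load_ftm(BUILTIN_PRE_0103_1, None),
                          load_ftm(BUILTIN_PRE_0103_1, DAILY_WITHOUT_TIFF)))
```

Run as-is, the four scenarios reproduce the thread: the signature fires when tested against the built-in table alone, never fires in production against the old daily.ftm (no TIFF rule, so the file stays CL_TYPE_ANY), fires on 0.103.1 once the :122-gated CL_TYPE_TIFF lines land, and still does not fire on an older engine because that gate skips the new lines and no CL_TYPE_GRAPHICS variant was added. The sync report is the kind of check that would have caught the missing TIFF magic before a Target:5 signature was shipped.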