Looks like we have another one! BC.Img.Exploit.CVE_2018_4891-6453673-2

This is generating loads of FPs as well. Curiously (and sorry for listing two
issues in one email) adding a bytecode signature name (with the .{} suffix) to
an ign2 file appears to have no effect. Any thoughts why this might be?

Best regards,
Mark

> On 16 Feb 2021, at 3:06 am, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
>
> It looks like BC.Img.Exploit.CVE_2017_11255-6335669-1 suffered the same lack
> of proper FP testing as the other TIFF signature, likely for the same
> reasons. After some time reviewing it, I agree that
> BC.Img.Exploit.CVE_2017_11255-6335669-1 should be dropped. This bytecode
> signature has a relatively high probability to FP on TIFF files that don't
> include a ColorMap in the IFD header(s), which is also fairly common.
> Reworking the signature is probably not worth the effort considering the
> CVE is from 2017.
>
> It should be dropped in the update tomorrow morning.
>
> Thanks for reaching out Mark.
>
> Regards,
> Micah
>
>> -----Original Message-----
>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of
>> Micah Snyder (micasnyd)
>> Sent: Monday, February 15, 2021 11:36 AM
>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>
>> Oh, sorry I misread your email. Needed more coffee. You were asking about
>> a different signature: BC.Img.Exploit.CVE_2017_11255-6335669-1
>> Will investigate.
>>
>> -Micah
>>
>>> -----Original Message-----
>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf
>>> Of Micah Snyder (micasnyd)
>>> Sent: Monday, February 15, 2021 10:28 AM
>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>
>>> Hi Mark,
>>>
>>> TL;DR: The type detection mismatch is fixed in the current daily + 0.103.1.
>>> The issue was with the signature. We didn't know about it because of
>>> the mismatch.
>>> You should've found that the offending signature was dropped on Saturday
>>> morning.
>>>
>>> Details:
>>>
>>> 0.103.1 introduced CL_TYPE_TIFF and changed TIFF file type recognition
>>> from:
>>> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
>>> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_GRAPHICS
>>> to:
>>> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF
>>> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF
>>>
>>> When FTM signatures are loaded from daily.cvd, it overrides the
>>> built-in FTM signatures. So it turns out that daily's FTM file had
>>> been missing the original CL_TYPE_GRAPHICS detection of TIFF files all
>>> this time, which would've been required for Target:5 signatures to
>>> alert on TIFF files. As a result, the signature in question "worked"
>>> in testing (with a single LDB file, using built-in FTM), but never
>>> worked during FP testing or in production (with a daily CVD file).
>>>
>>> When we added this to daily.ftm to support 0.103.1:
>>> 0:0:49492a00:TIFF Little Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
>>> 0:0:4d4d:TIFF Big Endian:CL_TYPE_ANY:CL_TYPE_TIFF:122
>>> ... all of a sudden a signature which was written for TIFF files
>>> started alerting on TIFF files (as it should've) because the new
>>> CL_TYPE_TIFF also alerts on Target:5 (graphics) types. We never added
>>> the CL_TYPE_GRAPHICS variant for 0.103.0 and prior, which is why it
>>> appeared to be an issue with 0.103.1. Perhaps we should? I'll ask MRT
>>> about it.
>>>
>>> Anyways, this is basically a reminder that we need to make sure daily
>>> FTM and libclamav's FTM are in sync.
>>>
>>> -Micah
>>>
>>>
>>>> -----Original Message-----
>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf
>>>> Of Mark Allan
>>>> Sent: Saturday, February 13, 2021 3:35 PM
>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>
>>>> Thanks.
>>>> I've just found another one too.
>>>>
>>>> BC.Img.Exploit.CVE_2017_11255-6335669-1
>>>>
>>>> It's triggering on a file that's been part of macOS for many years.
>>>> It's also a tiff file. I can submit this as well if necessary?
>>>>
>>>> Out of interest, is the type detection mismatch something that can
>>>> be fixed in daily.cvd or can I patch libclamav/filetypes_int.h to
>>>> revert it to what it was at 0.103.0?
>>>>
>>>> Mark
>>>>
>>>>> On 12 Feb 2021, at 5:23 am, Micah Snyder (micasnyd)
>>>>> <micas...@cisco.com> wrote:
>>>>>
>>>>> It appears to me to be an issue with the signature which is only
>>>>> evident in 0.103.1 now that we're matching TIFFs with Target:5
>>>>> signatures, like this one.
>>>>>
>>>>> There was apparently a mismatch for TIFF file type detection
>>>>> between the file type magic signatures built-in to libclamav
>>>>> (libclamav/filetypes_int.h) and the .ftm sigs shipped with daily.cvd
>>>>> (which override the internal ones when loaded).
>>>>>
>>>>> I'll ask to have the signature dropped and re-evaluated.
>>>>>
>>>>> -Micah
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On
>>>>>> Behalf Of Micah Snyder (micasnyd)
>>>>>> Sent: Thursday, February 11, 2021 8:27 PM
>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>
>>>>>> Thank you Mark! We'll take a look.
>>>>>>
>>>>>> -Micah
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On
>>>>>>> Behalf Of Mark Allan
>>>>>>> Sent: Thursday, February 11, 2021 3:54 PM
>>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>>>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>>
>>>>>>> Hi Micah,
>>>>>>>
>>>>>>> Yes of course!
>>>>>>> I've just uploaded a zip file (Archive.zip) to the FP page on
>>>>>>> clamav.net
>>>>>>> MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a
>>>>>>>
>>>>>>> Regards
>>>>>>> Mark
>>>>>>>
>>>>>>>> On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd)
>>>>>>>> <micas...@cisco.com> wrote:
>>>>>>>>
>>>>>>>> Hi Mark,
>>>>>>>>
>>>>>>>> Do you think you could share a sample or two with me to test?
>>>>>>>> I'm really curious what changed and would like to debug each
>>>>>>>> version with a sample or two.
>>>>>>>>
>>>>>>>> -Micah
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On
>>>>>>>>> Behalf Of Mark Allan
>>>>>>>>> Sent: Monday, February 8, 2021 3:04 AM
>>>>>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>>>>>>> Subject: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> It looks like the additional image file type support in
>>>>>>>>> 0.103.1 has introduced an issue with a particular signature
>>>>>>>>> which has been in the database since 2018.
>>>>>>>>>
>>>>>>>>> Img.Exploit.CVE_2018_4904-6449838-0
>>>>>>>>>
>>>>>>>>> It's flagging up thousands of known-good files. As far as I
>>>>>>>>> can tell, they're all TIFF files.
>>>>>>>>>
>>>>>>>>> I've added that signature to an ign2 file for now, but I'm
>>>>>>>>> wondering if there's something else that's maybe amiss
>>>>>>>>> somewhere either with the signature or the 0.103.1 update?
>>>>>>>>>
>>>>>>>>> Best regards,
>>>>>>>>> Mark
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>>
>>>>>>>>> clamav-devel mailing list
>>>>>>>>> clamav-devel@lists.clamav.net
>>>>>>>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
>>>>>>>>>
>>>>>>>>> Please submit your patches to our Github:
>>>>>>>>> https://github.com/Cisco-Talos/clamav-devel/pulls
>>>>>>>>>
>>>>>>>>> Help us build a comprehensive ClamAV guide:
>>>>>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>>>>>
>>>>>>>>> http://www.clamav.net/contact.html#ml