severity 484670 normal
thanks

This one time, at band camp, Torsten Jerzembeck said:
> Severity: grave
> Justification: renders package unusable

Really, calm down.

> When using external archivers to process files, clamscan fails to
> detect malware in many cases. This is due to the fact that the filetype
> detection code (clamscan/manager.c lines 708 ff.) matches the filename
> against a hardcoded list of extensions (e.g. ".zip", ".rar", ".arj"
> etc.). The external archiver is only called if the filename matches the
> extension.
> 
> This obviously breaks the detection in cases where the filename doesn't
> contain the required extension. Most cases of self-extracting archives
> use ".exe" as an extension and thus aren't recognized at all. This
> creates a huge gap ("wide open barndoor" would be the precise term, I
> think), as very many cases of Windows malware come in the form of
> self-extracting archives. Also, this breaks in cases where suspicious
> files are scanned in a quarantine, using the MD5 sum as a filename.

What gives you the impression that .exe files aren't scanned?

> Libclamav already contains code to recognize the file format
> independently of a filetype extension (libclamav/scanners.c, lines 1554
> ff., function cli_scanraw). This could/should be used to detect the
> filetype when deciding whether to call an external archiver to process a
> file.

If clamscan doesn't use an external unpacker, it falls back to the
internal one, which is by and large good enough (for everything but rar,
as you note).

> This bug has also been opened in the upstream bugzilla
> (<https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1051>). However,
> Debian is affected more than other distributions due to the fact that
> clamscan on Debian relies on an external unrar in order to scan RAR
> archives (because of the licensing issues). This bug means that
> self-extracting RAR archives ARE NOT SCANNED correctly on Debian
> systems. Many forms of (especially Windows) malware spread as
> self-extracting RAR archives and ARE NOT DETECTED by Debian clamav
> installations.

THERE IS NO NEED TO SHOUT.

The issue about rar files is true.  Whether it's a bug in the package or
not is debatable, as it's certainly done on purpose by me with every
upload, and not some accident or bad code path.

I'll see if upstream is interested in calling their native filetype
routines and add that to the list for choosing an external unpacker.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
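
The gap discussed in this thread, as an added example that is not part of the original message and is not ClamAV's code: choosing an unpacker by filename extension compared with choosing it by looking for the RAR marker in the file content. The function names, file names and sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Extension match against a hardcoded list, as the report describes.
 * Hypothetical helper, not the code in clamscan/manager.c. */
static int archive_by_extension(const char *name)
{
    static const char *exts[] = { ".zip", ".rar", ".arj" };
    const char *dot = strrchr(name, '.');
    size_t i;
    for (i = 0; dot && i < sizeof(exts) / sizeof(exts[0]); i++)
        if (strcasecmp(dot, exts[i]) == 0)
            return 1;
    return 0;
}

/* Content match: search the whole buffer for the RAR marker, since a
 * self-extracting archive has an executable stub in front of it.
 * "Rar!\x1a\x07" is the prefix shared by the RAR 4.x and 5.x markers.
 * A production check would also validate the header that follows. */
static int rar_by_content(const unsigned char *buf, size_t len)
{
    static const unsigned char sig[] = { 'R', 'a', 'r', '!', 0x1a, 0x07 };
    size_t i;
    for (i = 0; i + sizeof(sig) <= len; i++)
        if (memcmp(buf + i, sig, sizeof(sig)) == 0)
            return 1;
    return 0;
}

/* Constructed sample: a few bytes of "MZ" stub, then a RAR 4.x marker. */
static const unsigned char SAMPLE_SFX[] = {
    'M', 'Z', 0x90, 0x00, 0x03, 0x00, 0x00, 0x00,
    'R', 'a', 'r', '!', 0x1a, 0x07, 0x00
};

int main(void)
{
    /* Constructed names: an .exe and an MD5-style quarantine name. */
    const char *names[] = { "setup.exe", "0123456789abcdef0123456789abcdef" };
    size_t i;
    for (i = 0; i < 2; i++)
        printf("%-34s extension=%d content=%d\n", names[i],
               archive_by_extension(names[i]),
               rar_by_content(SAMPLE_SFX, sizeof(SAMPLE_SFX)));
    return 0;
}
```

Both constructed names fail the extension check while the content check finds the marker, which is the case where an extension-only dispatcher never calls the external unrar.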
