Package: amavisd-new
Version: 1:2.6.2-1
Severity: grave
Tags: security
Justification: allows viruses to get through undetected

Verified to be a regression from 2.6.1 to 2.6.2, so it is not in Lenny.

Something is breaking amavisd-new detection of INFECTED messages when the AV
code returns more than one virus match.  This happens with clamav, both in
daemon mode and command-line mode.  I have not tested with other AV engines,
but the fact that it hits both the command-line mode and the daemon mode
makes it probable that it will also trigger with other AVs.

The bug is triggered only when multiple virus signatures are found (in
different parts, I didn't test more than one per part).  This is rare in the
field when only standard clamav signatures are in use, since usually the
detectable payload shows up in the message only once.

HOWEVER, anyone making use of keep_decoded_original_maps and decode_parts to
have the raw message and the decoded message available to the AV engine WILL
hit the bug.  And that's a common enough setup to be cause for worry.

I am trying to debug this, but I thought it better to send the bug in as a
warning ASAP.

The simplest test vector I have is to send an email with two copies of the
EICAR signatures attached as text files.  The clamav log clearly shows that
both parts were detected as infected, but amavis fails to consider the
message to be INFECTED, and lets it through as CLEAN.

Another easy way to test it (be extremely careful, this will cause EVERY
infected message to get through undetected) is to change
keep_decoded_original_maps to match "MAIL" so that the raw message is
available, and keep decode_parts enabled.  This causes two copies of the
virus to be extracted to the scratch area, and clamav will find and report
both, triggering the bug.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
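A small regression check for the failure mode the report describes, added here as an example; it is not part of the bug report and not amavisd-new's own code. It builds the "two EICAR attachments" test message, parses scanner output in clamscan's one-line-per-file "path: Signature FOUND" format (an assumption about the input a practitioner would feed it; the sample output and paths are constructed, and a placeholder stands in for the EICAR string), and checks the invariant the report says is violated: any number of matches, including more than one, must yield INFECTED, never CLEAN.

```python
"""Regression check: a message whose parts produce more than one AV match
must still be classified INFECTED.  Added example; nothing here talks to a
real scanner, and the scanner output below is constructed."""

from email.message import EmailMessage
import re

# Stand-in for the EICAR test string.  Substitute the real string when
# running the generated message through an actual scanner.
EICAR_PLACEHOLDER = "EICAR-TEST-STRING-PLACEHOLDER"

# clamscan/clamdscan report one line per file: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def build_test_message(copies: int = 2) -> EmailMessage:
    """Build a multipart message with `copies` text attachments carrying the
    test string, mirroring the report's "two copies of EICAR" test vector."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "multi-match regression test"
    msg.set_content("body text")
    for i in range(copies):
        msg.add_attachment(EICAR_PLACEHOLDER, filename=f"eicar{i}.txt")
    return msg


def parse_scanner_output(text: str) -> list[tuple[str, str]]:
    """Collect every (path, signature) pair from clamscan-style output.
    All FOUND lines are kept, not only the first one."""
    return [(m.group("path"), m.group("sig"))
            for line in text.splitlines()
            if (m := FOUND_RE.match(line.strip()))]


def classify(matches) -> str:
    """The invariant the content filter must uphold: one match or many,
    the message is INFECTED; only zero matches is CLEAN."""
    return "INFECTED" if matches else "CLEAN"


# Constructed output for a scratch area holding two extracted copies of the
# test file (raw message plus decoded part) and one clean part.
SAMPLE_OUTPUT = """\
/tmp/amavis-scratch/parts/p001: Eicar-Test-Signature FOUND
/tmp/amavis-scratch/parts/p002: Eicar-Test-Signature FOUND
/tmp/amavis-scratch/parts/p003: OK

----------- SCAN SUMMARY -----------
Infected files: 2
"""


def regression_check(output: str = SAMPLE_OUTPUT) -> dict:
    """Return the match count and verdict for a scanner output blob."""
    matches = parse_scanner_output(output)
    return {"matches": len(matches), "verdict": classify(matches)}


if __name__ == "__main__":
    msg = build_test_message()
    print(msg.get_content_type(), "with",
          len(list(msg.iter_attachments())), "attachments")
    print(regression_check())
```

To use it against a real installation, write `build_test_message().as_bytes()` to a file, feed it through the filter, and confirm the final verdict matches what `regression_check` returns for the scanner's own output: if the scanner log shows two FOUND lines but the message is passed as CLEAN, the regression is present.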


