Thanks. I've just found another one too

        BC.Img.Exploit.CVE_2017_11255-6335669-1

It's triggering on a file that's been part of macOS for many years. It's also a 
tiff file. I can submit this as well if necessary?

Out of interest, is the type detection mismatch something that can be fixed in 
daily.cvd or can I patch libclamav/filetypes_int.h to revert it to what it was 
at 0.103.0?

Mark

> On 12 Feb 2021, at 5:23 am, Micah Snyder (micasnyd) <micas...@cisco.com> 
> wrote:
> 
> It appears to me to be an issue with the signature which is only evident in 
> 0.103.1 now that we're matching TIFFs with Target:5 signatures, like this 
> one.  
> 
> There was apparently a mismatch for TIFF file type detection between the file 
> type magic signatures built-in to libclamav (libclamav/filetypes_int.h) and 
> the .ftm sigs shipped with daily.cvd (which override the internal ones when 
> loaded).
> 
> I'll ask to have the signature dropped and re-evaluated. 
> 
> -Micah
> 
>> -----Original Message-----
>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of
>> Micah Snyder (micasnyd)
>> Sent: Thursday, February 11, 2021 8:27 PM
>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>> 
>> Thank you Mark! We'll take a look.
>> 
>> -Micah
>> 
>>> -----Original Message-----
>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf
>>> Of Mark Allan
>>> Sent: Thursday, February 11, 2021 3:54 PM
>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>> 
>>> Hi Micah,
>>> 
>>> Yes of course! I've just uploaded a zip file (Archive.zip) to the FP
>>> page on clamav.net
>>>     MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a
>>> 
>>> Regards
>>> Mark
>>> 
>>>> On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
>>>> 
>>>> Hi Mark,
>>>> 
>>>> Do you think you could share a sample or two with me to test.  I'm
>>>> really curious what changed and would like to debug each version
>>>> with a sample or two.
>>>> 
>>>> -Micah
>>>> 
>>>>> -----Original Message-----
>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On
>>>>> Behalf Of Mark Allan
>>>>> Sent: Monday, February 8, 2021 3:04 AM
>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>>> Subject: [Clamav-devel] Issue with FP only on 0.103.1
>>>>> 
>>>>> Hi all,
>>>>> 
>>>>> It looks like the additional image file type support in 0.103.1 has
>>>>> introduced an issue with a particular signature which has been in
>>>>> the database since 2018
>>>>> 
>>>>>   Img.Exploit.CVE_2018_4904-6449838-0
>>>>> 
>>>>> It's flagging up thousands of known-good files. As far as I can
>>>>> tell, they're all TIFF files.
>>>>> 
>>>>> I've added that signature to an ign2 file for now, but I'm
>>>>> wondering if there's something else that's maybe amiss somewhere
>>>>> either with the signature or the 0.103.1 update?
>>>>> 
>>>>> Best regards,
>>>>> Mark
>>>>> 
>>>>> _______________________________________________
>>>>> 
>>>>> clamav-devel mailing list
>>>>> clamav-devel@lists.clamav.net
>>>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
>>>>> 
>>>>> Please submit your patches to our Github:
>>>>> https://github.com/Cisco-Talos/clamav-devel/pulls
>>>>> 
>>>>> Help us build a comprehensive ClamAV guide:
>>>>> https://github.com/vrtadmin/clamav-faq
>>>>> 
>>>>> http://www.clamav.net/contact.html#ml