[Mimedefang] ClamAV 0.88 caution

David F. Skoll dfs at roaringpenguin.com
Wed Jan 11 11:35:44 EST 2006


Hi,

As you know, the Clam folks continue their tradition of security problems,
and have released version 0.88 to plug the latest hole discovered.

However, there seems to be a regression in 0.88 compared to 0.87.1.
The file http://www.roaringpenguin.com/msg-1212-47.zip contains an EICAR
test virus in a "deflate64" zip file.

Clam's built-in ZIP code doesn't handle deflate64, but the external
UNIX utility "unzip" does.  So in earlier versions, clamscan --unzip
msg-1212-47.zip finds the EICAR:

$ clamscan --unzip msg-1212-47.zip 
/home/dfs/msg-1212-47.zip: Zip module failure
Archive:  /home/dfs/msg-1212-47.zip
  inflating: eicar.com               
/tmp/clamav-364678599ce3d6be/eicar.com: Eicar-Test-Signature FOUND
/home/dfs/msg-1212-47.zip: Infected.Archive FOUND

whereas 0.88 reacts thus:

$ clamscan --unzip msg-1212-47.zip 
/home/dfs/msg-1212-47.zip: OK

I tried reading the Clam source code to figure out the difficulty,
but soon got lost in a maze of twisty little passages, all alike.

I have filed a bug report at clamav.net.

Regards,

David.
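
As an added illustration (not part of the original message, and not ClamAV or MIMEDefang code): a pre-scan check that reads each ZIP member's compression method and refuses to treat a scanner's "OK" as clean when a member uses a method the scanner's built-in ZIP code cannot decode, such as deflate64 (method 9). The supported-method set, the function names and the sample archive are assumptions constructed for this example.

```python
import io
import struct
import zipfile

# Compression method ids from the ZIP APPNOTE; 9 is Deflate64.
METHOD_NAMES = {0: "stored", 8: "deflate", 9: "deflate64", 12: "bzip2", 14: "lzma"}
# Assumption: the scanner's own ZIP code decodes only these methods.
SCANNER_SUPPORTED = {0, 8}


def unscannable_members(zip_bytes, supported=SCANNER_SUPPORTED):
    """Return [(member, method)] for members the scanner cannot decode."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Only the central directory is read; nothing is decompressed.
        for info in zf.infolist():
            if info.compress_type not in supported:
                label = METHOD_NAMES.get(info.compress_type,
                                         "method %d" % info.compress_type)
                flagged.append((info.filename, label))
    return flagged


def verdict(zip_bytes, scanner_says_clean):
    """Downgrade a clean result to UNSCANNED when coverage is incomplete."""
    if not scanner_says_clean:
        return "INFECTED"
    return "UNSCANNED" if unscannable_members(zip_bytes) else "CLEAN"


def make_sample(method):
    """Constructed sample: one-file zip whose headers claim `method`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.txt", "constructed test payload\n")
    data = bytearray(buf.getvalue())
    # Method field: offset 8 in the local header, 10 in the central header.
    struct.pack_into("<H", data, data.index(b"PK\x03\x04") + 8, method)
    struct.pack_into("<H", data, data.index(b"PK\x01\x02") + 10, method)
    return bytes(data)


if __name__ == "__main__":
    for m in (8, 9):
        sample = make_sample(m)
        print(m, verdict(sample, scanner_says_clean=True),
              unscannable_members(sample))
```

In a mail filter, an UNSCANNED result would typically be routed to quarantine or to an external unpacker rather than delivered as clean.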


