Certain RAR archives (for example some archives produced by the Bagle virus) can RAR processor of clamav, leading to a denial of service.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
The info about this bug from Bugtraq (http://www.securityfocus.com/bid/9897/info/) suggests to update to 0.68, not 0.70rc. Therefore (since marking an rc as stable in portage is IMHO not a good idea) the security update in the GLSA (if there will be one) should be 0.68, not 0.70rc.
4 days and pending in critical state.. I'll bump this on behalf of the antivirus herd as it seems they are too busy to notice this bug.
Updated in portage as clamav-0.68 KEYWORDS="~x86 ~ppc ~sparc ~mips ~alpha ~hppa ~amd64 ~ia64". Arch maintainers please test and mark stable when ready.
Stable on AMD64, removing from CC.
stable on sparc.
Version 0.68 doesn't solve the problem with RAR archives, but disables RAR archive support completely. Version 0.68-1 does solve the problem. Before marking 0.68 as stable, I think we should jump to 0.68-1 instead. Otherwise all Beagle RAR archives will be ignored!
i'm using 0.70rc on 3 machines running stable and faster than 0.6x ..
0.68.1 in portage (aka 0.68-1) please test and mark stable :)
Does someone have an infected rar file we can use for testing?
clamav should also probably have a crypt useflag that pulls in gmp as the clamav config script will disable digital certificate support (used to check the validity of the db mirrors) if it is not available or gmp version 2 or above is not installed.
1) just try to scan a .rar archive ;) 2) true .. please add a bug for the gmp dep bug or i'll forget it again (planned to do b4 ;) (in a hurry now ;) regards
I don't have any rar archives, so I can't test them. Providing a test or two for everyone will help expedite this. Additionally, without the gmp fix it's very hard to ensure people are fully testing clamav before marking it stable, since some people may not be building digital certificate support if they don't have gmp (which is how i found the dependency). If you really want a second bug that's fine but it should really be included in 0.68.1 for the GLSA (imo at least).
stable on hppa
dep for dev-libs/gmp is in. i added a dep for the dev-libs/gmp version i compiled it with. ppc, mips, hppa ppl please test dev-libs/gmp too and bump to stable first (maybe the lower version works too but it is marked stable on less archs than the newer one.)
I put the eicar test virus in raw, rar'd and layered compressed formats here: http://dev.gentoo.org/~cjr/testvirus/
need to draft GLSA -- who wants this one?
what do u mean 'wants' it?
Just asking one of the security folks to handle writing up the GLSA. Move along, nothing to see here. :)
Thanks for the rar archives Chris :) With using clamscan on both ~x86 and ~sparc using version 0.68.1 I get the following error scanning the provided rar archive:

eicar-test.rar: RAR module failure

If we want to go ahead with that, let me know and I'll stabilize on sparc. If not, what's the next course of action?
Marked clamav-0.68.1.ebuild stable on alpha and ia64, removing from cc
>> eicar-test.rar: RAR module failure

It should report the virus and not break, right?
Correct, clamscan should be able to see the virus in the RAR and report on it. However the clamav docs do mention that the rar support is extremely experimental and may not work correctly. So it seems like the DoS may be fixed but the program is possibly not functioning as desired.
i posted this link to clamav-users mailinglist. i hope someone who really knows about this will comment on it.
out of curiosity Jason, did it detect the non rar variants ok?
feel free to disagree with me, but as long as the DoS is fixed (and because it sounds like this problem isn't a severe one that prevents the entire program from working) I'd rather mark this stable now so we can issue the GLSA and inform our users of the vulnerability. Jason -- thoughts?
@klieber: /me agrees, i'd rather have my AV program miss one virus than crash completely
I just wanted to make sure people were aware of the fact that the RAR scanning wasn't working, 0.70_rc has the same problem, so it's not unique to 0.68.1 (which is already stable on sparc). So let the GLSA roll. Chris: The regular gzip and bzip2 files as well as the uncompressed .com file were detected correctly as a virus.
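The testing described in the comments above (eicar in raw, gzip, bzip2 and rar form, with the rar producing "RAR module failure" instead of a verdict) is easy to get wrong if you only count FOUND lines. The following is an added example, not code from this bug or from ClamAV: it parses clamscan's per-file output and reports a "module failure" as an unscanned file rather than a clean one. The scan output and file paths are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed clamscan output modelled on the results reported in this bug:
# the .com, .gz and .bz2 samples are detected, the .rar hits "RAR module failure".
SAMPLE_OUTPUT = """\
/tmp/testvirus/eicar.com: Eicar-Test-Signature FOUND
/tmp/testvirus/eicar.com.gz: Eicar-Test-Signature FOUND
/tmp/testvirus/eicar.com.bz2: Eicar-Test-Signature FOUND
/tmp/testvirus/eicar-test.rar: RAR module failure
/tmp/testvirus/README: OK

----------- SCAN SUMMARY -----------
Scanned files: 5
Infected files: 3
"""

# Files we expect a detection for (constructed list matching SAMPLE_OUTPUT).
EXPECTED_INFECTED = [
    "/tmp/testvirus/eicar.com",
    "/tmp/testvirus/eicar.com.gz",
    "/tmp/testvirus/eicar.com.bz2",
    "/tmp/testvirus/eicar-test.rar",
]

LINE_RE = re.compile(r"^(?P<path>/.+?): (?P<verdict>.+)$")

def classify(verdict: str) -> str:
    """FOUND for a detection, CLEAN for an explicit OK, ERROR for anything else.
    A module failure means the file was never really scanned, so it is not CLEAN."""
    if verdict.endswith(" FOUND"):
        return "FOUND"
    if verdict == "OK":
        return "CLEAN"
    return "ERROR"

def parse_scan(output: str) -> dict[str, str]:
    """Map each scanned path to FOUND/CLEAN/ERROR; stop at the summary block."""
    results: dict[str, str] = {}
    for line in output.splitlines():
        if line.startswith("---"):
            break
        m = LINE_RE.match(line)
        if m:
            results[m.group("path")] = classify(m.group("verdict"))
    return results

def coverage(output: str, expected_infected: list[str]) -> dict[str, list[str]]:
    """Split the expected-infected test set into detected, errored and missed."""
    results = parse_scan(output)
    report: dict[str, list[str]] = {"detected": [], "errors": [], "missed": []}
    for path in expected_infected:
        state = results.get(path, "CLEAN")
        key = {"FOUND": "detected", "ERROR": "errors"}.get(state, "missed")
        report[key].append(path)
    return report
```

Run against real output (`clamscan -r /tmp/testvirus`), a non-empty `errors` list tells you the container format was not scanned at all, which is the situation the thread decided to ship with.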
The newer version is stable on ppc.
We still need stable on x86 before a GLSA can go out on this one. -K
.68.1 is stabled on x86, sorry for the delay
GLSA 200404-07