Bug 248798 - app-antivirus/clamav-0.94.1: Freshclam will not download current daily definition file on new install
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Antivirus Team
URL: https://wwws.clamav.net/bugzilla/show...
Reported: 2008-11-25 17:08 UTC by Jeff Mitchell
Modified: 2008-11-28 22:27 UTC (History)
Description Jeff Mitchell 2008-11-25 17:08:21 UTC
The CVD files (main.cvd and daily.cvd) that contain the virus definitions contain a header with the build date.  On a normal install of ClamAV 0.94.1, this will have a build date of Oct. 30th.  The current database is Nov. 25th (today). When freshclam checks to see if it has the latest database, however, it doesn't use the file's CVD header date; rather it uses the modified date of the file itself.  On Gentoo, at least, the daily.cvd file is not installed with a fake timestamp, meaning that if you've just installed clamav, the freshclam program checks to see if the file on the servers is newer than *now*, which fails -- and freshclam has no native way to force re-downloading the file.

Especially if you are using clamd and don't notice the warning Clam gives about the database being more than 7 days old, this can make it seem like you are going to detect recent viruses when in fact you will not.  Even if users see the warning, they may think that it's spurious since freshclam keeps saying the updates were successful.  This is a security problem if any reliance is placed on the Clam scan being accurate.

Here's the output of freshclam -v...note that this was installed today:

heifertosh src # freshclam -v
Current working dir is /var/lib/clamav
Max retries == 3
ClamAV update process started at Tue Nov 25 11:34:10 2008
Using IPv6 aware code
Querying current.cvd.clamav.net
WARNING: Can't query current.cvd.clamav.net
WARNING: Invalid DNS reply. Falling back to HTTP mode.
Connecting via [proxy]
If-Modified-Since: Tue, 25 Nov 2008 16:29:40 GMT
Reading CVD header (main.cvd): Connected to database.clamav.net (IP: [proxy IP address]).
Trying to retrieve CVD header of http://database.clamav.net/main.cvd
OK (IMS)
main.cvd is up to date (version: 49, sigs: 437972, f-level: 35, builder: sven)
Connecting via [proxy]
If-Modified-Since: Tue, 25 Nov 2008 16:29:40 GMT
Reading CVD header (daily.cvd): Connected to database.clamav.net (IP: [proxy IP]).
Trying to retrieve CVD header of http://database.clamav.net/daily.cvd
OK (IMS)
daily.cvd is up to date (version: 8542, sigs: 17493, f-level: 35, builder: ccordes)

You can see the If-Modified-Since: header.  Here's my daily.cvd file:

-rw-rw-r-- 1 clamav clamav 488709 2008-11-25 11:29 /var/lib/clamav/daily.cvd

And here is the start of the CVD header:

heifertosh fanfare # less /var/lib/clamav/daily.cvd
ClamAV-VDB:30 Oct 2008 14-23 +0000:8542:17493:35:ac30b198..........

The current version (as of this writing) is 8679 (the version in the above file is 8542).

There are two ways to actually get it to properly update.

1) Download daily.cvd manually from http://database.clamav.net/daily.cvd
and copy it to the appropriate place, overwriting the old daily.cvd.
2) Delete the daily.cvd and re-run freshclam.

I'm going to report this upstream, but at least as a stopgap measure it may be good for the Gentoo package to use a fake installation time on the daily.cvd file so that freshclam works.

Reproducible: Always

Steps to Reproduce:
1. Newly install ClamAV on a system.
2. Freshclam will report success, but really fail.
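The mismatch the report describes (a CVD whose header build date is weeks older than the file's mtime, so an mtime-based If-Modified-Since check reports it as current) can be checked directly from the file. The following is an added example, not code from the bug report or from ClamAV: it parses the colon-separated CVD header shown above and compares the build time with the file's mtime and with the current time. The header digest and the temporary file are constructed for the demo.

```python
import datetime as dt
import os
import tempfile

# The CVD header is the colon-separated first line of a .cvd file, e.g.
#   ClamAV-VDB:30 Oct 2008 14-23 +0000:8542:17493:35:<md5>:...
# (build time, version, signature count, functionality level, digest, ...).

def parse_cvd_header(header: bytes) -> dict:
    """Extract build time, version, sig count and f-level from a CVD header."""
    fields = header.split(b":")
    if fields[0] != b"ClamAV-VDB" or len(fields) < 5:
        raise ValueError("not a ClamAV CVD header")
    built = dt.datetime.strptime(fields[1].decode("ascii"), "%d %b %Y %H-%M %z")
    return {"built": built, "version": int(fields[2]),
            "sigs": int(fields[3]), "flevel": int(fields[4])}

def check_cvd(path: str, now: dt.datetime, max_age_days: int = 7) -> dict:
    """Compare the header build time with the file mtime and with 'now'.

    mtime_masks_age is the situation from the report: the file on disk was
    written long after it was built, so an If-Modified-Since check keyed on
    mtime wrongly reports the database as current.
    """
    with open(path, "rb") as fh:
        hdr = parse_cvd_header(fh.read(512))
    mtime = dt.datetime.fromtimestamp(os.stat(path).st_mtime, tz=dt.timezone.utc)
    return {
        "version": hdr["version"],
        "age_days": (now - hdr["built"]).days,
        "too_old": now - hdr["built"] > dt.timedelta(days=max_age_days),
        "mtime_masks_age": mtime - hdr["built"] > dt.timedelta(days=1),
    }

def demo() -> dict:
    """Recreate the reporter's daily.cvd: built 30 Oct 2008, installed 25 Nov 2008."""
    # Constructed header; the digest field is a placeholder, not a real md5.
    header = b"ClamAV-VDB:30 Oct 2008 14-23 +0000:8542:17493:35:0000deadbeef:extra\n"
    fd, path = tempfile.mkstemp(suffix=".cvd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(header)
    installed = dt.datetime(2008, 11, 25, 16, 29, 40, tzinfo=dt.timezone.utc)
    os.utime(path, (installed.timestamp(), installed.timestamp()))
    try:
        return check_cvd(path, now=dt.datetime(2008, 11, 25, 17, 0, tzinfo=dt.timezone.utc))
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(demo())
```

Run against a real /var/lib/clamav/daily.cvd with `now=datetime.now(timezone.utc)`, a True `mtime_masks_age` together with a True `too_old` is exactly the state in which freshclam 0.94.1 reports success while the definitions are stale.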
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-11-25 17:44:16 UTC
(In reply to comment #0)
> This is a security problem if any reliance is placed
> on the Clam scan being accurate.

Weaker filters do not themselves allow crossing of trust boundaries, so this is not a security vulnerability of a system. You cannot safely rely on a virus scanner to identify bad code before running it.

Obviously, this is still a bug, so reassigning.
Comment 2 Jeff Mitchell 2008-11-25 18:00:04 UTC
(In reply to comment #1)
> Weaker filters do not themselves allow crossing of trust boundaries, so this is
> not a security vulnerability of a system.

I don't really follow what you're talking about here.  Who said anything about filters and trust boundaries?

> You cannot safely rely on a virus scanner to identify bad code before running it.

Well, the problem is that you can't rely on ClamAV to identify the bad code *after* running it either.  I see this as a security vulnerability, even if you don't.

Perhaps it is just my perspective, given that I have been given the responsibility of virus scanning files on a bunch of Gentoo file server boxes, to be completed by the end of the day, for a Windows worm that came out very recently.  This worm will not be picked up by the Oct. 30th daily.cvd that the clamav package installs with and that freshclam is saying is up-to-date when it isn't.  When I certify that I have scanned these files, and that they do not contain the worm, I put my neck on the line, saying that these files are clean when because of a flaw in freshclam they are not (necessarily).

It is easy to see how this can be exploited by a malicious user or program by placing or having infected files in an area where they will be scanned/certified "clean" and then redistributing them to trusting users and systems.

Upstream has confirmed the bug (#1305) and it sounds like they will use CVD header timestamps in future versions.  If you somehow still don't think this is a security issue, I hope someone will at least issue a -r1 that invalidates the daily.cvd mtime so that freshclam updates it properly when run.
Comment 3 Jeff Mitchell 2008-11-25 21:04:09 UTC
ClamAV folks say that it has been fixed and will be in 0.94.2 out tomorrow.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-11-26 16:56:56 UTC
Please do not move bugs to the Security component of the Gentoo Linux product, it is deprecated and should be removed.

(In reply to comment #2)
> I don't really follow what you're talking about here.  Who said anything about
> filters and trust boundaries?

Indirectly, you did. Our definition of a security issue is that a trust boundary must be crossed. Like when an application allows a user to do things it is not supposed to do. However, relying on a virus scanner is not a sufficient mechanism to identify bad code before executing it.

> It is easy to see how this can be exploited by a malicious user or program by
> placing or having infected files in an area where they will be
> scanned/certified "clean" and then redistributing them to trusting users and
> systems.

In that case the issue is either in users executing other people's programs or in their programs being vulnerable to the exploits.


> I hope someone will at least issue a -r1 that invalidates the
> daily.cvd mtime so that freshclam updates it properly when run.

Agreed.
Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-28 22:27:16 UTC
0.94.2 is in CVS.