Summary: | clamav-0.82 has false Exploit.W32.MS05-002 positives | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Jakub Moc (RETIRED) <jakub> |
Component: | Current packages | Assignee: | Antivirus Team <antivirus> |
Status: | VERIFIED TEST-REQUEST | ||
Severity: | critical | ||
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://lurker.clamav.net/thread/20050209.190624.3bbb8981.en.html | ||
Description
Jakub Moc (RETIRED)
2005-02-10 03:17:46 UTC
I already pointed out this problem in Bug 81075 but to no avail. :-(

Reproducible: Didn't try

Steps to Reproduce: I won't try to reproduce it - this is a production server and I do not have the required sample mails to test it elsewhere.

Actual Results: Please see:
http://lurker.clamav.net/thread/20050209.190624.3bbb8981.en.html
http://sourceforge.net/forum/forum.php?thread_id=1226202&forum_id=443243

Expected Results: No false positives, please! People want their mail!

Fix from http://lurker.clamav.net/message/20050208.154110.9cd5bde8.en.html

--- libclamav/special.c 5 Feb 2005 15:50:18 -0000 1.8 +++ libclamav/special.c 8 Feb 2005 14:47:06 -0000 1.9 @@ -224,6 +224,12 @@ return 0; } + if (memcmp(&form_type, "ACON", 4) != 0) { + /* Only scan MS animated icon files */ + /* There is a *lot* of broken software out there that produces bad RIFF files */ + return 0; + } + chunk_size = riff_endian_convert_32(chunk_size, big_endian); do { @@ -234,6 +240,6 @@ if (offset < chunk_size) { retval = 2; - }; + } return retval; }

Could you please try out clamav-0.82-r1, freshly landing on portage mirrors in a few hours? The patch is applied there. Sorry for not taking care of this earlier, I had some prior engagements.

Sure, I will give it a try. It will however take a day or two to report back, since this bug was filed solely upon reports of users who complained about losing innocent emails. So I need a few thousand email samples to pass through. ;-) Thanks.

Marking this as verified upstream as per http://lurker.clamav.net/message/20050214.003000.79670a95.en.html and obsoleted by Bug 81931 (ClamAV 0.83 is out and includes this patch). Thank you.

0.83 is now in portage, thanks. I'm marking 0.82-r1 stable, as it's 0.82 (which is marked stable) with this patch.
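
Review bot: in the first hunk of the patch above (libclamav/special.c, @@ -224,6 +224,12 @@), `memcmp(&form_type, "ACON", 4)` reads four bytes from the address of form_type with a hard-coded length, and the hunk does not show that form_type is a 4-byte object still holding the bytes exactly as read from the file. The check sits before `chunk_size = riff_endian_convert_32(chunk_size, big_endian);`, so it only works for both byte orders if form_type is never passed through the same conversion; a short comment stating that, or comparing with `sizeof(form_type)`, would make the assumption explicit. The new `return 0;` is also the value the preceding bail-out returns, so a caller cannot tell a skipped non-ACON file from one that was checked; the two adjacent comments could be merged into one that says the file is deliberately left unscanned by this check.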