This one time, at band camp, Hendrik Weimer said:
> While the new 0.88.7 version fixes CVE-2006-6406 and CVE-2006-6481, the
> update introduces another flaw that lets viruses pass undetected. If a
> virus is nested deeper than the --max-mail-recursion limit, the file
> will pass and ClamAV's exit code indicates that the file was scanned
> properly.
> 
> Again, details, PoC, and discussion can be found at
> http://www.quantenblog.net/security/virus-scanner-bypass.

I'm not sure what clamav should do here.  What algorithm do you suggest
for infinitely recursive scanning without memory exhaustion or other
physical limits being hit?

We could return OverNesteded.MIME as the virus name, I suppose, but I
have had plenty of complaints over the years about the various block max
settings, so I'm not sure this is always the right thing to do either.
We could change clamscan's exit code, but that of course doesn't do
anything for the people who don't use clamscan - exiscan uses a direct
socket to clamd, dansguardian uses a public library API, etc.

So, suggestions?
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
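
The trade-off raised in this thread, sketched as an added example (not ClamAV code and not written by either poster): a depth-bounded scan that returns a distinct "limit exceeded" verdict instead of "clean", leaving the block-or-deliver decision to the caller. The names `Verdict`, `scan`, `deliver`, `nest` and `MARKER` are hypothetical, and the marker string stands in for a real signature match.

```python
from email.message import EmailMessage
from enum import Enum

MARKER = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed stand-in for a signature hit

class Verdict(Enum):
    CLEAN = "clean"
    INFECTED = "infected"
    LIMIT_EXCEEDED = "limit-exceeded"  # scan incomplete, not a clean result

def scan(part, max_mail_depth, depth=0):
    """Scan a parsed message; depth counts nested message/rfc822 levels."""
    if part.get_content_type() == "message/rfc822":
        depth += 1
        if depth > max_mail_depth:
            return Verdict.LIMIT_EXCEEDED  # stop descending, but say so
    if part.is_multipart():
        worst = Verdict.CLEAN
        for child in part.get_payload():
            result = scan(child, max_mail_depth, depth)
            if result is Verdict.INFECTED:
                return result  # a definite hit outranks everything else
            if result is Verdict.LIMIT_EXCEEDED:
                worst = result
        return worst
    data = part.get_payload(decode=True) or b""
    return Verdict.INFECTED if MARKER in data else Verdict.CLEAN

def deliver(verdict, block_unscannable=True):
    """Gateway policy: the site, not the scanner, decides about unscanned mail."""
    if verdict is Verdict.LIMIT_EXCEEDED:
        return not block_unscannable
    return verdict is Verdict.CLEAN

def nest(levels):
    """Constructed sample: marker text wrapped in `levels` attached mails."""
    msg = EmailMessage()
    msg.set_content(MARKER.decode())
    for _ in range(levels):
        outer = EmailMessage()
        outer.set_content("wrapper")
        outer.add_attachment(msg)
        msg = outer
    return msg

if __name__ == "__main__":
    for levels in (0, 2, 3):
        v = scan(nest(levels), max_mail_depth=2)
        print(levels, v.value, "deliver" if deliver(v) else "block")
```

The sample is parsed in memory before scanning, so this shows only the verdict handling, not the memory bound a streaming scanner would also need.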
