tomek-clam-devel at lodz
Sep 22, 2003, 9:17 AM
Post #2 of 6
On Sun, 21 Sep 2003 at 21:49:31 -0700, Tom Brown wrote:
Re: spoolfile that segfaults clamav 0.60 (not the empty part issue) Re: off list was ... Re: [Clamav-virusdb] email submission for viruses?
[In reply to]
> On Sun, 21 Sep 2003, Luca 'NERvOus' Gibelli wrote:
> ?? I expect it'll bounce, since I'm not subscribed. Please forward it if
> you don't see it there.
> > Security bugs should be sent via private mail to Tomasz Kojm
> > (kojm [at] users).
> hhmm, the ability to hang clamd could be considered a security bug... sure
> wreaks havoc with our systems... :-(
> /:home:~> clamscan --mbox bad.mbox
> Segmentation fault (core dumped)
> /:home:~> clamscan --version
> clamscan / ClamAV version 0.60
At my place, 'clamscan --mbox bad.mbox' doesn't coredump, just warns:
LibClamAV Warning: Empty attachment not saved
$ clamscan --version
clamscan / ClamAV version 0.60+BugFixesFromCVS-20030829
(from the Debian package).
> bad.mbox is attached, it's just a single small message ... although it may
In fact, there are 2 messages; mutt shows:
q:Quit d:Del u:Undel s:Save m:Mail r:Reply g:Group ?:Help
1 N 20.09.03 owner-sotd (7.7K)
2 21.09.03 Mail System Interna (0.3K) DON'T DELETE THIS MESSAGE -- FOLDER
don't mind it, just to be precise.
> well be misformatted... pine shows it as empty... then again, we are using
> mime-defang and I think it would have been the decoded contents that were
> given to clamd ...
The message from owner-sotd is heavily misformatted!
Even so good MUA like mutt shows the text part of that message as:
r [at] Promotion_Email using -f
Received: from Administrator (pool-68-161-142-58.ny325.east.verizon.net [68.161.
by star3.baremetal.com (8.12.10/8.12.9) with ESMTP id h8KArWNW014741
for <sotd [at] kididdles>; Sat, 20 Sep 2003 03:53:33 -0700
Message-Id: <200309201053.h8KArWNW014741 [at] star3>
From: Web-master [at] Promotion_Email
To: sotd [at] kididdles
Subject: Most Cheapest Software Products!
Date: Fri, 05 Sep 03 04:20:12 Eastern Daylight Time
This is because lines are broken (further parts of the lines are moved
to new lines). See below:
> From owner-sotd Sat Sep 20 03:45:44 2003
> Received: from star3.baremetal.com (star3.baremetal.com [220.127.116.11])
> by mailman.baremetal.com (8.12.10/8.12.9) with ESMTP id h8KAjiBm022039
> for <sotd [at] mailman>; Sat, 20 Sep 2003 03:45:44 -0700
> Received: from star3.baremetal.com (localhost [127.0.0.1])
> by star3.baremetal.com (8.12.10/8.12.9) with ESMTP id h8KArYNV014766
> for <sotd [at] mailman>; Sat, 20 Sep 2003 03:53:34 -0700
> Received: (from kididdles [at] localhos)
> by star3.baremetal.com (8.12.10/8.12.10/Submit) id h8KArYhN014764
> for sotd [at] mailman; Sat, 20 Sep 2003 03:53:34 -0700
> X-Authentication-Warning: star3.baremetal.com: kididdles set sender to Web-maste
> r [at] Promotion_Email using -f
^^^ Instead of "Web-master [at] Promotion_Email using -f" there is:
r [at] Promotion_Email using -f"
> Received: from Administrator (pool-68-161-142-58.ny325.east.verizon.net [68.161.
^^^ Instead of "[18.104.22.168])"
> by star3.baremetal.com (8.12.10/8.12.9) with ESMTP id h8KArWNW014741
> for <sotd [at] kididdles>; Sat, 20 Sep 2003 03:53:33 -0700
> Message-Id: <200309201053.h8KArWNW014741 [at] star3>
> From: Web-master [at] Promotion_Email
> To: sotd [at] kididdles
> Subject: Most Cheapest Software Products!
> Date: Fri, 05 Sep 03 04:20:12 Eastern Daylight Time
> MIME-Version: 1.0
> Content-Type: multipart/mixed;boundary= "----=_NextPart_000_00C4_6670AD7C.A42FBC
That's why the attachment is seen as empty: instead of the string
"_NextPart_000_00C4_6670AD7C.A42FBC77" there is:
"_NextPart_000_00C4_6670AD7C.A42FBC" with "77" in the *next* line, which
is not valid.
So the boundary string doesn't match that declared earlier.
> Content-Type: text/html
> Content-Transfer-Encoding: base64
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek [at] lodz http://www.lodz.tpsa.pl/ | ones and zeros.