Mailing List Archive: ClamAV: devel

spoolfile that segfaults clamav 0.60 (not the empty part issue) Re: off list was ... Re: [Clamav-virusdb] email submission for viruses?



tbrown at baremetal

Sep 21, 2003, 10:19 PM

Post #1 of 6 (1020 views)
spoolfile that segfaults clamav 0.60 (not the empty part issue) Re: off list was ... Re: [Clamav-virusdb] email submission for viruses?

On Sun, 21 Sep 2003, Luca 'NERvOus' Gibelli wrote:

>
>
> I'm sitting at my desk, reconfiguring my network monitor, when the phone rings.
> Caller-ID tells me it's Tom Brown. I pick the receiver up and say:
>
>
> > what's the current suggested mechanism for bug reports? I've got a
>
> posting them to clamav-devel@ is the best thing you can do for normal bugs.

?? I expect it'll bounce, since I'm not subscribed. Please forward it if
you don't see it there.

> Security bugs should be sent via private mail to Tomasz Kojm
> (kojm [at] users).

hhmm, the ability to hang clamd could be considered a security bug... sure
wreaks havoc with our systems... :-(

/:home:~> clamscan bad.mbox
bad.mbox: OK

----------- SCAN SUMMARY -----------
Known viruses: 9615
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 Mb
I/O buffer size: 131072 bytes
Time: 0.413 sec (0 m 0 s)

/:home:~> clamscan --mbox bad.mbox
Segmentation fault (core dumped)

/:home:~> clamscan --version
clamscan / ClamAV version 0.60

bad.mbox is attached, it's just a single small message ... although it may
well be misformatted... pine shows it as empty... then again, we are using
mime-defang and I think it would have been the decoded contents that were
given to clamd ...

-Tom
Attachments: bad.mbox (9.07 KB)


tomek-clam-devel at lodz

Sep 22, 2003, 9:17 AM

Post #2 of 6 (1010 views)
Re: spoolfile that segfaults clamav 0.60 (not the empty part issue) Re: off list was ... Re: [Clamav-virusdb] email submission for viruses? [In reply to]

On Sun, 21 Sep 2003 at 21:49:31 -0700, Tom Brown wrote:
> On Sun, 21 Sep 2003, Luca 'NERvOus' Gibelli wrote:
>
> ?? I expect it'll bounce, since I'm not subscribed. Please forward it if
> you don't see it there.
>
> > Security bugs should be sent via private mail to Tomasz Kojm
> > (kojm [at] users).
>
> hhmm, the ability to hang clamd could be considered a security bug... sure
> wreaks havoc with our systems... :-(
>
[...]
> /:home:~> clamscan --mbox bad.mbox
> Segmentation fault (core dumped)
>
> /:home:~> clamscan --version
> clamscan / ClamAV version 0.60
>

At my place, 'clamscan --mbox bad.mbox' doesn't coredump, just warns:

LibClamAV Warning: Empty attachment not saved
bad.mbox: OK

$ clamscan --version
clamscan / ClamAV version 0.60+BugFixesFromCVS-20030829

(from the Debian package).

> bad.mbox is attached, it's just a single small message ... although it may

In fact, there are 2 messages; mutt shows:

q:Quit d:Del u:Undel s:Save m:Mail r:Reply g:Group ?:Help
1 N 20.09.03 owner-sotd (7.7K)
2 21.09.03 Mail System Interna (0.3K) DON'T DELETE THIS MESSAGE -- FOLDER

don't mind it, just to be precise.

> well be misformatted... pine shows it as empty... then again, we are using
> mime-defang and I think it would have been the decoded contents that were
> given to clamd ...
>
> -Tom

The message from owner-sotd is heavily misformatted!
Even such a good MUA as mutt shows the text part of that message as:

r [at] Promotion_Email using -f
Received: from Administrator (pool-68-161-142-58.ny325.east.verizon.net [68.161.
142.58])
by star3.baremetal.com (8.12.10/8.12.9) with ESMTP id h8KArWNW014741
for <sotd [at] kididdles>; Sat, 20 Sep 2003 03:53:33 -0700
Message-Id: <200309201053.h8KArWNW014741 [at] star3>
From: Web-master [at] Promotion_Email
To: sotd [at] kididdles
Subject: Most Cheapest Software Products!
Date: Fri, 05 Sep 03 04:20:12 Eastern Daylight Time
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="----=_NextPart_000_00C4_6670AD7C.A42FBC
77"
X-Priority: 3

This is because lines are broken (further parts of the lines are moved
to new lines). See below:

[...]
> From owner-sotd Sat Sep 20 03:45:44 2003
> Received: from star3.baremetal.com (star3.baremetal.com [216.86.113.236])
> by mailman.baremetal.com (8.12.10/8.12.9) with ESMTP id h8KAjiBm022039
> for <sotd [at] mailman>; Sat, 20 Sep 2003 03:45:44 -0700
> Received: from star3.baremetal.com (localhost [127.0.0.1])
> by star3.baremetal.com (8.12.10/8.12.9) with ESMTP id h8KArYNV014766
> for <sotd [at] mailman>; Sat, 20 Sep 2003 03:53:34 -0700
> Received: (from kididdles [at] localhos)
> by star3.baremetal.com (8.12.10/8.12.10/Submit) id h8KArYhN014764
> for sotd [at] mailman; Sat, 20 Sep 2003 03:53:34 -0700
> X-Authentication-Warning: star3.baremetal.com: kididdles set sender to Web-maste
> r [at] Promotion_Email using -f

^^^ Instead of "Web-master [at] Promotion_Email using -f" there is:
"Web-maste
r [at] Promotion_Email using -f"

> Received: from Administrator (pool-68-161-142-58.ny325.east.verizon.net [68.161.
> 142.58])

^^^ Instead of "[68.161.142.58])"
there is:
"[68.161.
142.58])".

> by star3.baremetal.com (8.12.10/8.12.9) with ESMTP id h8KArWNW014741
> for <sotd [at] kididdles>; Sat, 20 Sep 2003 03:53:33 -0700
> Message-Id: <200309201053.h8KArWNW014741 [at] star3>
> From: Web-master [at] Promotion_Email
> To: sotd [at] kididdles
> Subject: Most Cheapest Software Products!
> Date: Fri, 05 Sep 03 04:20:12 Eastern Daylight Time
> MIME-Version: 1.0
> Content-Type: multipart/mixed;boundary= "----=_NextPart_000_00C4_6670AD7C.A42FBC
> 77"

^^^
That's why the attachment is seen as empty: instead of the string
"_NextPart_000_00C4_6670AD7C.A42FBC77" there is:
"_NextPart_000_00C4_6670AD7C.A42FBC" with "77" in the *next* line, which
is not valid.

[...]

> ------=_NextPart_000_00C4_6670AD7C.A42FBC77
^^
So the boundary string doesn't match that declared earlier.

> Content-Type: text/html
> Content-Transfer-Encoding: base64
>
[...]

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek [at] lodz http://www.lodz.tpsa.pl/ | ones and zeros.
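The boundary mismatch Tomasz walks through above, as an added Python example that is not part of this thread and is not ClamAV code: a strict header splitter that refuses to treat an unindented line as a folded continuation, followed by a delimiter check that compares whole lines against `--boundary` as RFC 2046 requires. It is run over two constructed messages, one well formed and one with the Content-Type header broken across two lines exactly the way the spam above is. The function names (`split_message`, `declared_boundary`, `audit_mime`) and both sample messages are my own assumptions; only the boundary string is taken from the post.

```python
import re
from typing import Dict, List, Tuple

# RFC 2822 field name: printable US-ASCII except ':' , followed by ':'
HEADER_RE = re.compile(r"^[!-9;-~]+:")


def split_message(raw: str) -> Tuple[List[Tuple[str, str]], List[str], str]:
    """Split raw message text into (headers, stray_lines, body).

    Folded continuation lines (leading SP/HTAB) are joined to the previous
    header. A line in the header block that is neither a header nor a
    continuation (such as a bare `77"` left over from a hard line wrap) is
    recorded as a stray line rather than merged, which is what a strict
    parser sees.
    """
    headers: List[Tuple[str, str]] = []
    stray: List[str] = []
    lines = raw.split("\n")
    i = 0
    while i < len(lines) and lines[i] != "":
        line = lines[i]
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif HEADER_RE.match(line):
            name, _, value = line.partition(":")
            headers.append((name.lower(), value.strip()))
        else:
            stray.append(line)
        i += 1
    body = "\n".join(lines[i + 1:])  # everything after the blank separator
    return headers, stray, body


def declared_boundary(headers: List[Tuple[str, str]]) -> str:
    """Return the boundary parameter of the Content-Type header, or ''."""
    for name, value in headers:
        if name == "content-type":
            m = re.search(r'boundary\s*=\s*"?([^";\s]+)', value, re.IGNORECASE)
            if m:
                return m.group(1)
    return ""


def audit_mime(raw: str) -> Dict[str, object]:
    """Count body delimiter lines that exactly match the declared boundary.

    RFC 2046 defines the delimiter as "--" + boundary on a line of its own
    (trailing whitespace allowed). A prefix match would wrongly accept
    "...A42FBC77" as a delimiter for the truncated boundary "...A42FBC",
    so whole lines are compared.
    """
    headers, stray, body = split_message(raw)
    boundary = declared_boundary(headers)
    result: Dict[str, object] = {
        "boundary": boundary, "stray_header_lines": stray,
        "parts": 0, "closed": False,
    }
    if not boundary:
        return result
    open_delim = "--" + boundary
    close_delim = open_delim + "--"
    for line in body.split("\n"):
        s = line.rstrip()
        if s == open_delim:
            result["parts"] = int(result["parts"]) + 1
        elif s == close_delim:
            result["closed"] = True
    return result


# Constructed sample: a well-formed two-line-header message with one part.
GOOD_MESSAGE = "\n".join([
    "From: sender@example.invalid",
    "To: list@example.invalid",
    "Subject: constructed sample",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed;boundary="----=_NextPart_000_00C4_6670AD7C.A42FBC77"',
    "",
    "------=_NextPart_000_00C4_6670AD7C.A42FBC77",
    "Content-Type: text/html",
    "Content-Transfer-Encoding: base64",
    "",
    "PGh0bWw+aGVsbG88L2h0bWw+",
    "------=_NextPart_000_00C4_6670AD7C.A42FBC77--",
    "",
])

# Constructed sample: same message with the Content-Type header hard-wrapped
# so that the last two characters of the boundary land on an unindented line.
BROKEN_MESSAGE = GOOD_MESSAGE.replace(
    'boundary="----=_NextPart_000_00C4_6670AD7C.A42FBC77"',
    'boundary="----=_NextPart_000_00C4_6670AD7C.A42FBC\n77"',
)

if __name__ == "__main__":
    print("well formed:", audit_mime(GOOD_MESSAGE))
    print("hard wrapped:", audit_mime(BROKEN_MESSAGE))
```

For the well-formed message the audit reports one part and a closing delimiter; for the wrapped one it reports the truncated boundary, the stray `77"` line, and zero parts, which is the condition a scanner reports as an empty attachment. On a gateway, a multipart message whose declared boundary never matches a delimiter line is worth flagging for review rather than passing on the strength of an "OK" verdict, since a lenient client may still render content the scanner never looked at.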


bet at rahul

Sep 22, 2003, 9:55 AM

Post #3 of 6 (1007 views)
Re: spoolfile that segfaults clamav 0.60 (not the empty part issue) Re: off list was ... Re: [Clamav-virusdb] email submission for viruses? [In reply to]

(NB nothing important to clamav here, just clarifying a subtle
point)

2003-09-22T12:16:11 Tomasz Papszun:
> > bad.mbox is attached, it's just a single small message ... although it may
>
> In fact, there are 2 messages; mutt shows:
>
> q:Quit d:Del u:Undel s:Save m:Mail r:Reply g:Group ?:Help
> 1 N 20.09.03 owner-sotd (7.7K)
> 2 21.09.03 Mail System Interna (0.3K) DON'T DELETE THIS MESSAGE -- FOLDER

That's common. Pine, along with uw-imapd and the other
email-handling utilities in that family, uses a common library for
handling mailbox files. Its mbox handler always deposits one of
these "DON'T DELETE THIS MESSAGE..." things in it, to hold some
metadata the IMAP protocol likes, I believe. It's hidden by pine,
shows up in all other MUAs (like mutt) when accessing the folder
directly, or when a different popd or imapd, not based on that
library, views the mbox.

-Bennett


njh at bandsman

Sep 29, 2003, 6:20 AM

Post #4 of 6 (1013 views)
Re: spoolfile that segfaults clamav 0.60 (not the empty part issue) Re: off list was ... Re: [Clamav-virusdb] email submission for viruses? [In reply to]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday 22 Sep 2003 5:49 am, Tom Brown wrote:

> hhmm, the ability to hang clamd could be considered a security bug... sure
> wreaks havoc with our systems... :-(

> /:home:~> clamscan --mbox bad.mbox
> Segmentation fault (core dumped)
>
> /:home:~> clamscan --version
> clamscan / ClamAV version 0.60

I just tried it and got this:

[njh [at] nj tmp]$ clamscan --mbox bad.mbox
LibClamAV Warning: Empty attachment not saved
bad.mbox: OK
[njh [at] nj tmp]$ clamscan --version
clamscan / ClamAV version 20030829

- -Nigel

- --
Nigel Horne. Arranger, Composer, Conductor, Typesetter.
Owner of the brass band group of the Internet. ICQ#20252325
njh [at] bandsman http://www.bandsman.co.uk/music.htm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/eDE4Ov/MqfDWaY8RAhzbAJ91gjQaTKcfoXzoE5jjuuK7+bkOpwCfSVf9
hC71vY56CnAiepH4TWtJUVM=
=PMju
-----END PGP SIGNATURE-----


tbrown at baremetal

Sep 29, 2003, 12:05 PM

Post #5 of 6 (1013 views)
Re: spoolfile that segfaults clamav 0.60 (not the empty part issue) Re: off list was ... Re: [Clamav-virusdb] email submission for viruses? [In reply to]

On Mon, 29 Sep 2003, Nigel Horne wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Monday 22 Sep 2003 5:49 am, Tom Brown wrote:
>
> > hhmm, the ability to hang clamd could be considered a security bug... sure
> > wreaks havoc with our systems... :-(
>
> > /:home:~> clamscan --mbox bad.mbox
> > Segmentation fault (core dumped)
> >
> > /:home:~> clamscan --version
> > clamscan / ClamAV version 0.60
>
> I just tried it and got this:

yes, I know better now...

> [njh [at] nj tmp]$ clamscan --mbox bad.mbox
> LibClamAV Warning: Empty attachment not saved
> bad.mbox: OK
> [njh [at] nj tmp]$ clamscan --version
> clamscan / ClamAV version 20030829

yes, this was yet another 'bogus' bug report that could be fixed
by having a more current "release" than 0.60 ... what are the
plans for "blessing" another tarball with the title "stable
version" and putting it up on the
http://prdownloads.sourceforge.net/clamav/ page? Given that all
the suggestions on this list to pretty much every bug report are
"upgrade" it doesn't seem to make a lot of sense to even have
0.60 up there.

strange that clamscan calls approx 100 lines of base64 an "empty
attachment", but I know next to nothing about mime. I see other
antivirus scanners producing messages like that... the email is
110k but the contents are about 4k ...

note also that the version numbers from 20030829 are pretty
bogus...

[root [at] am ~]# clamscan --version
clamscan / ClamAV version 20030829

[root [at] am ~]# rpm -qi clamav
Name : clamav Relocations: (not relocateable)
Version : devel_20030922 Vendor: (none)


damien at pagefault

Oct 5, 2003, 1:00 AM

Post #6 of 6 (1017 views)
Re: spoolfile that segfaults clamav 0.60 (not the empty part issue) Re: off list was ... Re: [Clamav-virusdb] email submission for viruses? [In reply to]

On Mon, Sep 29, 2003 at 11:51:42AM -0700, Tom Brown wrote:
> On Mon, 29 Sep 2003, Nigel Horne wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Monday 22 Sep 2003 5:49 am, Tom Brown wrote:
> >
> > > hhmm, the ability to hang clamd could be considered a security bug... sure
> > > wreaks havoc with our systems... :-(
> >
> > > /:home:~> clamscan --mbox bad.mbox
> > > Segmentation fault (core dumped)
> > >
> > > /:home:~> clamscan --version
> > > clamscan / ClamAV version 0.60
> >
> > I just tried it and got this:
>
> yes, I know better now...
>
> > [njh [at] nj tmp]$ clamscan --mbox bad.mbox
> > LibClamAV Warning: Empty attachment not saved
> > bad.mbox: OK
> > [njh [at] nj tmp]$ clamscan --version
> > clamscan / ClamAV version 20030829
>
> yes, this was yet another 'bogus' bug report that could be fixed
> by having a more current "release" than 0.60 ... what are the
> plans for "blessing" another tarball with the title "stable
> version" and putting it up on the
> http://prdownloads.sourceforge.net/clamav/ page? Given that all
> the suggestions on this list to pretty much every bug report are
> "upgrade" it doesn't seem to make a lot of sense to even have
> 0.60 up there.

One of the problems is the lack of maintenance of the stable
release. Patch releases should be provided between stable releases for
serious bugs, as Magnus has been doing for the debian packages.

Fetching cvs snapshots is probably not suitable for the majority of users,
and there's little point leaving the last available stable download when
it's critically unreliable. Perhaps we can do this from the next stable
release which is expected very soon...

> strange that clamscan calls approx 100 lines of base64 an "empty
> attachment", but I know next to nothing about mime. I see other
> antivirus scanners producing messages like that... the email is
> 110k but the contents are about 4k ...

Perhaps it's in ms-tnef format.

> note also that the version numbers from 20030829 are pretty
> bogus...
>
> [root [at] am ~]# clamscan --version
> clamscan / ClamAV version 20030829
>
> [root [at] am ~]# rpm -qi clamav
> Name : clamav Relocations: (not relocateable)
> Version : devel_20030922 Vendor: (none)

Yep.
--
Damien
