Hello,

ClamAV 0.54 is not vulnerable to a DoS attack with the infamous 42.zip; however,
a total scan of this archive might be very slow on slow/busy machines (although
libclamav doesn't physically decompress any file from this archive at all),
especially with default archive limits. Here is the clamscan output on a slow
Celeron 300 machine, with recursion level limited:

[EMAIL PROTECTED]:/tmp$ clamscan --max-recursion=2 --max-files=200 42.zip 
42.zip: Recursion limit exceeded.
42.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 7440
Scanned directories: 0
Scanned files: 2
Infected files: 0
Data scanned: 0.07 Mb
I/O buffer size: 131072 bytes
Time: 434.479 sec (7 m 14 s)

ClamAV has implemented a good protection against DoS attacks; unhappily, I forgot
to set default limits in clamscan (and probably most users and mail software
don't use --max-recursion, --max-files and --max-space). The attached (ugly)
patch (execute `patch -p0 < 42zip.patch` in the clamav sources (main directory)) fixes
the 42.zip issue, even when limits in clamscan are not set:

[EMAIL PROTECTED]:/tmp/clamav-0.54/clamscan$ ./clamscan /tmp/42.zip 
LibClamAV Error: Zip -> Malformed archive detected.
/tmp/42.zip: Recursion limit exceeded.
/tmp/42.zip: OK

----------- SCAN SUMMARY -----------
Known viruses: 7440
Scanned directories: 0
Scanned files: 2
Infected files: 0
Data scanned: 0.07 Mb
I/O buffer size: 131072 bytes
Time: 27.909 sec (0 m 27 s)

Best regards,
Tomasz Kojm
-- 
      oo    .....       [EMAIL PROTECTED]
     (\/)\.........     http://www.konarski.edu.pl/~zolw
        \..........._     And don't forget to click the belly...
          //\   /\\     <- C. Amboinensis    www.pajacyk.pl


Attachment:
42zip.patch
Description: Binary data
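
Added example, not part of the original message and not ClamAV code: a Python illustration of how recursion, file-count and space limits of the kind clamscan exposes as --max-recursion, --max-files and --max-space cut off a scan of a nested archive. The function names, the reason strings and the constructed nested test archive are assumptions made for this example.

```python
import io
import zipfile

class LimitExceeded(Exception):
    """An archive went past one of the configured scan limits."""

def scan_zip(data, max_recursion, max_files, max_space):
    """Walk a possibly nested zip; return the number of non-archive members.

    Illustrates recursion/files/space limits; this is not libclamav's logic.
    """
    seen = {"files": 0, "space": 0, "leaves": 0}

    def walk(blob, depth):
        if depth > max_recursion:
            raise LimitExceeded("recursion")
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                seen["files"] += 1
                if seen["files"] > max_files:
                    raise LimitExceeded("files")
                # Charge the declared size before inflating anything.
                seen["space"] += info.file_size
                if seen["space"] > max_space:
                    raise LimitExceeded("space")
                with zf.open(info) as fh:
                    # Bounded read: never inflate more than was charged.
                    member = fh.read(info.file_size)
                if zipfile.is_zipfile(io.BytesIO(member)):
                    walk(member, depth + 1)
                else:
                    seen["leaves"] += 1

    walk(data, 0)
    return seen["leaves"]

def build_nested(levels, fanout, leaf_size):
    """Constructed test input: zeros wrapped in `levels` layers of zips."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("0.dat", b"\0" * leaf_size)
    blob = buf.getvalue()
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(fanout):
                zf.writestr(f"{i}.zip", blob)
        blob = buf.getvalue()
    return blob
```

With no limit tight enough to trigger, the scanner has to inflate every leaf; with any one limit set low, it stops after a handful of members.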
