On Wednesday 02 January 2008 1:57 pm, Tomasz Kojm wrote:
> On Sun, 30 Dec 2007 21:49:11 -0600
> Chris <[EMAIL PROTECTED]> wrote:
>
> > Saw this link at SANS today, anything to it?
> >
> > http://seclists.org/fulldisclosure/2007/Dec/0625.html
> >
> > Or is this a rehash of something already known about?
>
> A few comments on the advisory:
>
> "1) ClamAV uses own functions to create temporary files. One such routine
> is vulnerable to a race condition attack."
>
> The analysis is incorrect. The author mistakenly assumed that name_salt is
> fixed and this is not true. After each call to cli_gentemp() name_salt gets
> updated with a new MD5 digest and then used in generating a new temporary
> name, updated again and so on. Together with 48 pseudo-random bytes(*) used
> in hashing it makes a solution practically resistant to race conditions.
>
> (*) since we MD5-hash them together with a varying name_salt, the quality
> of the pseudo-random numbers is not that important here
>
> "2) ClamAV fails to properly check for base64-UUEncoded files, allowing
> bypassing of the scanner through the use of such files."
>
> This is not really a security bug but rather a lack of feature. Any
> (massive) attempt to bypass the uuencode decoder can be stopped with
> regular signatures thanks to the fact that ClamAV additionally scans all
> files in raw mode.
>
> "3) The sigtool utility included in the ClamAV distribution fails to handle
> created files in a secure way."
>
> Sigtool is primarily a tool for signature database developers and by no
> means was it designed to be run with SUID/SGID bits set. There is no
> practical exploitation of this "vulnerability" and it should not be
> considered a security issue.
>
> HTH,
Thank you Tomasz. As I said earlier, I was wondering if this was something that was discussed before, and since I don't run a server here I assume that none of this would affect me anyway, just running SpamAssassin with the ClamAV plugin.

Chris
-- 
Chris
KeyID 0xE372A7DA98E6705C
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
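As an added illustration of the temporary-file scheme Tomasz describes in the quoted reply (a salt that is MD5-hashed together with fresh random bytes, with the digest becoming both the file name and the next salt), here is a small Python model. It is example code written for this page, not ClamAV's cli_gentemp() or sigtool; the class and function names are invented, the 48-byte figure is taken from the thread, and the O_CREAT|O_EXCL|O_NOFOLLOW open is the general mitigation a defender pairs with unpredictable names so that a pre-planted file or symlink at the chosen path is refused rather than followed.

```python
import hashlib
import os
import shutil
import tempfile


class ChainedSaltNamer:
    """Model of the chained-salt naming described in the thread.

    Assumption: an illustration of the idea, not ClamAV's own cli_gentemp().
    Each call hashes the current salt with fresh random bytes; the digest is
    the new name and also replaces the salt, so the salt is never reused.
    """

    RANDOM_BYTES = 48  # figure quoted in the thread

    def __init__(self, seed=None):
        seed = os.urandom(16) if seed is None else seed
        self.name_salt = hashlib.md5(seed).digest()

    def next_name(self):
        digest = hashlib.md5(self.name_salt + os.urandom(self.RANDOM_BYTES)).digest()
        self.name_salt = digest  # chain the salt forward
        return digest.hex()


def open_exclusive(path):
    """Create `path` atomically with mode 0600.

    Returns a file descriptor, or None if anything (file, symlink, directory)
    already occupies the path. O_EXCL makes the kernel refuse to follow a
    symlink at `path`, which is what closes the classic temp-file race.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        return os.open(path, flags, 0o600)
    except FileExistsError:
        return None


def create_temp(directory, namer, attempts=8):
    """Pick unpredictable names until one can be created exclusively."""
    for _ in range(attempts):
        path = os.path.join(directory, "tmp-" + namer.next_name())
        fd = open_exclusive(path)
        if fd is not None:
            return fd, path
    raise OSError("could not create a unique temporary file")


def symlink_race_is_blocked(directory):
    """Constructed scenario: a symlink sits where the file would be created.

    Returns True when the exclusive open refuses it and the symlink target
    is left untouched.
    """
    planted = os.path.join(directory, "tmp-planted")
    target = os.path.join(directory, "victim")
    os.symlink(target, planted)  # dangling link, created on purpose
    try:
        blocked = open_exclusive(planted) is None
        return blocked and not os.path.exists(target)
    finally:
        os.unlink(planted)


def demo():
    """Exercise the namer and the exclusive create in a scratch directory."""
    namer = ChainedSaltNamer(seed=b"constructed-seed")
    first, second = namer.next_name(), namer.next_name()
    scratch = tempfile.mkdtemp(prefix="chained-salt-demo-")
    try:
        fd, path = create_temp(scratch, namer)
        os.write(fd, b"scan buffer")
        os.close(fd)
        created = os.path.isfile(path)
        os.unlink(path)
        blocked = symlink_race_is_blocked(scratch)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)
    return {
        "names_differ": first != second,
        "name_len": len(first),
        "created": created,
        "symlink_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the second half of the argument, not the first: unpredictable names raise the cost of guessing a path, but it is the atomic exclusive create (and the 0600 mode) that guarantees a planted file or symlink is refused rather than written through, which is the check a reviewer would look for in any tool that writes its own temporary files.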
