On 1/31/20 2:47 AM, Steve Basford wrote:
> Hi All,
>
> eXtremeSHOK.com's clamav-unofficial-sigs download script has been
> updated:
>
> https://github.com/extremeshok/clamav-unofficial-sigs
>
> Change Log
>
> Version 7.0.1 (Updated 25 January 2020)
>

Beware, as of a few versions ago this script is filled with a million
unsafe uses of chown and chmod, running as root. The script should never
be using chown/chmod in the first place, so all of these are wrong,

  $ grep 'chown\|chmod' clamav-unofficial-sigs.sh | wc -l
  40

and many of them are exploitable if the clamav user swaps out one of the
targets for a symlink pointing to e.g. /etc/passwd. And since the script
runs on a predictable schedule, you have all the time in the world to do
that.
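
An added example, not part of the original message or of the clamav-unofficial-sigs project: a point-in-time audit that lists symlinks under a directory writable by the clamav user whose targets resolve outside that directory, which is the condition the message describes. The function name and the directory argument are assumptions, and `readlink -f` is assumed to behave as in GNU coreutils.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the project).
#
# find_escaping_symlinks DIR
#   Prints one "link -> resolved-target" line for every symlink under DIR
#   whose target resolves outside DIR, or cannot be resolved at all.
#   Exit status: 0 = none found, 1 = at least one found, 2 = DIR unusable.
find_escaping_symlinks() {
    # Canonicalise DIR first so the prefix comparison below is reliable
    # even when DIR itself is reached through a symlink.
    root=$(readlink -f -- "$1") || return 2
    [ -d "$root" ] || return 2

    # find does not follow symlinks by default, so -type l matches the
    # links themselves. The inner shell resolves each one and compares
    # the result against the canonical root.
    out=$(find "$root" -type l -exec sh -c '
        root=$1; shift
        for link; do
            target=$(readlink -f -- "$link") || target="(unresolvable)"
            case $target in
                "$root"/*) ;;   # resolves inside the tree: not reported
                *) printf "%s -> %s\n" "$link" "$target" ;;
            esac
        done' sh "$root" {} +)

    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage (the path is a placeholder, not taken from the message):
#   find_escaping_symlinks /path/to/signature/dir || echo "review before running as root"
```

A clean result only describes the moment of the scan; it does not close the window between the check and a later chown or chmod run by root.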
