--On Friday, June 09, 2023 6:40 PM -0400 Paul Kosinski via clamav-users <clamav-users@lists.clamav.net> wrote:

I have on occasion heard of vulnerabilities in some archiving software,
where the mere act of decompressing and extracting an archive can result
in malicious code execution due to a bug in the archiving software. After
all, such software can itself have the all too common lack of bounds
checking (etc.) that could be exploited by a maliciously malformed
archive.

It could also be that lower-level archive-like files such as ISOs and
disk images could, by means of malicious structuring, trigger a total
system compromise, because it might well involve the kernel. The way an
ISO or disk image is typically used (on Linux, at least) is to create a
"loop" device from the file, and then *mount* it as a block device -- a
clear kernel involvement.

Filesystems are also files, interpreted by kernel-level filesystem drivers. Some filesystems have a compression feature. Scanning ANY file exercises such code.

Of course, scanning any file might conceivably trigger a ClamAV bug, and
thus a compromise, but that is no reason to add another layer of
vulnerability to things. (But it is a good reason not to run ClamAV as
root.)

This is also a good reason to run it as a service in a sandbox with minimal capabilities. The client application (like a mail server) can feed the file to scan through a socket and rely on the service's sandbox to protect the client application.
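The client side of that design, as an added example that is not part of the original message or of the ClamAV project's own code: a mail filter (or any other application) hands the bytes to the scanning service over a socket, so the archive, ISO or filesystem parsers only ever run inside clamd's sandbox, never in the client's address space. The code speaks clamd's documented INSTREAM protocol (the `zINSTREAM` command, then 4-byte big-endian length-prefixed chunks, terminated by a zero-length chunk, with a NUL-terminated reply). The socket path is an assumption; the real value comes from `LocalSocket` in the host's clamd.conf.

```python
import socket
import struct
from typing import Iterator, Optional, Tuple

# Assumed socket path; read LocalSocket from clamd.conf on a real host.
CLAMD_SOCKET = "/run/clamav/clamd.ctl"
# clamd rejects chunks larger than its StreamMaxLength; 64 KiB is well below defaults.
CHUNK_SIZE = 64 * 1024


def instream_frames(data: bytes, chunk_size: int = CHUNK_SIZE) -> Iterator[bytes]:
    """Yield the wire bytes of one zINSTREAM session carrying `data`.

    Wire format: the command "zINSTREAM\\0", then any number of chunks,
    each a 4-byte big-endian length followed by that many payload bytes,
    and finally a zero-length chunk that tells clamd the stream is done.
    """
    yield b"zINSTREAM\0"
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)


def parse_verdict(reply: bytes) -> Tuple[str, Optional[str]]:
    """Parse clamd's NUL-terminated reply to an INSTREAM scan.

    Replies look like "stream: OK", "stream: <Signature.Name> FOUND" or
    "stream: <message> ERROR" (e.g. when a size limit is exceeded).
    Returns (status, detail): detail is the signature name for FOUND, the
    message for ERROR, and None for OK. Anything unrecognised is treated
    as an ERROR so a garbled reply is never mistaken for a clean result.
    """
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, body = text.partition(": ")
    if body == "OK":
        return ("OK", None)
    if body.endswith(" FOUND"):
        return ("FOUND", body[: -len(" FOUND")])
    if body.endswith(" ERROR"):
        return ("ERROR", body[: -len(" ERROR")])
    return ("ERROR", text)


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET,
               timeout: float = 30.0) -> Tuple[str, Optional[str]]:
    """Stream `data` to clamd over its Unix socket and return the verdict.

    The caller never parses the file itself; all format handling happens
    inside the (separately sandboxed) clamd process.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(sock_path)
        for frame in instream_frames(data):
            sock.sendall(frame)
        reply = b""
        # z-prefixed commands make clamd terminate the reply with a NUL byte.
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_verdict(reply)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        status, detail = scan_bytes(fh.read())
    print(status if detail is None else f"{status}: {detail}")
```

Treating both `ERROR` and unparseable replies as a non-clean outcome is deliberate: a client that fails open when the scanner hits a limit or crashes on a malformed archive would hand exactly the kind of file this thread is about straight through. Whether clamd itself is confined is a matter for how the service is started (a dedicated unprivileged user and a restricted capability set), which this client relies on but cannot provide.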
