On Sat, 31 Jan 2009 12:34:06 +0100 Michael Tautschnig <[email protected]> wrote: >Hi Scott, > >> The attached is for Ubuntu's 0.92.1. It should be very similar (make sure to >> set the correct CL_FLEVEL) for 0.90.1. I did verify that the modules are re- >> enabled, but that capability didn't change looking at the output of clamscan >> --debug. >> > >[...] > >Would you mind giving some more background information? I'm somewhat confused >about this, is this some known security issue? Could you add some links? > IIRC (I'm away from my computer and reasonable access to reference material) I left the upstream changelog entry in the diff and it references a clamav bug that has the background. Here's the short version...
Since the 0.9x series of clamav, clamav signature updates have not only delivered new signatures, but have also had the ability to remotely disable different code modules. You can see what's disabled in the clamscan --debug output. The effect of this has been that when we did a security patch, we would block the vulnerability, but the code would remain disabled. There was not a way to indicate that modules should be reenabled because in the released versions of clamav the same variable is used to describe the functional capability of the scanning engine and the presence of security fixes. Based on the bug I mentioned above, upstream disambiguated these two concepts. The code change is small, but it allows us to express that we've fixed stuff and modules should run. I so think it's a security issue because all the functionality disabled due to these past security fixes is still not available to users. I'd treat this as finishing an incomplete security fix. Scott K _______________________________________________ Pkg-clamav-devel mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/pkg-clamav-devel
