Re: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report
On 1/24/07, Peter Peltonen [EMAIL PROTECTED] wrote: 2007-01-24 12:01:50.928674500 LibClamAV Warning: Error -5 inflating PDF attachment snip I found a bug in clamav bugzilla (Opened: 2006-09-20 11:32) regarding this: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=43 whcih states that The PDF file's attachements are not being recognised as ASCII85, so clamAV is not passing the attachments through the ASCII85 handler before the Flatedecode handler. Status: FIXED in CVS This should be now fixed in the 0.90rc3 package availabel from the devel site: Sun Oct 22 11:24:07 BST 2006 (njh) -- * libclamav/pdf.c:Handle ASCII85 encoded Flated objectes (bug#43) Let's test and see? BTW: I couldn't find the clamav's changelog from the web. I had to unpack the source to read it. If someone knows a better way, let me know :) Cheers, Peter - QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report
On Wed, 24 Jan 2007 11:43:30 +0200, Peter Peltonen wrote: On 1/22/07, Quinn Comendant [EMAIL PROTECTED] wrote: FYI: I found an issue with simscan this morning that y'all should be aware of. Read below... Has this bug been confirmed? I don't know. I emailed my bug report to the simscan list but there wasn't a single reply. Quinn - QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report
On 1/22/07, Quinn Comendant [EMAIL PROTECTED] wrote: FYI: I found an issue with simscan this morning that y'all should be aware of. Read below... Has this bug been confirmed? I've had a few reports of PDF attachments not been delivered to the receiver which I did not take that seriously as all I am filtering away at the moment are viruses with clamd and .src .bat .pif attachments with simscan. I'll disable those attacment rejections for the moment. Regards, Peter - QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report
On 1/24/07, Peter Peltonen [EMAIL PROTECTED] wrote: I've had a few reports of PDF attachments not been delivered to the receiver which I Actually there were this kind of errors in clamd current log file: 2007-01-24 12:01:50.928674500 LibClamAV Warning: Error -5 inflating PDF attachment 2007-01-24 12:01:51.309276500 /var/qmail/simscan/1169632906.395016.3061/msg.1169632906.395016.3061: OK 2007-01-24 12:01:51.309313500 2007-01-24 12:01:51.309723500 /var/qmail/simscan/1169632906.395016.3061/textfile0: OK 2007-01-24 12:01:51.309743500 /var/qmail/simscan/1169632906.395016.3061/textfile0: OK 2007-01-24 12:01:51.310476500 LibClamAV Warning: Error -5 inflating PDF attachment 2007-01-24 12:01:51.448268500 /var/qmail/simscan/1169632906.395016.3061/Lehtimainos 186x131 mm.pdf: Zip module failure ERROR Are these due clamd giving me trouble or the simscan attachment scanning discussed in this thread? I have now disabled both. I found a bug in clamav bugzilla (Opened: 2006-09-20 11:32) regarding this: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=43 whcih states that The PDF file's attachements are not being recognised as ASCII85, so clamAV is not passing the attachments through the ASCII85 handler before the Flatedecode handler. Status: FIXED in CVS Another report: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=131 Same problem, user running current stable version .90rc2. Also FIXED in CVS. I'm running the newest clamav that came with toaster, clamav-toaster-0.90rc2-1.3.8 which is also the newest in the devel site. Any info when we can get a newer clamav devel package that would have this fixed? Regards, Peter - QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report
Quinn Comendant wrote: FYI: I found an issue with simscan this morning that y'all should be aware of. Read below... Thank you for report. -- Best regards, Alexey Loukianov mailto:[EMAIL PROTECTED] System Engineer, IT Department, Lavtech Corp. - QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report
Hi Guys, Was just taking a look into the issue of the bug reported below (in particular the C function that is being called and came across this patch for simscan 1.2 (not sure if this is what is currently being used by the toaster) http://jeremy.kister.net/code/simscan-1.2-stabilize.patch Regards Rangi -Original Message- From: Quinn Comendant [mailto:[EMAIL PROTECTED] Sent: Tuesday, 23 January 2007 10:44 a.m. To: qmailtoaster-list@qmailtoaster.com Subject: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report FYI: I found an issue with simscan this morning that y'all should be aware of. Read below... Quinn - Strangecode :: Internet Consultancy http://www.strangecode.com/ +1 530 624 4410 - Begin forwarded message - Subject: [simscan] attachment filename scanning bug report Date: Mon, 22 Jan 2007 13:38:16 -0800 From: Quinn Comendant [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] I found a problem with simscan's attachment scanning: the filename matching is overly sensitive. I'm using version 1.2 but the problem should exist in all recent versions. Here's an example running on simscan with a cdb including attach=.exe:.bat:.pif:.src: My email contains two attachments, the filename of one is: Content-Disposition: attachment; filename=C A Blum TeachVenture Recruiting Invoice 016 11-30-06.doc Simscan thinks this filename matches the attachment extension .src, and so the email is rejected. Problem #1: Filenames with spaces are not handled properly. This filename is processed only as C. (See debug output below.) Problem #2: The entire attachment extension is not matched, regardless of a dot. If the specified extension is .src then only .src should match, not c, rc, or src. Proposed solution: Use a more specific string matching function instead of this: if ( str_rstr(mydirent-d_name,bk_attachments[i]) == 0 ) { (I'm not well versed in C, so I'm not sure what would be used.) [EMAIL PROTECTED]/1 ~]$QMAILQUEUE=/var/qmail/bin/simscan SIMSCAN_DEBUG=5 /var/qmail/bin/qmail-inject [EMAIL PROTECTED] teachventure-attach.eml simscan: cdb looking up simscan: cdb for found clam=yes,spam=yes,spam_hits=8,attach=.exe:.bat:.pif:.src simscan: pelookup clam = yes simscan: pelookup spam = yes simscan: pelookup spam_hits = 8 simscan: Per Domain Hits set to : 8.00 simscan: pelookup attach = .exe:.bat:.pif:.src simscan: attachment flag attach = .exe:.bat:.pif:.src simscan: add_attach called with .exe:.bat:.pif:.src simscan: .exe is attachment number 0 simscan: .bat is attachment number 1 simscan: .pif is attachment number 2 simscan: .src is attachment number 3 simscan: starting: work dir: /var/qmail/simscan/1169498396.417942.30775 simscan: pelookup: called with [EMAIL PROTECTED] simscan: pelookup: domain is gmail.com simscan: cdb looking up gmail.com simscan: pelookup: local part is beausmith simscan: lpart: local part is ** simscan: cdb looking up [EMAIL PROTECTED] simscan: pelookup: called with [EMAIL PROTECTED] simscan: pelookup: domain is hoodwink.us simscan: cdb looking up hoodwink.us simscan: pelookup: local part is q simscan: lpart: local part is ** simscan: cdb looking up [EMAIL PROTECTED] simscan: checking attachment textfile0 against .exe simscan: checking attachment textfile0 against .bat simscan: checking attachment textfile0 against .pif simscan: checking attachment textfile0 against .src simscan: checking attachment C against .exe simscan: checking attachment c against .bat simscan: checking attachment c against .pif simscan: checking attachment c against .src simscan:[30774]:ATTACH:0.0108s:c:(null):[EMAIL PROTECTED]:[EMAIL PROTECTED] simscan: exit error code: 82 qmail-inject: fatal: Your email was rejected because it contains a bad attachment: c Cheers! Quinn - Strangecode :: Internet Consultancy http://www.strangecode.com/ +1 530 624 4410 - QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.410 / Virus Database: 268.17.5/645 - Release Date: 22/01/2007 - QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
RE: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report
Ignore the previous post. I posted the wrong link. But apparently it is already being addressed. That patch is what partially has created the bug found by Quinn. There is a patch due to come out very shortly. Regards -Original Message- From: Quinn Comendant [mailto:[EMAIL PROTECTED] Sent: Tuesday, 23 January 2007 10:44 a.m. To: qmailtoaster-list@qmailtoaster.com Subject: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report FYI: I found an issue with simscan this morning that y'all should be aware of. Read below... Quinn - Strangecode :: Internet Consultancy http://www.strangecode.com/ +1 530 624 4410 - Begin forwarded message - Subject: [simscan] attachment filename scanning bug report Date: Mon, 22 Jan 2007 13:38:16 -0800 From: Quinn Comendant [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: [EMAIL PROTECTED] I found a problem with simscan's attachment scanning: the filename matching is overly sensitive. I'm using version 1.2 but the problem should exist in all recent versions. Here's an example running on simscan with a cdb including attach=.exe:.bat:.pif:.src: My email contains two attachments, the filename of one is: Content-Disposition: attachment; filename=C A Blum TeachVenture Recruiting Invoice 016 11-30-06.doc Simscan thinks this filename matches the attachment extension .src, and so the email is rejected. Problem #1: Filenames with spaces are not handled properly. This filename is processed only as C. (See debug output below.) Problem #2: The entire attachment extension is not matched, regardless of a dot. If the specified extension is .src then only .src should match, not c, rc, or src. Proposed solution: Use a more specific string matching function instead of this: if ( str_rstr(mydirent-d_name,bk_attachments[i]) == 0 ) { (I'm not well versed in C, so I'm not sure what would be used.) [EMAIL PROTECTED]/1 ~]$QMAILQUEUE=/var/qmail/bin/simscan SIMSCAN_DEBUG=5 /var/qmail/bin/qmail-inject [EMAIL PROTECTED] teachventure-attach.eml simscan: cdb looking up simscan: cdb for found clam=yes,spam=yes,spam_hits=8,attach=.exe:.bat:.pif:.src simscan: pelookup clam = yes simscan: pelookup spam = yes simscan: pelookup spam_hits = 8 simscan: Per Domain Hits set to : 8.00 simscan: pelookup attach = .exe:.bat:.pif:.src simscan: attachment flag attach = .exe:.bat:.pif:.src simscan: add_attach called with .exe:.bat:.pif:.src simscan: .exe is attachment number 0 simscan: .bat is attachment number 1 simscan: .pif is attachment number 2 simscan: .src is attachment number 3 simscan: starting: work dir: /var/qmail/simscan/1169498396.417942.30775 simscan: pelookup: called with [EMAIL PROTECTED] simscan: pelookup: domain is gmail.com simscan: cdb looking up gmail.com simscan: pelookup: local part is beausmith simscan: lpart: local part is ** simscan: cdb looking up [EMAIL PROTECTED] simscan: pelookup: called with [EMAIL PROTECTED] simscan: pelookup: domain is hoodwink.us simscan: cdb looking up hoodwink.us simscan: pelookup: local part is q simscan: lpart: local part is ** simscan: cdb looking up [EMAIL PROTECTED] simscan: checking attachment textfile0 against .exe simscan: checking attachment textfile0 against .bat simscan: checking attachment textfile0 against .pif simscan: checking attachment textfile0 against .src simscan: checking attachment C against .exe simscan: checking attachment c against .bat simscan: checking attachment c against .pif simscan: checking attachment c against .src simscan:[30774]:ATTACH:0.0108s:c:(null):[EMAIL PROTECTED]:[EMAIL PROTECTED] simscan: exit error code: 82 qmail-inject: fatal: Your email was rejected because it contains a bad attachment: c Cheers! Quinn - Strangecode :: Internet Consultancy http://www.strangecode.com/ +1 530 624 4410 - QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.410 / Virus Database: 268.17.5/645 - Release Date: 22/01/2007 - QmailToaster hosted by: VR Hosted http://www.vr.org - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]