Re: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report

2007-02-02 Thread Peter Peltonen

On 1/24/07, Peter Peltonen [EMAIL PROTECTED] wrote:

2007-01-24 12:01:50.928674500 LibClamAV Warning: Error -5 inflating PDF attachment


snip


I found a bug in clamav bugzilla (Opened: 2006-09-20 11:32) regarding this:

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=43

which states that the PDF file's attachments are not being
recognised as ASCII85, so ClamAV is not passing the attachments
through the ASCII85 handler before the FlateDecode
handler.

Status: FIXED in CVS


This should now be fixed in the 0.90rc3 package available from the devel site:

Sun Oct 22 11:24:07 BST 2006 (njh)
--
 * libclamav/pdf.c:Handle ASCII85 encoded Flated objectes (bug#43)

Let's test and see?

BTW: I couldn't find ClamAV's changelog on the web. I had to
unpack the source to read it. If someone knows a better way, let me
know :)

Cheers,
Peter

-
QmailToaster hosted by: VR Hosted http://www.vr.org
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report

2007-01-25 Thread Quinn Comendant

On Wed, 24 Jan 2007 11:43:30 +0200, Peter Peltonen wrote:
 On 1/22/07, Quinn Comendant [EMAIL PROTECTED] wrote:
 FYI: I found an issue with simscan this morning that y'all should be 
 aware of. Read below...
 
 Has this bug been confirmed?

I don't know. I emailed my bug report to the simscan list but there wasn't a 
single reply.

Quinn




Re: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report

2007-01-24 Thread Peter Peltonen

On 1/22/07, Quinn Comendant [EMAIL PROTECTED] wrote:

FYI: I found an issue with simscan this morning that y'all should be aware of. 
Read below...


Has this bug been confirmed?

I've had a few reports of PDF attachments not being delivered to the
receiver, which I did not take that seriously, as all I am filtering
away at the moment are viruses with clamd and .src .bat .pif
attachments with simscan. I'll disable those attachment rejections for
the moment.

Regards,
Peter




Re: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report

2007-01-24 Thread Peter Peltonen

On 1/24/07, Peter Peltonen [EMAIL PROTECTED] wrote:

I've had a few reports of PDF attachments not being delivered to the
receiver which I


Actually, there were errors of this kind in the current clamd log file:

2007-01-24 12:01:50.928674500 LibClamAV Warning: Error -5 inflating PDF attachment
2007-01-24 12:01:51.309276500 /var/qmail/simscan/1169632906.395016.3061/msg.1169632906.395016.3061: OK
2007-01-24 12:01:51.309313500
2007-01-24 12:01:51.309723500 /var/qmail/simscan/1169632906.395016.3061/textfile0: OK
2007-01-24 12:01:51.309743500 /var/qmail/simscan/1169632906.395016.3061/textfile0: OK
2007-01-24 12:01:51.310476500 LibClamAV Warning: Error -5 inflating PDF attachment
2007-01-24 12:01:51.448268500 /var/qmail/simscan/1169632906.395016.3061/Lehtimainos 186x131 mm.pdf: Zip module failure ERROR

Are these due to clamd giving me trouble or to the simscan attachment
scanning discussed in this thread? I have now disabled both.

I found a bug in clamav bugzilla (Opened: 2006-09-20 11:32) regarding this:

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=43

which states that the PDF file's attachments are not being
recognised as ASCII85, so ClamAV is not passing the attachments
through the ASCII85 handler before the FlateDecode
handler.

Status: FIXED in CVS

Another report:

https://wwws.clamav.net/bugzilla/show_bug.cgi?id=131

Same problem, user running current stable version .90rc2. Also FIXED in CVS.

I'm running the newest clamav that came with toaster,
clamav-toaster-0.90rc2-1.3.8 which is also the newest in the devel
site. Any info when we can get a newer clamav devel package that would
have this fixed?

Regards,
Peter




Re: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report

2007-01-22 Thread Alexey Loukianov

Quinn Comendant wrote:

FYI: I found an issue with simscan this morning that y'all should be aware of. 
Read below...


Thank you for the report.


--
Best regards,
Alexey Loukianov  mailto:[EMAIL PROTECTED]
System Engineer,
IT Department,
Lavtech Corp.




RE: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report

2007-01-22 Thread Rangi Biddle
Hi Guys,

Was just taking a look into the issue of the bug reported below (in
particular the C function that is being called) and came across this patch
for simscan 1.2 (not sure if this is what is currently being used by the
toaster):

http://jeremy.kister.net/code/simscan-1.2-stabilize.patch

Regards

Rangi

-Original Message-
From: Quinn Comendant [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 23 January 2007 10:44 a.m.
To: qmailtoaster-list@qmailtoaster.com
Subject: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug
report

FYI: I found an issue with simscan this morning that y'all should be aware
of. Read below...

Quinn

-
Strangecode :: Internet Consultancy
http://www.strangecode.com/
+1 530 624 4410


- Begin forwarded message -
Subject: [simscan] attachment filename scanning bug report
Date: Mon, 22 Jan 2007 13:38:16 -0800
From: Quinn Comendant [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]


I found a problem with simscan's attachment scanning: the filename matching
is overly sensitive. I'm using version 1.2 but the problem should exist in
all recent versions. Here's an example running on simscan with a cdb
including attach=.exe:.bat:.pif:.src:

My email contains two attachments, the filename of one is:

Content-Disposition: attachment;
filename=C A Blum TeachVenture Recruiting Invoice 016
11-30-06.doc

Simscan thinks this filename matches the attachment extension .src, and so
the email is rejected.

Problem #1: Filenames with spaces are not handled properly. This filename is
processed only as C. (See debug output below.)

Problem #2: The entire attachment extension is not matched, regardless of a
dot. If the specified extension is .src then only .src should match, not
c, rc, or src.

Proposed solution: Use a more specific string matching function instead of
this:
if ( str_rstr(mydirent->d_name,bk_attachments[i]) == 0 ) {
(I'm not well versed in C, so I'm not sure what would be used.)


[EMAIL PROTECTED]/1 ~]$QMAILQUEUE=/var/qmail/bin/simscan SIMSCAN_DEBUG=5
/var/qmail/bin/qmail-inject [EMAIL PROTECTED]  teachventure-attach.eml 
simscan: cdb looking up 
simscan: cdb for  found
clam=yes,spam=yes,spam_hits=8,attach=.exe:.bat:.pif:.src
simscan: pelookup clam = yes
simscan: pelookup spam = yes
simscan: pelookup spam_hits = 8
simscan: Per Domain Hits set to : 8.00
simscan: pelookup attach = .exe:.bat:.pif:.src
simscan: attachment flag attach = .exe:.bat:.pif:.src
simscan: add_attach called with .exe:.bat:.pif:.src
simscan: .exe is attachment number 0
simscan: .bat is attachment number 1
simscan: .pif is attachment number 2
simscan: .src is attachment number 3
simscan: starting: work dir: /var/qmail/simscan/1169498396.417942.30775
simscan: pelookup: called with [EMAIL PROTECTED]
simscan: pelookup: domain is gmail.com
simscan: cdb looking up gmail.com
simscan: pelookup: local part is beausmith
simscan: lpart: local part is **
simscan: cdb looking up [EMAIL PROTECTED]
simscan: pelookup: called with [EMAIL PROTECTED]
simscan: pelookup: domain is hoodwink.us
simscan: cdb looking up hoodwink.us
simscan: pelookup: local part is q
simscan: lpart: local part is **
simscan: cdb looking up [EMAIL PROTECTED]
simscan: checking attachment textfile0 against .exe
simscan: checking attachment textfile0 against .bat
simscan: checking attachment textfile0 against .pif
simscan: checking attachment textfile0 against .src
simscan: checking attachment C against .exe
simscan: checking attachment c against .bat
simscan: checking attachment c against .pif
simscan: checking attachment c against .src
simscan:[30774]:ATTACH:0.0108s:c:(null):[EMAIL PROTECTED]:[EMAIL PROTECTED]
simscan: exit error code: 82
qmail-inject: fatal: Your email was rejected because it contains a bad
attachment: c


Cheers!
Quinn


-
Strangecode :: Internet Consultancy
http://www.strangecode.com/
+1 530 624 4410







-- 
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.410 / Virus Database: 268.17.5/645 - Release Date: 22/01/2007
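
The stricter extension match that Quinn's report asks for, as an added example that is not part of the original thread and is not simscan's code. `loose_rmatch` is only a model of the behaviour the report describes (an assumption about how the comparison goes wrong), and `strict_ext_match` and `is_blocked` are hypothetical names; "invoice.SRC" is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Model of the reported loose behaviour (an assumption, not simscan's source):
 * compare from the end and stop when either string runs out. */
static int loose_rmatch(const char *name, const char *ext)
{
    size_t n = strlen(name), e = strlen(ext);
    while (n > 0 && e > 0)
        if (name[--n] != ext[--e])
            return -1;
    return 0;
}

/* Strict: name must end with the whole extension, dot included, ignoring case. */
static int strict_ext_match(const char *name, const char *ext)
{
    size_t n = strlen(name), e = strlen(ext);
    return (e && n >= e && strcasecmp(name + n - e, ext) == 0) ? 0 : -1;
}

/* Return 1 if name matches any entry of a colon-separated attach= list. */
static int is_blocked(const char *name, const char *list,
                      int (*match)(const char *, const char *))
{
    char ext[32];
    while (*list) {
        size_t len = strcspn(list, ":");
        if (len > 0 && len < sizeof ext) {
            memcpy(ext, list, len);
            ext[len] = '\0';
            if (match(name, ext) == 0)
                return 1;
        }
        list += len + (list[len] == ':');
    }
    return 0;
}

int main(void)
{
    const char *attach = ".exe:.bat:.pif:.src";   /* list from the report */
    const char *names[] = { "c", "rc", "src", "invoice.SRC" }; /* constructed */
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s loose=%d strict=%d\n", names[i],
               is_blocked(names[i], attach, loose_rmatch),
               is_blocked(names[i], attach, strict_ext_match));
    return 0;
}
```

Problem #1 in the report (the filename being cut at the first space) happens before this comparison and is not modelled here.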






RE: [qmailtoaster] Fwd: [simscan] attachment filename scanning bug report

2007-01-22 Thread Rangi Biddle
Ignore the previous post.  I posted the wrong link.  But apparently it is
already being addressed.  That patch is what partially has created the bug
found by Quinn.

There is a patch due to come out very shortly.

Regards
