Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Allow clamd to start normally when a whitelist is present. #1309

Merged
merged 1 commit into from
Jul 23, 2024
Merged

fix: Allow clamd to start normally when a whitelist is present. #1309

merged 1 commit into from
Jul 23, 2024

Conversation

userwiths
Copy link
Contributor

This PR is an attempt to fix issue #1174

The given functionality was introduced in the following commit and after taking a look at the cli_cvdverify function I believe it is meant to verify only CVDs.

That is, it throws an error when encountering a clear text (whitelist, .ign,.ign2) file. I mimicked the way the allowed extensions in the Database folder were handled, and excluded the 2 clear text extensions mentioned above. This has locally allowed for the normal execution of clamd.

micahsnyder
micahsnyder requested changes Jul 15, 2024
View reviewed changes
Copy link
Contributor

@micahsnyder micahsnyder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for working on a solution to this bug.

The same issue occurs when adding individual signature files outside of a CVD or CLD archive. E.g. if you drop in "clamav.hdb" file containing a hash-based signature, then clamd loading will still fail with:


❯ ./install/sbin/clamd -F
LibClamAV Error: cli_cvdverify: Can't read CVD header
LibClamAV Error: cl_cvdgetage: cvdgetfileage() failed for /home/micah/workspace/clamav-micah-5/build/install/share/clamav/clamav.hdb

So rather than having cl_cvdgetage ignore specific extensions like ".ign2", it would be better to only verify for ".cvd" and ".cld".

@userwiths
Copy link
Contributor Author

Yeah, I'm not familiar with all of the extensions so the clarification is more than welcome.
As discussed now the cl_cvdgetage checks only CVD and CLD files.

@userwiths userwiths requested a review from micahsnyder July 16, 2024 15:20
@micahsnyder
Copy link
Contributor

Hi @userwiths I thought of one other issue. If anyone tries to run clamscan where they pass in specific databases rather than using a database directory, it will still fail.

E.g.:

❯ clamscan -d ~/clamav.hdb -d ~/.cvdupdate/database/bytecode.cvd --fail-if-cvd-older-than=5 /path/to/file
LibClamAV Error: cli_cvdverify: Can't read CVD header
ERROR: Broken or not a CVD file

I think to fix this, we'll need to check if the database path ends with ".cvd" or ".cld" in this location: https://github.com/userwiths/clamav/blob/8474e6a86d45ba2b084bd7d3719947db90aa5543/clamscan/manager.c#L1253-L1254

What do you think?

@userwiths
Copy link
Contributor Author

I think that you are correct.
Despite that, I saw a specific scenario for which I took a decision that might be worth a notice.

I noticed that clamscan proceeds without a notice even if a file/directory passed with -d does not exist.
Don't know if that is intentional or not, my current changes exit with an error and log on the screen a message with the path to the missing file.

In case you think it would be better to keep the behavior as it was, just say so and I will change it accordingly.

@micahsnyder
Copy link
Contributor

I noticed that clamscan proceeds without a notice even if a file/directory passed with -d does not exist.

I wasn't able to reproduce this, or else I don't fully understand what you mean. I believe it should fail if the -d file or directory does not exist. So I'm good with your change either way.

Your PR seems good to me. I was doing some local testing after a rebase. I'm going to squash it down to one commit as well and then force-push that.

@micahsnyder micahsnyder force-pushed the issue-1174-FailIfCvdOlderThan-error-on-whitelist branch from ca96f27 to 2c7860f Compare July 23, 2024 17:46
@userwiths @micahsnyder
fix: Issue with --fail-if-cvd-older-than and non-CVD database files
9a7b186 
Clamscan and ClamD will throw an error if you use the
'--fail-if-cvd-older-than=DAYS' / 'FailIfCvdOlderThan' option and
try to load any plaintext signature files.
That is, it throws an error when encountering plain signature files like
`.ign2`, `.ldb`, `.hdb`, etc.
This feature should only verify CVD / CLD files.

The feature (and bug) was introduced in ClamAV 1.1.0, here:
Cisco-Talos@e4fe665

With this change, the `cl_cvdgetage` checks will skip any file that is
not a CVD or CLD.

Fixes: Cisco-Talos#1174
@micahsnyder micahsnyder force-pushed the issue-1174-FailIfCvdOlderThan-error-on-whitelist branch from 2c7860f to 9a7b186 Compare July 23, 2024 20:01
@micahsnyder micahsnyder merged commit 6c0d644 into Cisco-Talos:main Jul 23, 2024
23 of 24 checks passed
mtremer pushed a commit to ipfire/ipfire-2.x that referenced this pull request Jan 9, 2025
clamav: Update to version 1.4.1
4aae2b4 
- Update from version 1.3.2 to 1.4.1
- Update of rootfile
- Changelog
    1.4.1
	ClamAV 1.4.1 is a critical patch release with the following fixes:
	- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):
	  Changed the logging module to disable following symlinks on Linux and Unix
	  systems so as to prevent an attacker with existing access to the 'clamd' or
	  'freshclam' services from using a symlink to corrupt system files.
	  This issue affects all currently supported versions. It will be fixed in:
	  - 1.4.1
	  - 1.3.2
	  - 1.0.7
	  - 0.103.12
	  Thank you to Detlef for identifying this issue.
	- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):
	  Fixed a possible out-of-bounds read bug in the PDF file parser that could
	  cause a denial-of-service (DoS) condition.
	  This issue affects all currently supported versions. It will be fixed in:
	  - 1.4.1
	  - 1.3.2
	  - 1.0.7
	  - 0.103.12
	  Thank you to OSS-Fuzz for identifying this issue.
	- Removed unused Python modules from freshclam tests including deprecated
	  'cgi' module that is expected to cause test failures in Python 3.13.
    1.4.0
      Major changes
	- Added support for extracting ALZ archives.
	  The new ClamAV file type for ALZ archives is `CL_TYPE_ALZ`.
	  Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)
	  option to enable or disable ALZ archive support.
	  > _Tip_: DCONF (Dynamic CONFiguration) is a feature that allows for some
	  > configuration changes to be made via ClamAV `.cfg` "signatures".
	  - [GitHub pull request](Cisco-Talos/clamav#1183)
	- Added support for extracting LHA/LZH archives.
	  The new ClamAV file type for LHA/LZH archives is `CL_TYPE_LHA_LZH`.
	  Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)
	  option to enable or disable LHA/LZH archive support.
	  - [GitHub pull request](Cisco-Talos/clamav#1192)
	- Added the ability to disable image fuzzy hashing, if needed. For context,
	  image fuzzy hashing is a detection mechanism useful for identifying malware
	  by matching images included with the malware or phishing email/document.
	  New ClamScan options:
	  ```
	  --scan-image[=yes(*)/no]
	  --scan-image-fuzzy-hash[=yes(*)/no]
	  ```
	  New ClamD config options:
	  ```
	  ScanImage yes(*)/no
	  ScanImageFuzzyHash yes(*)/no
	  ```
	  New libclamav scan options:
	  ```c
	  options.parse &= ~CL_SCAN_PARSE_IMAGE;
	  options.parse &= ~CL_SCAN_PARSE_IMAGE_FUZZY_HASH;
	  ```
	  Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)
	  option to enable or disable image fuzzy hashing support.
	  - [GitHub pull request](Cisco-Talos/clamav#1186)
      Other improvements
	- Added cross-compiling instructions for targeting ARM64/aarch64 processors for
	  [Windows](https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-windows-arm64.md)
	  and
	  [Linux](https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-linux-arm64.md).
	  - [GitHub pull request](Cisco-Talos/clamav#1116)
	- Improved the Freshclam warning messages when being blocked or rate limited
	  so as to include the Cloudflare Ray ID, which helps with issue triage.
	  - [GitHub pull request](Cisco-Talos/clamav#1195)
	- Removed unnecessary memory allocation checks when the size to be allocated
	  is fixed or comes from a trusted source.
	  We also renamed internal memory allocation functions and macros, so it is
	  more obvious what each function does.
	  - [GitHub pull request](Cisco-Talos/clamav#1137)
	- Improved the Freshclam documentation to make it clear that the `--datadir`
	  option must be an absolute path to a directory that already exists, is
	  writable by Freshclam, and is readable by ClamScan and ClamD.
	  - [GitHub pull request](Cisco-Talos/clamav#1199)
	- Added an optimization to avoid calculating the file hash if the clean file
	  cache has been disabled. The file hash may still be calculated as needed to
	  perform hash-based signature matching if any hash-based signatures exist that
	  target a file of the same size, or if any hash-based signatures exist that
	  target "any" file size.
	  - [GitHub pull request](Cisco-Talos/clamav#1167)
	- Added an improvement to the SystemD service file for ClamOnAcc so that the
	  service will shut down faster on some systems.
	  - [GitHub pull request](Cisco-Talos/clamav#1164)
	- Added a CMake build dependency on the version map files so that the build
	  will re-run if changes are made to the version map files.
	  Work courtesy of Sebastian Andrzej Siewior.
	  - [GitHub pull request](Cisco-Talos/clamav#1294)
	- Added an improvement to the CMake build so that the RUSTFLAGS settings
	  are inherited from the environment.
	  Work courtesy of liushuyu.
	  - [GitHub pull request](Cisco-Talos/clamav#1301)
      Bug fixes
	- Silenced confusing warning message when scanning some HTML files.
	  - [GitHub pull request](Cisco-Talos/clamav#1252)
	- Fixed minor compiler warnings.
	  - [GitHub pull request](Cisco-Talos/clamav#1197)
	- Since the build system changed from Autotools to CMake, ClamAV no longer
	  supports building with configurations where bzip2, libxml2, libz, libjson-c,
	  or libpcre2 are not available. Libpcre is no longer supported in favor of
	  libpcre2. In this release, we removed all the dead code associated with those
	  unsupported build configurations.
	  - [GitHub pull request](Cisco-Talos/clamav#1217)
	- Fixed assorted typos. Patch courtesy of RainRat.
	  - [GitHub pull request](Cisco-Talos/clamav#1228)
	- Added missing documentation for the ClamScan `--force-to-disk` option.
	  - [GitHub pull request](Cisco-Talos/clamav#1186)
	- Fixed an issue where ClamAV unit tests would prefer an older
	  libclamunrar_iface library from the install path, if present, rather than
	  the recently compiled library in the build path.
	  - [GitHub pull request](Cisco-Talos/clamav#1258)
	- Fixed a build issue on Windows with newer versions of Rust.
	  Also upgraded GitHub Actions imports to fix CI failures.
	  Fixes courtesy of liushuyu.
	  - [GitHub pull request](Cisco-Talos/clamav#1307)
	- Fixed an unaligned pointer dereference issue on select architectures.
	  Fix courtesy of Sebastian Andrzej Siewior.
	  - [GitHub pull request](Cisco-Talos/clamav#1293)
	- Fixed a bug that prevented loading plaintext (non-CVD) signature files
	  when using the `--fail-if-cvd-older-than=DAYS` / `FailIfCvdOlderThan` option.
	  Fix courtesy of Bark.
	  - [GitHub pull request](Cisco-Talos/clamav#1309)

Signed-off-by: Adolf Belka <[email protected]>
Signed-off-by: Arne Fitzenreiter <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@micahsnyder micahsnyder micahsnyder approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@userwiths @micahsnyder