There appear to be minor leaks in clamd that can occur when shutting
down immediately after a command (e.g. RELOAD).
These are causing intermittent clamd test failures.
It seems like they're caused by a thread leaking occasionally,
due to not exiting before the program terminates.
I don't believe these to be a serious issue. Tracking down the exact
cause and crafting a fix for the leaks isn't worth the effort.
This commit adds valgrind suppression rules to stabilize the tests.
Added feature to start FreshClam & Clamd as Windows services
Special thanks to Gianluigi Tiesi for allowing us to integrate this
feature from ClamWin directly into ClamAV.
Added internal --service-mode option for FreshClam and ClamD
This is used when Windows starts FreshClam or ClamD as a service so
that they will register with the service manager.
Code found in service.c.
Windows XP had a maximum section count of 96, and this has been
the max for ClamAV forever as well. Raising this prevents malicious
executables from being able to evade certain ClamAV signatures by
having 97 or more sections.
The non-existent file test has a hack to "expect" a weird error message
caused by the '\v' character rather than the file not actually existing.
Recently something(?) changed and the test started reporting yet a
different message or no message.
Removing the '\v' special character fixes the test so it actually tests
a non-existent file and returns the same message as on other operating
systems.
Previously we'd not clang-formatted the c++ bytecode files because:
A) It's a massive difference in format
B) I wasn't sure, at the time, which code was "ours"
Reformatting now that the LLVM source is all removed and before it gets
updated to support modern LLVM versions.
Add a test where freshclam receives a zero-byte cdiff to trigger a whole
CVD database download, and the CVD served is older than advertised.
This is a regression test for a bug found & fixed by Andrew Williams.
This commit fixes a bug in the libfreshclam error handling where, if
either of the following scenarios is encountered, the CVD download
attempt may be retried multiple times and always result in failure:
Scenario 1:
- Incremental downloads via CDIFFs are stopped because an empty CDIFF
file is encountered, and
- The CVD downloaded from the configured mirror is older than the
version advertised via DNS (for example, due to caching)
Scenario 2:
- Incremental downloads via CDIFFs fail, and
- The local database is more than 1 version out of date, and
- The CVD downloaded from the configured mirror is older than the
version advertised via DNS (for example, due to caching)
This bug was discovered by Coverity:
317956 Logically dead code
In updatedb: Code can never be reached because of a logical
contradiction
Adds 3 tests to validate that:
1. a CDIFF update works
2. a CDIFF partial update (with 1 missing CDIFF) works
and that a subsequent update is ok with being 1 behind
3. a CDIFF partial update (with 2 missing CDIFFs) works
and that a subsequent update will try to get the WHOLE CVD -
because being 2+ CDIFFs behind without any update isn't good enough.
Also fixed a minor bug so that the database name is properly displayed
when a partial update occurs instead of displaying "(null)".
Also changed the freshclam test port to 8001 to deconflict with
CVD-Update, in case that's running in the background.
TODO: Make the tests smarter so they find an open port instead of
hoping that 8001 is available.
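An added model (not libfreshclam's code) of the update decision the scenarios and tests above describe, with the mirror reduced to the first CDIFF it lacks and the CVD version it serves; how a CVD that is older than advertised is handled is an assumption, noted in the comments.

```c
/* Added model of the update decision the tests above exercise; not libfreshclam's code.
 * A mirror is simulated by the first CDIFF version it lacks (0 = none; an empty CDIFF
 * counts as lacking) and the CVD version it serves, which may lag the DNS-advertised
 * version because of caching. */
typedef struct { int cdiff_missing; int cvd_version; } mirror_t;
typedef enum { UP_TO_DATE, UPDATED_CDIFF, UPDATED_CVD, FAILED } result_t;

/* One freshclam run: advances *local and reports the outcome. */
result_t update(int *local, int advertised, mirror_t m) {
    if (*local >= advertised)
        return UP_TO_DATE;
    /* Incremental path: apply CDIFFs in order until one is missing or empty. */
    int reached = *local;
    for (int v = *local + 1; v <= advertised; v++) {
        if (m.cdiff_missing != 0 && v >= m.cdiff_missing)
            break;
        reached = v;
    }
    if (reached > *local) {
        *local = reached;            /* full or partial update; this run is done */
        return UPDATED_CDIFF;
    }
    /* No CDIFF progress: one version behind is tolerated (the mirror may not have the
     * newest CDIFF yet); two or more behind means fetch the whole CVD. */
    if (advertised - *local <= 1)
        return UP_TO_DATE;
    /* Assumption of this model: a CVD newer than the local copy is accepted even when it
     * is older than advertised (cache lag), so the run ends with a decision instead of
     * retrying a download that can never reach the advertised version. */
    if (m.cvd_version <= *local)
        return FAILED;
    *local = m.cvd_version;
    return UPDATED_CVD;
}

/* Runs `runs` consecutive updates from `start`; returns the last outcome and, when
 * `final` is non-null, the resulting local version. */
result_t simulate(int start, int advertised, mirror_t m, int runs, int *final) {
    result_t r = UP_TO_DATE;
    for (int i = 0; i < runs; i++)
        r = update(&start, advertised, m);
    if (final) *final = start;
    return r;
}
/* Same sequence, returning only the final version. */
int final_version(int start, int advertised, mirror_t m, int runs) {
    int v;
    simulate(start, advertised, m, runs, &v);
    return v;
}
```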
The URL registry.hub.docker.com was apparently deprecated for a while,
and started to give 404 errors as of today for some repos. The correct
URL is index.docker.io, so let's use that instead.
Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
Cloudflare deprecated the __cfduid cookie which caused ClamSubmit
failures on systems that stopped receiving the cookie.
This commit removes support for the __cfduid cookie.
Also made the session cookie optional, in case that disappears too.
Changed error messages over to use the logg() function like our other apps.
Tidied up some of the logic, and changed "cleanup" label to "done" to
match other code.
The for loop in cli_bcomp_scanbuf contains a few "continue" directives
that do not free the three-bytes subsigid buffer allocated within the
loop. This code path is triggered only when a signature contains more
than one byte compare subsignatures. Over a significant amount of time,
as for example when using clamd, this leads to memory exhaustion.
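The leak pattern described above, as an added illustration (not ClamAV's code): the per-iteration buffer is lost on every `continue`, and the fix gives the loop body a single release point. The subsignature filter and the allocation counters are constructed for the demo.

```c
#include <stdlib.h>
#include <string.h>

/* Added illustration of the leak pattern described above; not ClamAV's code. The
 * counters stand in for valgrind so the balance of allocations can be checked. */
static int allocs = 0, frees = 0;

static char *get_subsigid(const char *sig) {
    char *id = malloc(3);                 /* three-byte subsig id, as in the bug report */
    if (id) { memcpy(id, sig, 3); allocs++; }
    return id;
}
static void put_subsigid(char *id) { if (id) { free(id); frees++; } }
/* Hypothetical per-subsignature filter: ids starting with '0' apply, 'x' in the
 * second position marks an entry to skip. */
static int applies(const char *id) { return id[0] == '0'; }
static int skip(const char *id)    { return id[1] == 'x'; }

/* Leaky form: each `continue` bypasses the free at the end of the loop body. */
int scan_leaky(const char *sigs[], int n) {
    int matched = 0;
    for (int i = 0; i < n; i++) {
        char *id = get_subsigid(sigs[i]);
        if (!id) return -1;
        if (!applies(id)) continue;       /* id leaks here */
        if (skip(id)) continue;           /* and here */
        matched++;
        put_subsigid(id);
    }
    return matched;
}

/* Fixed form: one release point that every path through the body reaches. */
int scan_fixed(const char *sigs[], int n) {
    int matched = 0;
    for (int i = 0; i < n; i++) {
        char *id = get_subsigid(sigs[i]);
        if (!id) return -1;
        if (applies(id) && !skip(id))
            matched++;
        put_subsigid(id);                 /* reached on every iteration */
    }
    return matched;
}

/* Runs fn over constructed subsignatures and returns how many id buffers leaked. */
int leaked_after(int (*fn)(const char *[], int)) {
    const char *sigs[] = {"01a", "1bc", "0xd", "00e"};
    allocs = frees = 0;
    fn(sigs, 4);
    return allocs - frees;
}
```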
The `cli_append_virus()` function does an FP check. If it is an FP, it
will return `CL_CLEAN` and the match/alert/virus should be discarded.
This fix will respect FP verdicts when appending virus name in ac and
bm matchers in all match mode.
If zip content is detected within a file by way of the embedded file
type recognition scan (in `scanraw()`), a raw scan of that "ZIPSFX" will
detect all subsequent zip entries as new ZIPSFX's. Though they aren't
actually scanned later, it shows up in the metadata JSON. This commit
prevents embedded file type detection for ZIPSFX like we already have
for ZIP.
Semi-related, the mach-o unibin parser presently allows scanning of FAT
partitions anywhere in the fmap, to include the very beginning of the
fmap. This would be an infinite loop, scanning the same file over and
over again, were it not for the scan recursion limit. With the recursion
limit, it's ok, but still bad behavior. This commit prevents scanning
FAT files from the mach-o unibin parser where the offset is less than
the end of the headers.
Also fixed an unsigned integer comparison in the OLE2 parser that
might overflow.
This commit updates the ordering of the internal FTM sigs to
match what's in daily.ftm today. No FTM signature changes are
included as part of this commit (only re-ordering).
The template includes a comment block at the top to direct security
issue reports towards the SECURITY.md instructions.
A comment block at the bottom provides instructions for how to share
files needed to reproduce the bug.
These comment blocks disappear when the report is submitted.
The older style markdown headers are used to match the headers printed
by the ClamConf tool, so that copy-pasted output from ClamConf looks
good in the bug report.
We would like to switch from Bugzilla to Github Issues. This will make
issue reporting more accessible (more folks have a Github account than a
bugzilla.clamav.net account) in addition to the benefits of a more
modern issue tracker.
However, GitHub Issues reports are always public. Vulnerability reports
will have to go somewhere else. The preferred option is to report them
to Cisco PSIRT after which PSIRT will coordinate with the ClamAV team
and the reporter to resolve the issue.
The mail parser uses asserts extensively to detect error conditions.
It's lazy error handling; good for prototyping but bad for production.
Release mode builds are fine in 0.103 with autotools and Visual
Studio but cmake release builds will crash because asserts are enabled
even for release.
In particular this assert(0) is a possible error condition in a
malformed mail file and should be handled properly.
This resolves:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31782#c2
The condition triggering Heuristics.PNG.CVE-2010-1205 is more common
than expected. Considering this type of malformed PNG is somewhat common
and the CVE is more than 10 years old, it is reasonable to place this
detection behind the --alert-broken-media (SCAN_HEURISTIC_BROKEN_MEDIA)
option.
This is a bit of a style thing, as freeing a NULL pointer isn't
dangerous. Still, we should only try to free the certificate name
if non-NULL, and then set it to NULL so it may not be accidentally
re-used if the code is later modified.
The iconv_open() function fails on Alpine because the musl iconv
implementation does not support //TRANSLIT.
See: https://github.com/akrennmair/newsbeuter/issues/364#issuecomment-250208235
This commit also makes it so `ctest` must pass when building the Docker
image, now that the tests with utf8 conversion are expected to pass.
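An added example (not ClamAV's code) of opening the converter with //TRANSLIT and falling back to plain UTF-8 when the libc rejects the suffix, checked on a constructed Latin-1 string.

```c
#include <iconv.h>
#include <string.h>

/* Added example; not ClamAV's code. Opens a converter to UTF-8, asking for //TRANSLIT
 * first and falling back to the plain target when the libc (musl, for instance) rejects
 * the suffix. *translit reports which variant was obtained. */
iconv_t open_utf8_converter(const char *from, int *translit) {
    iconv_t cd = iconv_open("UTF-8//TRANSLIT", from);
    int got_translit = (cd != (iconv_t)-1);
    /* EINVAL covers both "suffix not supported" and "charset unknown", so retry
     * without the suffix; if that fails too, the source charset itself is the problem. */
    if (!got_translit)
        cd = iconv_open("UTF-8", from);
    if (translit) *translit = got_translit;
    return cd;
}

/* Converts the NUL-terminated `in` (charset `from`) to UTF-8 in `out`;
 * returns the number of bytes written, or -1 on failure. */
long to_utf8(const char *from, const char *in, char *out, size_t outcap) {
    int translit;
    iconv_t cd = open_utf8_converter(from, &translit);
    if (cd == (iconv_t)-1) return -1;
    char *inp = (char *)in, *outp = out;
    size_t inleft = strlen(in), outleft = outcap;
    size_t rc = iconv(cd, &inp, &inleft, &outp, &outleft);
    iconv_close(cd);
    return rc == (size_t)-1 ? -1 : (long)(outcap - outleft);
}

/* Self-check on constructed input: Latin-1 "café" must become 5 UTF-8 bytes ending C3 A9. */
int check_latin1_cafe(void) {
    char out[16];
    long n = to_utf8("ISO-8859-1", "caf\xe9", out, sizeof out);
    return n == 5 && (unsigned char)out[3] == 0xC3 && (unsigned char)out[4] == 0xA9;
}
```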
Disable the HTTPUserAgent config option if the DatabaseMirror uses
clamav.net. This will prevent users from being inadvertently blocked and
will ensure that we can keep better metrics on which clamav versions are
being used.
This change is needed because we observed some users being blocked by
the new CDN rules when they set custom user-agents.
The FreshClam DAT file may be owned by root if run like so:
sudo freshclam -d
This is problematic because any future attempts to use FreshClam will
fail unless run as root/with sudo.
This commit fixes the issue by changing the file ownership if it exists
to the DatabaseOwner before dropping privileges. This has the benefit of
changing any previously existing files to be owned by the DatabaseOwner
for folks who were already affected by the bug.
Some users have scripts set up from long ago to delete mirrors.dat if
FreshClam failed. We used to recommend this if people had technical
issues because mirrors.dat would store a bunch of entries indicating
that all of their regional mirrors were failing and then FreshClam would
give up.
The new freshclam DAT file no longer stores that kind of information.
Deleting the DAT file is no longer sound advice.
We very much want the UUID, which is generated when creating the DAT
file, to persist between runs. So unless people go and change the
scripts to delete freshclam.dat instead, this commit should resolve the
concern.
Improvements to use modern block list and allow list verbiage.
blacklist -> block list
whitelist -> allow listed
blacklisted -> blocked
whitelisted -> allowed
In the case of certificate verification, use "trust" or "verify" when
something is allowed.
Also changed domainlist -> domain list (or DomainList) to match.
The subject and public key of each CRB signature used to be
printed in debug mode, but this will become increasingly
more noisy as we add more CRB rules. For now, given that the
number of CRB sigs is still low, only print this information
when running clamscan with the --dumpcerts parameter (or
equivalent clamd setting). If we ever get to the point where
we have hundreds of CRB rules and these log messages are
overwhelming when running with --dumpcerts, consider removing
the log messages entirely and update sigtool so that it can
nicely format and display CRB sigs using the --decode
parameter.
clamav-daemon.service requires clamav-daemon.socket but
it is missing from the build and install process.
Signed-off-by: Armin Kuster <akuster808@gmail.com>