[clamav-users] After 0.100.1 Update, clamd crashes

Paul Kosinski clamav-users at iment.com
Tue Jul 31 14:41:43 EDT 2018


I must say that I agree. To have ClamAV crash on a badly formed
signature is as bad (or worse) as having it crash while scanning.

Since ClamAV tends to be run with automatic updates to its DB, having a
bad signature cause it to crash can result in email blockage or a total
lack of AV service (including perhaps letting bad emails through).

Even if clamd is auto-restarted (e.g., via systemd), it will likely
crash each time, and thus be unavailable.

Software should *never* crash when presented with invalid input,
especially if the input arrives via the Internet. And it's quite
conceivable that some especially clever bad guy might attack the source
of signatures to incapacitate ClamAV, or, in the worst case, to cause it
to execute arbitrary code instead of "merely" crashing.


On Tue, 31 Jul 2018 18:14:29 +0100 (BST)
"G.W. Haywood" <clamav at jubileegroup.co.uk> wrote:

> Hi there,
> 
> On Tue, 31 Jul 2018, Steve Basford wrote:
> 
> > My little issue is with this statement:
> > 
> > "It wasn't quite clear at the offset of this bug, but ClamAV cannot
> > support unofficial signatures from a development standpoint. For
> > numerous reasons, we do not regress against those signatures, and
> > in cases where sig writers publish non-functional signatures due to
> > insufficient testing (which then cause crashes in newer versions of
> > clam) we cannot devote our resources to fixing that
> > problem." (above Bugzilla)
> 
> I'll take issue with that statement too.  That's a cr at p developer
> attitude.
> 
> If an unofficial signature causes (or is even _capable_ of causing)
> clam to crash, that's a fault in clam that needs to be fixed.
> 
> If nothing else it means that you're quite likely less secure if
> you're running clam on Linux than you are if you're _not_ running it.
> 



More information about the clamav-users mailing list