[clamav-users] clamav-unofficial-sigs download script updated
Michael Orlitzky
michael at orlitzky.com
Fri Jan 31 14:06:08 UTC 2020
On 1/31/20 2:47 AM, Steve Basford wrote:
> Hi All,
>
> eXtremeSHOK.com's clamav-unofficial-sigs download script has been
> updated:
>
> https://github.com/extremeshok/clamav-unofficial-sigs
>
> Change Log
>
> Version 7.0.1 (Updated 25 January 2020)
>
Beware, as of a few versions ago this script is filled with a million
unsafe uses of chown and chmod, running as root. The script should never
be using chown/chmod in the first place, so all of these are wrong,
$ grep 'chown\|chmod' clamav-unofficial-sigs.sh | wc -l
40
and many of them are exploitable if the clamav user swaps out one of the
targets for a symlink pointing to e.g. /etc/passwd. And since the script
runs on a predictable schedule, you have all the time in the world to do
that.
More information about the clamav-users
mailing list