[clamav-users] Question regarding the 0.103.1 PNG bug fix
Micah Snyder (micasnyd)
micasnyd at cisco.com
Wed Mar 3 21:33:37 UTC 2021
Hello!
File type detection is performed primarily with file type magic (FTM) signatures loaded from daily.cvd. If you unpack daily.cvd, you’ll find them in daily.ftm. The signature format is documented here: https://www.clamav.net/documents/file-type-magic
By adjusting these signatures, we disabled detecting PNG files as “CL_TYPE_PNG” for 0.103.0 and prior, instead detecting PNG files as “CL_TYPE_GRAPHICS” as it had been before.
If you look at daily.ftm now, the PNG related signatures are:
0:0:89504e47:PNG:CL_TYPE_ANY:CL_TYPE_GRAPHICS::121
0:0:89504e47:PNG:CL_TYPE_ANY:CL_TYPE_PNG:122
For 0.103.1+, PNG files will detect as CL_TYPE_PNG which will enable the (fixed) PNG parser. Because we’re able to effectively mitigate the issue by disabling PNG file type detection, which wasn’t working correctly in other ways from an efficacy standpoint due to other bugs anyways, we didn’t request a CVE or publish an advisory.
-Micah
From: clamav-users <clamav-users-bounces at lists.clamav.net> On Behalf Of Pierre Olivier KAPLAN
Sent: Wednesday, March 3, 2021 5:12 AM
To: clamav-users at lists.clamav.net
Subject: [clamav-users] Question regarding the 0.103.1 PNG bug fix
Hello,
I have two questions regarding the 0.103.1 Release Notes.
In the bug fixes, an issue is mentioned with some PNG file parsing causing a stack exhaustion. Why isn't this categorized as a vulnerability, as it allows DoS attacks?
It is also mentioned that a signature exists to avoid the parsing. But I couldn't find it in the database. Do you know which one we shall use?
Thanks in advance for your help
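
How the two daily.ftm lines quoted in the reply select a file type by engine functionality level, as an added example that is not part of the original thread and is not ClamAV code. It assumes the field layout from the linked file-type-magic documentation (magictype:offset:magicbytes:name:rtype:type[:min_flevel[:max_flevel]]); the helper names are hypothetical and only magictype 0 (direct byte comparison at a fixed offset) is handled.

```python
from typing import NamedTuple, Optional

# The two PNG signatures quoted in the message above.
DAILY_FTM_PNG = [
    "0:0:89504e47:PNG:CL_TYPE_ANY:CL_TYPE_GRAPHICS::121",
    "0:0:89504e47:PNG:CL_TYPE_ANY:CL_TYPE_PNG:122",
]

class FtmSig(NamedTuple):  # hypothetical helper type, not a ClamAV structure
    magictype: int
    offset: str
    magic_hex: str
    name: str
    rtype: str
    type: str
    min_flevel: Optional[int]  # None means no lower bound
    max_flevel: Optional[int]  # None means no upper bound

def parse_ftm(line: str) -> FtmSig:
    """Split one .ftm line; the two trailing flevel fields are optional."""
    f = line.strip().split(":")
    if not 6 <= len(f) <= 8:
        raise ValueError(f"unexpected field count: {line!r}")
    f += [""] * (8 - len(f))
    lo = int(f[6]) if f[6] else None
    hi = int(f[7]) if f[7] else None
    return FtmSig(int(f[0]), f[1], f[2], f[3], f[4], f[5], lo, hi)

def active(sig: FtmSig, flevel: int) -> bool:
    """True if an engine at this functionality level loads the signature."""
    return ((sig.min_flevel is None or flevel >= sig.min_flevel) and
            (sig.max_flevel is None or flevel <= sig.max_flevel))

def detect_type(data: bytes, lines, flevel: int) -> Optional[str]:
    """Type the first active, matching magictype-0 signature assigns."""
    for sig in map(parse_ftm, lines):
        if sig.magictype != 0 or not active(sig, flevel):
            continue
        off = int(sig.offset)
        magic = bytes.fromhex(sig.magic_hex)
        if data[off:off + len(magic)] == magic:
            return sig.type
    return None

PNG_HEADER = bytes.fromhex("89504e470d0a1a0a")  # constructed sample input

if __name__ == "__main__":
    for flevel in (121, 122):  # the two bounds used in the signatures
        print(flevel, detect_type(PNG_HEADER, DAILY_FTM_PNG, flevel))
```
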