This is a discussion on [AMaViS-user] taint checking problems? within the Amavis User forums, part of the Anti-Spam and Anti-Virus Related Forums category.
We are having problems with amavis checking RAR, LHA, ARC and ZOO files. Some debugging shows that it's barfing at the exec() in fh_copy(), called by store_mgr(), called by do_unrar() and buddies.

Evidence: (running amavis from command line, with debugging on)

----------------------------------------------------------------
Aug 7 22:11:05 mymailserver-mail amavis[27957]: Extracting mime components
Aug 7 22:11:05 mymailserver-mail amavis[27957]: Level: 1, parts: 2
Aug 7 22:11:05 mymailserver-mail amavis[27957]: Archive nesting depth: 0
Aug 7 22:11:05 mymailserver-mail amavis[27957]: File-type of msg-27957-1.txt: ASCII text
Aug 7 22:11:05 mymailserver-mail amavis[27957]: msg-27957-1.txt is atomic
Aug 7 22:11:05 mymailserver-mail amavis[27957]: File-type of msg-27957-2.rar: RAR archive data, v1d, os: Unix
Aug 7 22:11:05 mymailserver-mail amavis[27957]: Expanding RAR archive msg-27957-2.rar
Aug 7 22:11:05 mymailserver-mail amavis[27962]: Decoding of msg-27957-2.rar (RAR archive data, v1d, os: Unix) failed, leaving it unpacked: Insecure dependency in exec while running with -T switch at /root/amavis line 1073. (message-id=<42EF4535.9040800@mydomain.com>)
Aug 7 22:11:05 mymailserver-mail amavis[27962]: msg-27957-2.rar is atomic
Aug 7 22:11:05 mymailserver-mail amavis[27962]: Using clamav
Aug 7 22:11:05 mymailserver-mail amavis[27962]: /var/amavis/amavis-09704957/parts/msg-27957-1.txt: OK
/var/amavis/amavis-09704957/parts/msg-27957-2.rar: RAR module failure
/var/amavis/amavis-09704957/parts/part-00001: Empty file
-----------------------------------------------------------------

The problem seems to be that there is no detainting of the filenames derived from the archives, so Perl rightly dies before it tries to exec something.

Consider this: if there was a RAR file that had a compressed file called "MyDoc ; rm -rf /" (yes, can be done - tested something similar with an LHA file). This would be bad if not detainted.

Is this a bug with amavis? As far as I can tell, no RAR et al files are going to get through, virus-free or not.

My makeshift patch was:

# diff amavis amavis.orig 1573,1579d1572 < do_log(0,"untainting $_"); < if ($_ =~ /^([-\@\w.]+)$/) { < $_ = $1; < } else { < die "Bad data in \"$_\""; # log this somewhere < } <

This works, until you get one of the nasty files mentioned above.

Our system:
OS: Mandrake Linux 10.0 Community
Amavis: 0.3.12 (hand-rolled, not RPM)
MTA: Postfix 2.1.5
AV: Clamav 0.86.2

BTW, first post, recent subscription, though I searched the mail archives, the FAQs, bug lists and Google in general.

Thanks,
Tony Lewis
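
Review bot: the pattern /^([-\@\w.]+)$/ in the added lines is looser than it reads. In Perl, `$` also matches before a trailing newline, and the character class lets a name begin with `-` (which a command-line tool may read as an option) or consist only of `.` or `..`. Anchoring with `\A` and `\z` and requiring a first character other than `-` or `.` closes those cases. The do_log(0,"untainting $_") call writes the raw, unvalidated name to the log before the check runs; logging after validation would be safer. The diff was also produced as `diff amavis amavis.orig`, so the new lines appear as `<` deletions and it will not apply as a patch; `diff -u amavis.orig amavis` gives the usual direction.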
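
The untainting discussed in the post above, as an added example that is not part of the original post and not amavis code: a stricter allowlist for archive member names, combined with running the external program without a shell. The helper names `untaint_member_name` and `run_no_shell` are hypothetical, `/bin/echo` stands in for the real unpacker, and the member names are constructed samples.

```perl
#!/usr/bin/perl -T
# Added example: hypothetical helpers, constructed sample names.
use strict;
use warnings;
use Scalar::Util qw(tainted);

$| = 1;
# Taint mode refuses to run programs until the environment is cleaned.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted copy of an archive member name, or undef if unsafe.
sub untaint_member_name {
    my ($name) = @_;
    return undef unless defined $name;
    # \A and \z anchor the whole string ("$" would allow a trailing newline).
    # The first character may not be "-" (option-like) or "." (".", "..").
    return $name =~ /\A([\@\w][-\@\w.]*)\z/ ? $1 : undef;
}

# Run a program with an explicit argument list, so no shell ever parses
# the arguments and ";" or spaces in a name have no special meaning.
sub run_no_shell {
    my @cmd = @_;
    my $rc = system { $cmd[0] } @cmd;
    return $rc == 0;
}

# Zero-length tainted string, used to mark the samples as untrusted input.
my $taint = substr("$0$^X", 0, 0);

for my $raw ('report.doc', 'a@b.txt', 'MyDoc ; rm -rf /', '-rf', '..', "ok.txt\n") {
    my $name  = $raw . $taint;               # tainted, like a name read from an archive
    my $clean = untaint_member_name($name);
    (my $shown = $raw) =~ s/\n/\\n/g;        # printable form for the report
    if (defined $clean) {
        print "accept [$shown] still tainted: ", (tainted($clean) ? 'yes' : 'no'), "\n";
        # /bin/echo is a stand-in for the unpacker binary.
        run_no_shell('/bin/echo', 'would extract:', $clean)
            or warn "command failed for $clean\n";
    } else {
        print "reject [$shown]\n";
    }
}
```

Run it as `perl -T script.pl` or as an executable file, since Perl requires `-T` on the command line when it appears on the `#!` line.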