Robert Allerstorfer | 2 Jan 2005 00:15

clamscan's '--unzip' option

Hi,

I noticed that Deflate64 compressed Zip archives are directly
supported by libclamav in recent ClamAV devel snapshots. Thanks for this
improvement. Since the BZip2 compression mode does not seem to be
supported, I tried the '--unzip' option for this, with the following
result, using the latest clamscan snapshot:

# clamscan-devel-20050101 --stdout --no-summary --unzip /root/clam/clam_BZip2.zip
/root/clam/clam_BZip2.zip: Zip module failure
unzip:  cannot find /root/clam/clam_BZip2.zip, /root/clam/clam_BZip2.zip.zip or /root/clam/clam_BZip2.zip.ZIP.
(raw) /root/clam/clam_BZip2.zip: OK

Hm, does not seem that unzip would help here.

Thanks for considering this,
rob.

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-devel

Tomasz Kojm | 2 Jan 2005 00:18

Re: clamscan's '--unzip' option

On Sun, 2 Jan 2005 00:15:39 +0100
Robert Allerstorfer <roal <at> anet.at> wrote:

> Hi,
> 
> I noticed that Deflate64 compressed Zip archives are directly
> supported by libclamav in recent ClamAV devel snapshots. Thanks for
> this improvement. Since the BZip2 compression mode does not seem to be
> supported, I tried the '--unzip' option for this, with the following
> result, using the latest clamscan snapshot:
> 
> # clamscan-devel-20050101 --stdout --no-summary --unzip /root/clam/clam_BZip2.zip
> /root/clam/clam_BZip2.zip: Zip module failure

Run clamscan with --debug and post the output here.

-- 
   oo    .....         Tomasz Kojm <tkojm <at> clamav.net>
  (\/)\.........         http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._         0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\              Sun Jan  2 00:17:40 CET 2005

Robert Allerstorfer | 2 Jan 2005 00:21

Re: clamscan's '--unzip' option

On Sun, 2 Jan 2005, 00:18 GMT+01 Tomasz Kojm wrote:

> On Sun, 2 Jan 2005 00:15:39 +0100
> Robert Allerstorfer <roal <at> anet.at> wrote:

>> Hi,
>> 
>> I noticed that Deflate64 compressed Zip archives are directly
>> supported by libclamav in recent ClamAV devel snapshots. Thanks for
>> this improvement. Since the BZip2 compression mode does not seem to be
>> supported, I tried the '--unzip' option for this, with the following
>> result, using the latest clamscan snapshot:
>> 
>> # clamscan-devel-20050101 --stdout --no-summary --unzip /root/clam/clam_BZip2.zip
>> /root/clam/clam_BZip2.zip: Zip module failure

> Run clamscan with --debug and post the output here.

# clamscan-devel-20050101 --stdout --no-summary --unzip --debug /root/clam/clam_BZip2.zip
LibClamAV debug: Loading databases from /var/clamav
LibClamAV debug: Loading /var/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 27091cc94b362b3fddfcb1f5a3dab9cc
LibClamAV debug: Decoded signature: 27091cc94b362b3fddfcb1f5a3dab9cc
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /tmp/clamav-89804dec8413345e/COPYING
LibClamAV debug: Unpacking /tmp/clamav-89804dec8413345e/daily.db
LibClamAV debug: Unpacking /tmp/clamav-89804dec8413345e/daily.hdb
LibClamAV debug: Unpacking /tmp/clamav-89804dec8413345e/daily.ndb

Robert Allerstorfer | 2 Jan 2005 12:29

Re: clamscan's '--unzip' option

> unzip:  cannot find /root/clam/clam_BZip2.zip,
> /root/clam/clam_BZip2.zip.zip or /root/clam/clam_BZip2.zip.ZIP.
> (raw) /root/clam/clam_BZip2.zip: OK

OK, I now found that the error message from unzip only occurs when unzip
runs as a user that has improper permissions to the .zip file in
question (which belongs to root). If I run unzip as root, the
Deflate64 compressed Zip archive will be unpacked without any problems:

# ls -l /root/clam/clam_Deflate64.zip
-rw-r--r--    1 root     root          379 Nov 25 11:47 /root/clam/clam_Deflate64.zip

# unzip -P clam -o /root/clam/clam_Deflate64.zip
Archive:  /root/clam/clam_Deflate64.zip
  inflating: clam.exe

However, doing the same as a normal user fails:

$ ls -l /root/clam/clam_Deflate64.zip
ls: /root/clam/clam_Deflate64.zip: Permission denied

$ unzip -P clam -o /root/clam/clam_Deflate64.zip
unzip:  cannot find /root/clam/clam_Deflate64.zip, /root/clam/clam_Deflate64.zip.zip or /root/clam/clam_Deflate64.zip.ZIP.

The error message unzip gives is a bit confusing. It seems that
libclamav always tries to run unzip as an unprivileged user, so it
will always fail to extract a file belonging to root.

But, I am wondering why clamscan then claims the scan result of the
file that failed to give a result to be OK.
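
Added example (not part of the original thread, and not ClamAV code): a shell filter for the case raised in the message above, where an archive module failure is followed by a `(raw) ...: OK` line for the same file. It reports such a file as INCOMPLETE instead of clean; the function names, verdict labels and 0/1/2 return convention are assumptions of this example, and the sample lines are constructed from clamscan output quoted in this thread.

```shell
#!/bin/sh
# Added example, not ClamAV code. Line formats follow the output quoted in this thread.

# Constructed sample: lines quoted in this thread plus one made-up clean file.
SAMPLE_OUTPUT='/root/clam/clam_BZip2.zip: Zip module failure
unzip:  cannot find /root/clam/clam_BZip2.zip, /root/clam/clam_BZip2.zip.zip or /root/clam/clam_BZip2.zip.ZIP.
(raw) /root/clam/clam_BZip2.zip: OK
////home/roal/clamav-devel-20050101/test/clam.zip: ClamAV-Test-File FOUND
/tmp/example-clean.txt: OK'

# Reads clamscan output on stdin, prints "<VERDICT> <path>" once per file.
classify_scan() {
    awk '
    function note(p) { if (!(p in seen)) { seen[p] = 1; order[++n] = p } }
    # "<path>: <Type> module failure": the archive contents were never scanned
    / module failure$/ { p = $0; sub(/: [^:]* module failure$/, "", p)
                         failed[p] = 1; note(p); next }
    # "<path>: <Signature> FOUND"
    / FOUND$/          { p = $0; sub(/: [^:]* FOUND$/, "", p)
                         sub(/^\(raw\) /, "", p); found[p] = 1; note(p); next }
    # "<path>: OK" or "(raw) <path>: OK"; a raw OK must not override a failure
    /: OK$/            { p = $0; sub(/: OK$/, "", p)
                         sub(/^\(raw\) /, "", p); note(p); next }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (p in found)       print "INFECTED", p
            else if (p in failed) print "INCOMPLETE", p
            else                  print "CLEAN", p
        }
    }'
}

# Return convention of this example (not clamscan exit codes):
# 0 = all clean, 1 = at least one infected, 2 = at least one not fully scanned.
scan_status() {
    verdicts=$(classify_scan)
    printf '%s\n' "$verdicts"
    if printf '%s\n' "$verdicts" | grep -q '^INFECTED '; then return 1; fi
    if printf '%s\n' "$verdicts" | grep -q '^INCOMPLETE '; then return 2; fi
    return 0
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | classify_scan
```

In a mail gateway or upload pipeline, a non-zero status from `scan_status` would be the signal to quarantine or reject rather than deliver.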

Tomasz Papszun | 3 Jan 2005 11:55

Re: clamscan's '--unzip' option

On Sun, 02 Jan 2005 at 12:29:42 +0100, Robert Allerstorfer wrote:
[...]
> OK, I now found that the error message from unzip only occurs when unzip
> runs as a user that has improper permissions to the .zip file in
> question (which belongs to root). If I run unzip as root, the
> Deflate64 compressed Zip archive will be unpacked without any problems:
> 
> # ls -l /root/clam/clam_Deflate64.zip
> -rw-r--r--    1 root     root          379 Nov 25 11:47 /root/clam/clam_Deflate64.zip
> 
> # unzip -P clam -o /root/clam/clam_Deflate64.zip
> Archive:  /root/clam/clam_Deflate64.zip
>   inflating: clam.exe
> 
> However, doing the same as a normal user fails:
> 
> $ ls -l /root/clam/clam_Deflate64.zip
> ls: /root/clam/clam_Deflate64.zip: Permission denied

Permissions of clam_Deflate64.zip aren't enough. The full path must be
accessible. I presume  /root  is  drwx------ 

> $ unzip -P clam -o /root/clam/clam_Deflate64.zip
> unzip:  cannot find /root/clam/clam_Deflate64.zip, /root/clam/clam_Deflate64.zip.zip or /root/clam/clam_Deflate64.zip.ZIP.
> 
> The error message unzip gives is a bit confusing. It seems that
> libclamav always tries to run unzip as an unprivileged user, so it
> will always fail to extract a file belonging to root.

False. The following file does belong to root:

tushar | 4 Jan 2005 12:22

Cross compilation

Hi,
I am trying to cross compile clam for xscale. While running
configure I am getting the following error.
  .

   checking for stdlib.h... (cached) yes
   checking for unistd.h... (cached) yes
   checking for getpagesize... yes
   checking for working mmap... no
   checking for _LARGEFILE_SOURCE value needed for large files... 1
   checking for fseeko... yes
   checking whether snprintf correctly terminates long strings... configure: error: cannot run test program while cross compiling
       See `config.log' for more details.

I have seen a mail from "Amir Goldstein" in the archive but I
am not able to get the patch. Please tell me how to
configure and compile it.
Thanks
Tushar

Robert Allerstorfer | 5 Jan 2005 11:44

Re: clamscan's '--unzip' option

On Mon, 3 Jan 2005, 11:55 GMT+01 Tomasz Papszun wrote:

> On Sun, 02 Jan 2005 at 12:29:42 +0100, Robert Allerstorfer wrote:

>> $ ls -l /root/clam/clam_Deflate64.zip
>> ls: /root/clam/clam_Deflate64.zip: Permission denied

> Permissions of clam_Deflate64.zip aren't enough. The full path must be
> accessible. I presume  /root  is  drwx------ 

/root has drwxr-x--- but yes, that has the same effect to clamscan's
invoking mechanism for calling an external unpacking program.

>> $ unzip -P clam -o /root/clam/clam_Deflate64.zip
>> unzip:  cannot find /root/clam/clam_Deflate64.zip,
>> /root/clam/clam_Deflate64.zip.zip or
>> /root/clam/clam_Deflate64.zip.ZIP.
>> 
>> The error message unzip gives is a bit confusing. It seems that
>> libclamav always tries to run unzip as an unprivileged user, so it
>> will always fail to extract a file belonging to root.

> False. The following file does belong to root:

> $ ls -l /tmp/test.zip
> -rw-r--r--    1 root     root          248 Jan  3 11:48 /tmp/test.zip

> Still, clamscan scans it successfully:

> $ clamscan /tmp/test.zip

Robert Allerstorfer | 5 Jan 2005 11:50

cosmetic issue: ////path-to-file

Hi,

if I run
clamscan [options] /

the log contains lines like this:

////home/roal/clamav-devel-20050101/test/clam.zip: ClamAV-Test-File FOUND

In ClamAV 0.80 the reported path was printed as

//home/roal/clamav-devel-20050101/test/clam.zip

Doesn't seem that this is intended, does it?

rob.


Tomasz Papszun | 5 Jan 2005 13:25

Re: clamscan's '--unzip' option

On Wed, 05 Jan 2005 at 11:44:35 +0100, Robert Allerstorfer wrote:
> On Mon, 3 Jan 2005, 11:55 GMT+01 Tomasz Papszun wrote:
> 
> > On Sun, 02 Jan 2005 at 12:29:42 +0100, Robert Allerstorfer wrote:
> 
> >> $ ls -l /root/clam/clam_Deflate64.zip
> >> ls: /root/clam/clam_Deflate64.zip: Permission denied
> 
> > Permissions of clam_Deflate64.zip aren't enough. The full path must be
> > accessible. I presume  /root  is  drwx------ 
> 
> /root has drwxr-x--- but yes, that has the same effect to clamscan's

Yes, it's accessible for "root" group, but not for other users, so
effectively it's _not_ accessible for ordinary user.

> invoking mechanism for calling an external unpacking program.
> 
> >> $ unzip -P clam -o /root/clam/clam_Deflate64.zip
> >> unzip:  cannot find /root/clam/clam_Deflate64.zip,
> >> /root/clam/clam_Deflate64.zip.zip or
> >> /root/clam/clam_Deflate64.zip.ZIP.
> >> 
> >> The error message unzip gives is a bit confusing. It seems that
> >> libclamav always tries to run unzip as an unprivileged user, so it
> >> will always fail to extract a file belonging to root.
> 
> > False. The following file does belong to root:
> 
> > $ ls -l /tmp/test.zip

Robert Allerstorfer | 5 Jan 2005 14:26

Re: clamscan's '--unzip' option

On Wed, 5 Jan 2005, 13:25 GMT+01 Tomasz Papszun wrote:

> On Wed, 05 Jan 2005 at 11:44:35 +0100, Robert Allerstorfer wrote:
[...]
>> yes, but when the .zip file resides in a directory that is only
>> read- & executable by root, clamscan's call of unzip fails. And the
>> exit code is zero, meaning no virus has been detected, even when the
>> zip contains a virus. Shouldn't clamscan exit with a number greater
>> than one?
>> 

> We need more "debugging" of your example, I'm afraid.
> My quick tests do _not_ confirm your observation.

> # ls -ld /root
> drwx------    5 root     root        11264 Jan  5 13:17 /root/
> # ls -l /root/test.zip
> -rw-r--r--    1 root     root          248 Jan  5 13:17 /root/test.zip
> # ls -l /root/no-such-file
> ls: /root/no-such-file: No such file or directory

> $ clamscan /root/test.zip
> ERROR: Can't access file /root/test.zip
> /root/test.zip: Permission denied

> $ echo $?
> 56

> $ clamscan /root/no-such-file
> ERROR: Can't access file /root/no-such-file

