Mailing List Archive

[clamav-users] An example of why ClamAV should be able to scan disk images (which are typically over 2 GB)
CVE-2021-44879

Wenqing Liu reported a NULL pointer dereference in the f2fs
implementation. An attacker able to mount a specially crafted image
                                            ^^^^^^^^^^^^^^^^^^^^^^^
can take advantage of this flaw for denial of service.

From "Debian Security Advisory DSA-5594-1"
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] An example of why ClamAV should be able to scan disk images (which are typically over 2 GB)
On Tue, 2 Jan 2024, Paul Kosinski via clamav-users wrote:

> CVE-2021-44879
>
> Wenqing Liu reported a NULL pointer dereference in the f2fs
> implementation. An attacker able to mount a specially crafted image
>                                             ^^^^^^^^^^^^^^^^^^^^^^^
> can take advantage of this flaw for denial of service.
>
> From "Debian Security Advisory DSA-5594-1"

Do you have a ClamAV rule for that?
I don't see how ClamAV would find that unless it did an fsck-like
scan of the image. If it used the system tools, it would trigger the
vulnerability; if it did its own scan it would be susceptible to
software rot and I don't see how it would avoid false positives when
looking for null (long?)words in special places.

[. Not sure why Debian is fixing this now
when Ubuntu fixed it nearly two years ago. ]

I agree that it would be good to get rid of the 2GB limit
though I can see that it could require changes throughout the code
and break backward compatibility.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk