Bug 1316140

Summary: clamav: Missing error return value when DoS protection terminates scanning
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: janfrode, j, mstevens, ondrejj, orion, redhat-bugzilla, rhbugs, sergio
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-19 02:13:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1316141, 1316142    
Bug Blocks:    

Description Adam Mariš 2016-03-09 14:05:27 UTC 
When using clamscan on very large file, DoS protection terminating the scanning may apply, returning 0 value, just as in case of successfull scan. If application relies on return value of clamscan, it is possible to trick the application to hide malicious code in very large file, so the DoS protection in clamscan occurs, returning successful return value.

Upstream bug:

https://bugzilla.clamav.net/show_bug.cgi?id=11522

Debian report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=817067
Comment 1 Adam Mariš 2016-03-09 14:06:13 UTC 
Created clamav tracking bugs for this issue:

Affects: fedora-all [bug 1316141]
Affects: epel-all [bug 1316142]
Comment 2 Orion Poplawski 2016-06-14 21:32:41 UTC 
Could I be given access to the upstream bug report?
Comment 3 Sergio Basto 2017-07-17 13:22:22 UTC 
(In reply to Orion Poplawski from comment #2)
> Could I be given access to the upstream bug report?

+1 , Orion have you already access to this bug report ?
Comment 4 Sergio Basto 2017-07-17 13:48:15 UTC 
fix 0.99.3 false negative of virus Pdf.Exploit.CVE_2016_1046-1. 

https://github.com/vrtadmin/clamav-devel/commit/167c0079292814ec5523d0b97a9e1b002bf8819b

is this CVE ?
Comment 5 Orion Poplawski 2017-07-17 15:25:27 UTC 
(In reply to Sergio Monteiro Basto from comment #3)
> (In reply to Orion Poplawski from comment #2)
> > Could I be given access to the upstream bug report?
> 
> +1 , Orion have you already access to this bug report ?

Nope.
Comment 6 Sergio Basto 2018-01-11 17:36:37 UTC 
(In reply to Sergio Monteiro Basto from comment #4)
> fix 0.99.3 false negative of virus Pdf.Exploit.CVE_2016_1046-1. 
> 
> https://github.com/vrtadmin/clamav-devel/commit/
> 167c0079292814ec5523d0b97a9e1b002bf8819b
> 
> is this CVE ?

No, this fix is only applicable to 0.99.3 , conclusion this vulnerability may be closed as not a real vulnerability and won't fix until update to 0.99.3 release