Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6596 to the following vulnerability: ClamAV 0.92 does not recognize Base64 UUEncoded archives, which allows remote attackers to bypass the scanner via a Base64-UUEncoded file. References: http://www.securityfocus.com/archive/1/archive/1/485631/100/0/threaded http://www.securityfocus.com/bid/27064
Some do not consider this a security flaw and consider it a flaw of mail clients which open files encoded in a nonstandard way. [1] It makes some sense, but it definitely makes more sense to protect all possible clients therefore we do consider it a problem. I guess it is nontrivial to add and maintain a base64 decoder in our package -- is upstream going to implement this? [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458532
Upstream statement: http://lurker.clamav.net/message/20080102.195717.b4bbdef2.en.html This is not really a security bug but rather a lack of feature. Any (massive) attempt to bypass the uuencode decoder can be stopped with regular signatures thanks to the fact that ClamAV additionally scans all files in raw mode. Upstream considers this as RFE as well. I'm closing this as UPSTREAM. If this will be implemented upstream, we'll have the "fix" after next re-base, which happens frequently in Fedora and EPEL.