[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-6156-g094ec9b
Tomasz Kojm
tkojm at clamav.net
Sun Apr 4 01:06:49 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 6416cdef152d713836392737c0aa34497ec55015
Author: Tomasz Kojm <tkojm at clamav.net>
Date: Fri Oct 2 14:36:27 2009 +0200
libclamav: unify fp checking; output fp signatures in debug mode
diff --git a/ChangeLog b/ChangeLog
index a457004..b3bf2ef 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+Fri Oct 2 14:35:42 CEST 2009 (tk)
+----------------------------------
+ * libclamav: unify fp checking; output fp signatures in debug mode
+
Fri Oct 2 14:33:09 CEST 2009 (tk)
----------------------------------
* libclamav/scanners.c: fix whitelisting of scripts (bb#1706)
diff --git a/libclamav/elf.c b/libclamav/elf.c
index 8d8724a..9239640 100644
--- a/libclamav/elf.c
+++ b/libclamav/elf.c
@@ -216,7 +216,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_EFORMAT;
}
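Review bot: The four-line `if(DETECT_BROKEN) { ... return CL_VIRUS; }` block edited here is repeated verbatim in the other eight cli_scanelf hunks and in most of the cli_scanpe hunks, so this commit had to touch each copy by hand. macho.c already wraps the same sequence in a macro (its hunk in this commit shows the backslash-continued body). A shared helper or macro for elf.c and pe.c would keep the "Broken.Executable" verdict path in one place and make a future change to it hard to apply inconsistently. The body of cli_scanelf extends beyond this hunk.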
@@ -229,7 +229,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_EFORMAT;
}
@@ -240,7 +240,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN;
}
@@ -282,7 +282,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN;
}
@@ -303,7 +303,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_EFORMAT;
}
@@ -320,7 +320,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_EFORMAT;
}
@@ -331,7 +331,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_EFORMAT;
}
@@ -343,7 +343,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN;
}
@@ -387,7 +387,7 @@ int cli_scanelf(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN;
}
diff --git a/libclamav/macho.c b/libclamav/macho.c
index 4fe8846..a158ae9 100644
--- a/libclamav/macho.c
+++ b/libclamav/macho.c
@@ -176,7 +176,7 @@ struct macho_fat_arch
if(DETECT_BROKEN) { \
if(ctx->virname) \
*ctx->virname = "Broken.Executable"; \
- return cli_checkfp(fd, ctx) ? CL_CLEAN : CL_VIRUS; \
+ return CL_VIRUS; \
} \
return CL_EFORMAT
diff --git a/libclamav/matcher.c b/libclamav/matcher.c
index 525c856..f25119a 100644
--- a/libclamav/matcher.c
+++ b/libclamav/matcher.c
@@ -287,8 +287,11 @@ int cli_caloff(const char *offstr, struct cli_target_info *info, int fd, unsigne
int cli_checkfp(int fd, cli_ctx *ctx)
{
unsigned char *digest;
+ char md5[33];
+ unsigned int i;
const char *virname;
off_t pos;
+ struct stat sb;
if((pos = lseek(fd, 0, SEEK_CUR)) == -1) {
@@ -311,6 +314,14 @@ int cli_checkfp(int fd, cli_ctx *ctx)
lseek(fd, pos, SEEK_SET);
return 1;
}
+
+ if(fstat(fd, &sb) != -1) {
+ for(i = 0; i < 16; i++)
+ sprintf(md5 + i * 2, "%02x", digest[i]);
+ md5[32] = 0;
+ cli_dbgmsg("FP SIGNATURE: %s:%u:%s\n", md5, (unsigned int) sb.st_size, *ctx->virname ? *ctx->virname : "Name");
+ }
+
free(digest);
}
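Review bot: The new `cli_dbgmsg` call dereferences `ctx->virname` without testing the pointer itself, while the elf.c and pe.c call sites in this same commit guard every write with `if(ctx->virname)`; a context without a virname slot would fault here. Test the pointer first, e.g. `(ctx->virname && *ctx->virname) ? *ctx->virname : "Name"`. The size is cast to `unsigned int`, which truncates for files of 4 GiB or more where `off_t` is 64-bit and would print a signature line whose size field cannot match the file; a wider type such as `%lu` with `(unsigned long) sb.st_size` avoids that. As far as the hunk shows, the `fstat` and the hex formatting also run on every non-whitelisted detection whether or not debug output is enabled. The body of cli_checkfp starts above this hunk.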
@@ -424,11 +435,7 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc
cli_ac_freedata(&tdata);
if(bm_offmode)
cli_bm_freeoff(&toff, troot);
-
- if(cli_checkfp(desc, ctx))
- return CL_CLEAN;
- else
- return CL_VIRUS;
+ return CL_VIRUS;
}
}
@@ -444,10 +451,7 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc
if(bm_offmode)
cli_bm_freeoff(&toff, troot);
}
- if(cli_checkfp(desc, ctx))
- return CL_CLEAN;
- else
- return CL_VIRUS;
+ return CL_VIRUS;
} else if((acmode & AC_SCAN_FT) && ret >= CL_TYPENO) {
if(ret > type)
@@ -506,13 +510,8 @@ int cli_scandesc(int desc, cli_ctx *ctx, cli_file_t ftype, uint8_t ftonly, struc
cli_ac_freedata(&gdata);
}
- if(ret == CL_VIRUS) {
- lseek(desc, 0, SEEK_SET);
- if(cli_checkfp(desc, ctx))
- return CL_CLEAN;
- else
- return CL_VIRUS;
- }
+ if(ret == CL_VIRUS)
+ return CL_VIRUS;
if(!ftonly && ctx->engine->md5_hdb) {
cli_md5_final(digest, &md5ctx);
diff --git a/libclamav/pe.c b/libclamav/pe.c
index c8b1029..157060b 100644
--- a/libclamav/pe.c
+++ b/libclamav/pe.c
@@ -469,7 +469,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN;
}
@@ -605,7 +605,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
if(nsections)
cli_warnmsg("PE file contains %d sections\n", nsections);
@@ -625,7 +625,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN;
}
@@ -635,7 +635,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN;
}
@@ -648,7 +648,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN;
}
@@ -664,7 +664,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
cli_dbgmsg("9x compatibility mode\n");
}
@@ -706,7 +706,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN;
}
@@ -787,14 +787,14 @@ int cli_scanpe(int desc, cli_ctx *ctx)
cli_dbgmsg("Bad virtual alignemnt\n");
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
if (DETECT_BROKEN && !native && (!(pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment)) || (pe_plus?EC32(optional_hdr64.FileAlignment):EC32(optional_hdr32.FileAlignment))%0x200)) {
cli_dbgmsg("Bad file alignemnt\n");
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
if(fstat(desc, &sb) == -1) {
@@ -830,7 +830,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN;
}
@@ -899,7 +899,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
*ctx->virname = "Broken.Executable";
free(section_hdr);
free(exe_sections);
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
if (exe_sections[i].rsz) { /* Don't bother with virtual only sections */
@@ -910,7 +910,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN; /* no ninjas to see here! move along! */
}
@@ -929,7 +929,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
free(section_hdr);
free(exe_sections);
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
}
break;
@@ -945,7 +945,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN;
}
@@ -957,7 +957,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
*ctx->virname = "Broken.Executable";
free(section_hdr);
free(exe_sections);
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
min = exe_sections[i].rva;
max = exe_sections[i].rva + exe_sections[i].rsz;
@@ -968,7 +968,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
*ctx->virname = "Broken.Executable";
free(section_hdr);
free(exe_sections);
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
if(exe_sections[i].rva < min)
min = exe_sections[i].rva;
@@ -988,7 +988,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(DETECT_BROKEN) {
if(ctx->virname)
*ctx->virname = "Broken.Executable";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN;
}
@@ -1036,7 +1036,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if((((uint32_t)cli_readint32(pt) ^ (uint32_t)cli_readint32(pt + 4)) == 0x505a4f) && (((uint32_t)cli_readint32(pt + 8) ^ (uint32_t)cli_readint32(pt + 12)) == 0xffffb) && (((uint32_t)cli_readint32(pt + 16) ^ (uint32_t)cli_readint32(pt + 20)) == 0xb8)) {
*ctx->virname = "W32.Parite.B";
free(exe_sections);
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
}
}
@@ -1119,7 +1119,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if (op==kzdsize+0x48 && *kzcode==0x75 && kzlen-(int8_t)kzcode[1]-3<=kzinitlen && kzlen-(int8_t)kzcode[1]>=kzxorlen) {
*ctx->virname = "W32.Kriz";
free(exe_sections);
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
cli_dbgmsg("kriz: loop out of bounds, corrupted sample?\n");
kzstate++;
@@ -1146,7 +1146,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(cli_memstr(buff, 4091, "\xe8\x2c\x61\x00\x00", 5)) {
*ctx->virname = dam ? "W32.Magistr.A.dam" : "W32.Magistr.A";
free(exe_sections);
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
}
@@ -1158,7 +1158,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if(cli_memstr(buff, 4091, "\xe8\x04\x72\x00\x00", 5)) {
*ctx->virname = dam ? "W32.Magistr.B.dam" : "W32.Magistr.B";
free(exe_sections);
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
}
}
@@ -1216,7 +1216,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
*ctx->virname = "W32.Polipos.A";
free(jumps);
free(exe_sections);
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
}
free(jumps);
@@ -1242,7 +1242,7 @@ int cli_scanpe(int desc, cli_ctx *ctx)
if (ret != CL_CLEAN) {
free(exe_sections);
if(ret == CL_VIRUS)
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
return ret;
}
}
diff --git a/libclamav/scanners.c b/libclamav/scanners.c
index df18de6..8288201 100644
--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@@ -209,7 +209,7 @@ static int cli_unrar_scanmetadata(int desc, unrar_metadata_t *metadata, cli_ctx
if(mdata) {
*ctx->virname = mdata->virname;
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
if(DETECT_ENCRYPTED && metadata->encrypted) {
@@ -1316,10 +1316,8 @@ static int cli_scanriff(int desc, cli_ctx *ctx)
int ret = CL_CLEAN;
if(cli_check_riff_exploit(desc) == 2) {
- if(!cli_checkfp(desc, ctx)) {
- ret = CL_VIRUS;
- *ctx->virname = "Exploit.W32.MS05-002";
- }
+ ret = CL_VIRUS;
+ *ctx->virname = "Exploit.W32.MS05-002";
}
return ret;
@@ -1330,10 +1328,8 @@ static int cli_scanjpeg(int desc, cli_ctx *ctx)
int ret = CL_CLEAN;
if(cli_check_jpeg_exploit(desc, ctx) == 1) {
- if(!cli_checkfp(desc, ctx)) {
- ret = CL_VIRUS;
- *ctx->virname = "Exploit.W32.MS04-028";
- }
+ ret = CL_VIRUS;
+ *ctx->virname = "Exploit.W32.MS04-028";
}
return ret;
@@ -1595,13 +1591,13 @@ static int cli_scan_structured(int desc, cli_ctx *ctx)
if(cc_count != 0 && cc_count >= ctx->engine->min_cc_count) {
cli_dbgmsg("cli_scan_structured: %u credit card numbers detected\n", cc_count);
*ctx->virname = "Structured.CreditCardNumber";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
if(ssn_count != 0 && ssn_count >= ctx->engine->min_ssn_count) {
cli_dbgmsg("cli_scan_structured: %u social security numbers detected\n", ssn_count);
*ctx->virname = "Structured.SSN";
- return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+ return CL_VIRUS;
}
return CL_CLEAN;
@@ -1878,8 +1874,10 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
cli_dbgmsg("cli_magic_scandesc: Hit recursion limit, only scanning raw file\n");
else
cli_dbgmsg("Raw mode: No support for special files\n");
- if((ret = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR)) == CL_VIRUS)
+ if((ret = cli_scandesc(desc, ctx, 0, 0, NULL, AC_SCAN_VIR)) == CL_VIRUS) {
cli_dbgmsg("%s found in descriptor %d\n", *ctx->virname, desc);
+ return CL_VIRUS;
+ }
return ret;
}
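Review bot: On the raw-mode and recursion-limit path the added `return CL_VIRUS;` bypasses the fp check entirely. This commit removes `cli_checkfp` from `cli_scandesc` and re-adds it only at the three later return points of cli_magic_scandesc, so a detection made here is no longer compared against the whitelist. If that is not intended, the line should read `return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;`. As written, the new braces and return are also redundant, because the `return ret;` that follows already returns CL_VIRUS. The function body extends beyond this hunk.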
@@ -2097,7 +2095,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
ctx->container_type = current_container;
if(ret == CL_VIRUS)
- return CL_VIRUS;
+ return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
if(type == CL_TYPE_ZIP && SCAN_ARCHIVE && (DCONF_ARCH & ARCH_CONF_ZIP)) {
if(sb.st_size > 1048576) {
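Review bot: When `cli_checkfp` reports a whitelisted file, this return yields CL_CLEAN while `*ctx->virname` still holds the name set by the detecting scanner. The code removed from cli_scanriff, cli_scanjpeg and lhdr assigned the name only after the check had passed, so for those detections the stale name is new behaviour. Whether any caller reads the name independently of the return code is not visible here; either clear it on the whitelisted branch or document the contract with a comment such as `/* *ctx->virname is only meaningful when CL_VIRUS is returned */`. The same applies to the two later `cli_checkfp` returns in this function, after `cli_scanraw` and after `ctx->recursion--`.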
@@ -2109,7 +2107,7 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
/* CL_TYPE_HTML: raw HTML files are not scanned, unless safety measure activated via DCONF */
if(type != CL_TYPE_IGNORED && (type != CL_TYPE_HTML || !(DCONF_DOC & DOC_CONF_HTML_SKIPRAW)) && !ctx->engine->sdb) {
if(cli_scanraw(desc, ctx, type, typercg, &dettype) == CL_VIRUS)
- return CL_VIRUS;
+ return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
}
ctx->recursion++;
@@ -2139,6 +2137,9 @@ int cli_magic_scandesc(int desc, cli_ctx *ctx)
}
ctx->recursion--;
+ if(ret == CL_VIRUS)
+ return cli_checkfp(desc, ctx) ? CL_CLEAN : CL_VIRUS;
+
switch(ret) {
case CL_EFORMAT:
case CL_EMAXREC:
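Review bot: This return checks the descriptor of the current level, so a detection raised while scanning a nested member appears to be re-checked against the hash of each enclosing container as the recursion unwinds. Before this commit the fp check ran where the detection was made and CL_VIRUS propagated upward unchanged. If the nested scans between `ctx->recursion++` and `ctx->recursion--` do re-enter cli_magic_scandesc, a whitelist entry for a container now suppresses every detection inside it, and each level pays for another full-file MD5. That trade-off deserves a comment above the check, for example `/* fp check is against this level's file: whitelisting a container clears detections in its members */`.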
diff --git a/libclamav/special.c b/libclamav/special.c
index 1dbba75..9b7f5de 100644
--- a/libclamav/special.c
+++ b/libclamav/special.c
@@ -77,8 +77,6 @@ int cli_check_mydoom_log(int desc, cli_ctx *ctx)
if (j < 2) {
retval = CL_CLEAN;
} else if (retval==CL_VIRUS) {
- if(cli_checkfp(desc, ctx))
- return CL_CLEAN;
*ctx->virname = "Worm.Mydoom.M.log";
}
diff --git a/libclamav/unzip.c b/libclamav/unzip.c
index 07693e2..47c8cf7 100644
--- a/libclamav/unzip.c
+++ b/libclamav/unzip.c
@@ -355,12 +355,8 @@ static unsigned int lhdr(uint8_t *zip, uint32_t zsize, unsigned int *fu, unsigne
)
) meta = meta->next;
if(meta) {
- if(!cli_checkfp(fd, ctx)) {
- *ctx->virname = meta->virname;
- *ret = CL_VIRUS;
- } else
- *ret = CL_CLEAN;
-
+ *ctx->virname = meta->virname;
+ *ret = CL_VIRUS;
return 0;
}
--
Debian repository for ClamAV