[Pkg-clamav-commits] [SCM] Debian repository for ClamAV branch, debian/unstable, updated. debian/0.95+dfsg-1-6156-g094ec9b
Török Edvin
edwin at clamav.net
Sun Apr 4 01:22:26 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit 606fd6d0f1cd839223732f79eeca4e7c97190042
Author: Török Edvin <edwin at clamav.net>
Date: Wed Mar 10 14:30:31 2010 +0200
Allow "None" bytecode security setting only in --enable-debug mode.
diff --git a/clambc/bcrun.c b/clambc/bcrun.c
index 6bb734d..86e9358 100644
--- a/clambc/bcrun.c
+++ b/clambc/bcrun.c
@@ -237,7 +237,7 @@ int main(int argc, char *argv[])
bcs.all_bcs = bc;
bcs.count = 1;
- rc = cli_bytecode_load(bc, f, NULL, 0);
+ rc = cli_bytecode_load(bc, f, NULL, optget(opts, "trust-bytecode")->enabled);
if (rc != CL_SUCCESS) {
fprintf(stderr,"Unable to load bytecode: %s\n", cl_strerror(rc));
optfree(opts);
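Review bot: The trust flag on the new `cli_bytecode_load(bc, f, NULL, optget(opts, "trust-bytecode")->enabled)` line comes straight from a command-line option that defaults to enabled in shared/optparser.c, so clambc still loads bytecode as trusted in non-debug builds. The engine setter in libclamav/others.c, by contrast, now refuses CL_BYTECODE_TRUST_ALL unless CL_DEBUG is defined. If the asymmetry is intentional because clambc is a developer tool, say so next to the call, e.g. `/* clambc is a debugging tool: trust is user-controlled here, unlike the CL_DEBUG-gated engine setting */`. Otherwise, force the argument to 0 under `#ifndef CL_DEBUG`. main() starts and ends outside this hunk.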
@@ -251,7 +251,6 @@ int main(int argc, char *argv[])
} else if (optget(opts, "printsrc")->enabled) {
print_src(opts->filename[0]);
} else {
- bc->trusted = 1;
rc = cli_bytecode_prepare(&bcs, BYTECODE_ENGINE_MASK);
if (rc != CL_SUCCESS) {
fprintf(stderr,"Unable to prepare bytecode: %s\n", cl_strerror(rc));
diff --git a/clamd/clamd.c b/clamd/clamd.c
index 07fb9fe..9b87e3d 100644
--- a/clamd/clamd.c
+++ b/clamd/clamd.c
@@ -422,7 +422,11 @@ int main(int argc, char **argv)
ret = 1;
break;
}
- cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, s);
+ if ((ret = cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, s))) {
+ logg("Invalid bytecode security setting %s: %s\n", opt->strarg, cl_strerror(ret));
+ ret = 1;
+ break;
+ }
}
if(optget(opts,"PhishingScanURLs")->enabled)
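Review bot: The new `logg("Invalid bytecode security setting %s: %s\n", ...)` call has no severity prefix, even though this path aborts clamd startup via `ret = 1; break;`. logg() treats a leading `!` as the error marker, so the message would be easier to find in the log as `logg("!Invalid bytecode security setting %s: %s\n", opt->strarg, cl_strerror(ret));`. The surrounding option-handling block starts outside the hunk, so whether `opt->strarg` is always non-NULL here cannot be confirmed from these lines.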
diff --git a/etc/clamd.conf b/etc/clamd.conf
index ccff749..e996d1a 100644
--- a/etc/clamd.conf
+++ b/etc/clamd.conf
@@ -454,6 +454,7 @@ Example
# Set bytecode security level.
# Possible values:
# None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS
+# This value is only available if clamav was built with --enable-debug!
# TrustSigned - trust bytecode loaded from signed .c[lv]d files,
# insert runtime safety checks for bytecode loaded from other sources
# Paranoid - don't trust any bytecode, insert runtime checks for all
diff --git a/libclamav/bytecode.c b/libclamav/bytecode.c
index 6ff8cb9..2b8ab09 100644
--- a/libclamav/bytecode.c
+++ b/libclamav/bytecode.c
@@ -1237,6 +1237,7 @@ int cli_bytecode_load(struct cli_bc *bc, FILE *f, struct cli_dbio *dbio, int tru
int rc, end=0;
memset(bc, 0, sizeof(*bc));
+ cli_dbgmsg("Loading %s bytecode\n", trust ? "trusted" : "untrusted");
bc->trusted = trust;
if (!f && !dbio) {
cli_errmsg("Unable to load bytecode (null file)\n");
diff --git a/libclamav/others.c b/libclamav/others.c
index c955129..ec8fad5 100644
--- a/libclamav/others.c
+++ b/libclamav/others.c
@@ -382,6 +382,12 @@ int cl_engine_set_num(struct cl_engine *engine, enum cl_engine_field field, long
engine->keeptmp = num;
break;
case CL_ENGINE_BYTECODE_SECURITY:
+#ifndef CL_DEBUG
+ if (num == CL_BYTECODE_TRUST_ALL) {
+ cli_errmsg("cl_engine_set_num: CL_BYTECODE_TRUST_ALL is only supported when ClamAV is built in debug mode\n");
+ return CL_EARG;
+ }
+#endif
engine->bytecode_security = num;
break;
default:
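Review bot: The `#ifndef CL_DEBUG` check guards only this setter, so any other code that assigns `engine->bytecode_security` directly would still accept CL_BYTECODE_TRUST_ALL in a release build. Engine initialisation or a settings copy could be such paths, but neither is visible in this hunk. It is worth confirming that cl_engine_set_num is the only write path, or re-checking the value where it is consumed. A one-line comment above the guard would record the intent: `/* TRUST_ALL means no bytecode security at all (debugging only); refuse it in non-debug builds */`. The switch in cl_engine_set_num continues outside the hunk.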
diff --git a/shared/optparser.c b/shared/optparser.c
index e971c85..c2e41e4 100644
--- a/shared/optparser.c
+++ b/shared/optparser.c
@@ -121,6 +121,7 @@ const struct clam_option __clam_options[] = {
{ NULL, "generate-config", 'g', TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMCONF, "", "" },
{ NULL, "force-interpreter", 'f', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMBC, "Force using the interpreter instead of the JIT", "" },
+ { NULL, "trust-bytecode", 't', TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMBC, "Trust loaded bytecode (default yes)"},
{ NULL, "info", 'i', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMBC, "Load and print bytecode information without executing", ""},
{ NULL, "printsrc", 'p', TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMBC, "Print source code of bytecode", ""},
{ NULL, "input", 'i', TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMBC, "Input file to run the bytecode n", ""},
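Review bot: The added `trust-bytecode` initializer stops after the description string and omits the trailing `""` member that every neighbouring entry supplies, so that member is implicitly NULL instead of an empty string. Any code that walks `__clam_options` and reads that member without a NULL check (not visible here) would treat this entry differently from the rest. Close the entry as `"Trust loaded bytecode (default yes)", "" },` to match the others. The table itself starts and ends outside the hunk.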
--
Debian repository for ClamAV