From cd2f2975b93277de7f74464d48adb378375a305f Mon Sep 17 00:00:00 2001
From: Micah Snyder
Date: Mon, 6 Jul 2020 13:03:35 -0700
Subject: [PATCH] Docs: Warn against running untrusted bytecode

Add notices to man pages and help strings cautioning against running bytecode signatures from untrusted sources. Also adds missing BytecodeUnsigned option to clamd.conf.sample files.
---
 clambc/bcrun.c | 2 ++
 clamscan/clamscan.c | 2 ++
 docs/man/clambc.1.in | 30 ++++++++++++++++-----------
 docs/man/clamd.conf.5.in | 2 ++
 docs/man/clamscan.1.in | 2 +-
 etc/clamd.conf.sample | 6 ++++++
 libclamav/clamav.h | 2 +-
 win32/conf_examples/clamd.conf.sample | 6 ++++++
 8 files changed, 38 insertions(+), 14 deletions(-)

diff --git a/clambc/bcrun.c b/clambc/bcrun.c
index 948ef6d83..fe41a9dd0 100644
--- a/clambc/bcrun.c
+++ b/clambc/bcrun.c
@@ -67,6 +67,8 @@ static void help(void)
 printf(" --statistics=bytecode Collect and print bytecode execution statistics\n");
 printf(" file File to test\n");
 printf("\n");
+ printf("**Caution**: You should NEVER run bytecode signatures from untrusted sources.\nDoing so may result in arbitrary code execution.\n");
+ printf("\n");
 return;
 }
diff --git a/clamscan/clamscan.c b/clamscan/clamscan.c
index 5b4267146..dafdcc8e0 100644
--- a/clamscan/clamscan.c
+++ b/clamscan/clamscan.c
@@ -263,6 +263,8 @@ void help(void)
 mprintf("\n");
 mprintf(" --bytecode[=yes(*)/no] Load bytecode from the database\n");
 mprintf(" --bytecode-unsigned[=yes/no(*)] Load unsigned bytecode\n");
+ mprintf(" **Caution**: You should NEVER run bytecode signatures from untrusted sources.\n");
+ mprintf(" Doing so may result in arbitrary code execution.\n");
 mprintf(" --bytecode-timeout=N Set bytecode timeout (in milliseconds)\n");
 mprintf(" --statistics[=none(*)/bytecode/pcre] Collect and print execution statistics\n");
 mprintf(" --detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications\n");
diff --git a/docs/man/clambc.1.in b/docs/man/clambc.1.in
index 49a662bc5..f5e95e95b 100644
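Review bot: The caution is formatted differently in the two C hunks: bcrun.c packs both sentences into a single printf with an embedded `\n` at the left margin, after the whole option list, while clamscan.c prints them as two calls indented beneath the option they qualify. Splitting bcrun.c to match, `printf(" **Caution**: You should NEVER run bytecode signatures from untrusted sources.\n");` and `printf(" Doing so may result in arbitrary code execution.\n");`, keeps the wording and layout identical across the two help screens. In clambc the option this caution most directly qualifies appears to be `--trust-bytecode`, which the clambc.1.in hunk documents as defaulting to yes, so placing the two lines directly under that option's help line would put the warning where the reader makes the decision; that line is outside this hunk, so confirm against the earlier part of help(). The `**…**` markers in both hunks are markdown emphasis that a terminal prints literally, and the surrounding help text is plain prose, so a bare `Caution:` reads cleaner. help() in both files begins before its hunk.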
--- a/docs/man/clambc.1.in
+++ b/docs/man/clambc.1.in
@@ -5,45 +5,51 @@ clambc \- Bytecode Analysis and Testing Tool
 .PP
 clambc [function] [param1 ...]
 .SH DESCRIPTION
+Bytecode signatures are a platform independent executable plugin format that
+extend ClamAV's malware detection capabilities. This tool is provided for
+signature authors and ClamAV developers to test bytecode signatures and bytecode
+runtime performance. **Caution**: You should NEVER run bytecode signatures from
+untrusted sources. Doing so may result in arbitrary code execution.
+.SH "OPTIONS"
 .TP
 \fB\-\-help\fR \fB\-h\fR
-Show help
+Show help.
 .TP
 \fB\-\-version\fR \fB\-V\fR
 Show version
 .TP
 \fB\-\-debug\fR
-Show debug
+Show debug.
 .TP
 \fB\-\-force\-interpreter\fR \fB\-f\fR
-Force using the interpreter instead of the JIT
+Force using the interpreter instead of the JIT.
 .TP
 \fB\-\-trust\-bytecode\fR \fB\-t\fR
-Trust loaded bytecode (default yes)
+Trust loaded bytecode (default yes).
 .TP
 \fB\-\-info\fR \fB\-i\fR
-Print information about bytecode
+Print information about bytecode.
 .TP
 \fB\-\-printsrc\fR \fB\-p\fR
-Print bytecode source
+Print bytecode source.
 .TP
 \fB\-\-printbcir\fR \fB\-c\fR
-Print IR of bytecode signature
+Print IR of bytecode signature.
 .TP
 \fB\-\-input\fR \fB\-r\fR
-Input file to run the bytecode on
+Input file to run the bytecode on.
 .TP
 \fB\-\-trace\fR \fB\-T\fR
-Set bytecode trace level 0..7 (default 7)
+Set bytecode trace level 0..7 (default 7).
 .TP
 \fB\-\-no\-trace\-showsource\fR
-Don't show source line during tracing
+Don't show source line during tracing.
 .TP
 \fB\-\-statistics=bytecode\fR
-Collect and print bytecode execution statistics
+Collect and print bytecode execution statistics.
 .TP
 file
-file to test
+File to test.
 .SH "CREDITS"
 Please check the full documentation for credits.
 .SH "AUTHOR"
diff --git a/docs/man/clamd.conf.5.in b/docs/man/clamd.conf.5.in
index 8ed978c5f..23755681a 100644
--- a/docs/man/clamd.conf.5.in
+++ b/docs/man/clamd.conf.5.in
@@ -307,6 +307,8 @@ Default: 5000
 .TP
 \fBBytecodeUnsigned BOOL\fR
 Allow loading bytecode from outside digitally signed .c[lv]d files.
+**Caution**: You should NEVER run bytecode signatures from untrusted sources.
+Doing so may result in arbitrary code execution.
 .br
 Default: no
 .TP
diff --git a/docs/man/clamscan.1.in b/docs/man/clamscan.1.in
index 3b68266c1..71d5aa565 100644
--- a/docs/man/clamscan.1.in
+++ b/docs/man/clamscan.1.in
@@ -100,7 +100,7 @@ Only scan file/directory matching regular expression. These options can be used
 With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option turned on, otherwise you may miss detections for many new viruses.
 .TP
 \fB\-\-bytecode\-unsigned[=yes/no(*)]\fR
-Allow loading bytecode from outside digitally signed .c[lv]d files.
+Allow loading bytecode from outside digitally signed .c[lv]d files. **Caution**: You should NEVER run bytecode signatures from untrusted sources. Doing so may result in arbitrary code execution.
 .TP
 \fB\-\-bytecode\-timeout=N\fR
 Set bytecode timeout in milliseconds (default: 5000 = 5s)
diff --git a/etc/clamd.conf.sample b/etc/clamd.conf.sample
index b96e7a368..85f9a9bf1 100644
--- a/etc/clamd.conf.sample
+++ b/etc/clamd.conf.sample
@@ -769,6 +769,12 @@ Example
 # Default: TrustSigned
 #BytecodeSecurity TrustSigned

+# Allow loading bytecode from outside digitally signed .c[lv]d files.
+# **Caution**: You should NEVER run bytecode signatures from untrusted sources.
+# Doing so may result in arbitrary code execution.
+# Default: no
+#BytecodeUnsigned yes
+
 # Set bytecode timeout in milliseconds.
 #
 # Default: 5000
diff --git a/libclamav/clamav.h b/libclamav/clamav.h
index 1955ec301..47ce00414 100644
--- a/libclamav/clamav.h
+++ b/libclamav/clamav.h
@@ -140,7 +140,7 @@ typedef enum cl_error_t {
 #define CL_DB_OFFICIAL_ONLY 0x1000
 #define CL_DB_BYTECODE 0x2000
 #define CL_DB_SIGNED 0x4000 /* internal */
-#define CL_DB_BYTECODE_UNSIGNED 0x8000
+#define CL_DB_BYTECODE_UNSIGNED 0x8000 /* Caution: You should never run bytecode signatures from untrusted sources. Doing so may result in arbitrary code execution. */
 #define CL_DB_UNSIGNED 0x10000 /* internal */
 #define CL_DB_BYTECODE_STATS 0x20000
 #define CL_DB_ENHANCED 0x40000
diff --git a/win32/conf_examples/clamd.conf.sample b/win32/conf_examples/clamd.conf.sample
index de0c082a9..564ac64d4 100644
--- a/win32/conf_examples/clamd.conf.sample
+++ b/win32/conf_examples/clamd.conf.sample
@@ -637,6 +637,12 @@ TCPAddr 127.0.0.1
 # Default: TrustSigned
 #BytecodeSecurity TrustSigned

+# Allow loading bytecode from outside digitally signed .c[lv]d files.
+# **Caution**: You should NEVER run bytecode signatures from untrusted sources.
+# Doing so may result in arbitrary code execution.
+# Default: no
+#BytecodeUnsigned yes
+
 # Set bytecode timeout in milliseconds.
 #
 # Default: 5000
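Review bot: The caution on `CL_DB_BYTECODE_UNSIGNED` is a roughly 150-character trailing comment on the `#define`, where the neighbouring flags carry only short `/* internal */` tags, so it runs off the screen and is easy to miss when the flag list is scanned. A block comment above the define reads better and stays within the column width: `/* Allow loading bytecode from outside digitally signed .c[lv]d files.` / ` * Caution: never run bytecode signatures from untrusted sources; doing so may result in arbitrary code execution. */`, followed by the unchanged `#define CL_DB_BYTECODE_UNSIGNED 0x8000`. The first sentence borrows the wording this same commit adds to clamd.conf.sample, so the flag, the option and the man page all describe the same behaviour. If the header is run through a documentation generator, the block-comment form is also the one most likely to be picked up; the header's comment conventions are not visible from this hunk.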