Commit graph

79 commits

Author SHA1 Message Date
Valerie Snyder
27fe03c751
Fix OpenSSL 1 compatibility issue, plus minor improvements
For OpenSSL 1, `EVP_get_digestbyname()` will fail with "sha2-*" algorithm names.
Must use "sha256", etc.

I made a shim that does the conversion, and I made an improvement to ignore case
when converting alg names to our hash type enumeration.

Other fixes for a few warnings.
2025-08-18 12:27:10 -04:00
Valerie Snyder
e64590d8b5
libclamav: Add 'ex'-scan functions to API w. hash and type in/out parameters
Add `cl_scanfile_ex()`, `cl_scanmap_ex()`, and `cl_scandesc_ex()`
functions that provide the following additional parameters:

hash_hint       (Optional) A NULL terminated string of the file hash so that
                libclamav does not need to calculate it.

[out] hash_out  (Optional) A NULL terminated string of the file hash.
                The caller is responsible for freeing the string.

hash_alg        The hashing algorithm used for either `hash_hint` or `hash_out`.
                Supported algorithms are "md5", "sha1", "sha2-256".
                If not specified, the default is "sha2-256".

file_type_hint  (Optional) A NULL terminated string of the file type hint.
                E.g. "pe", "elf", "zip", etc.
                You may also use ClamAV type names such as "CL_TYPE_PE".
                ClamAV will ignore the hint if it is not familiar with the specified type.
                See also: https://docs.clamav.net/appendix/FileTypes.html#file-types

file_type_out   (Optional) A NULL terminated string of the file type
                of the top layer as determined by ClamAV.
                Will take the form of the standard ClamAV file type format. E.g. "CL_TYPE_PE".
                See also: https://docs.clamav.net/appendix/FileTypes.html#file-types

CLAM-2626
2025-08-14 22:39:12 -04:00
Val S.
17d0665580
ZIP: Fix NULL-dereference for OOXML scans (#1552)
I accidentally introduced a NULL-dereference bug when scanning any OOXML
file in https://github.com/Cisco-Talos/clamav/pull/1548

I overlooked the test failure out of haste. 😔

The NULL-dereference happens because the `unzip_search()` feature
allowed searching some other file than the one that is currently being
scanned, which you would do by setting `ctx` to NULL and setting an
`fmap` parameter instead.
In practice, the current layer's `fmap` from the `ctx` was always passed in.

This fix makes it so the `unzip_search()` and related functions only
take the `ctx` parameter and do not have an `fmap` or `fsize` field
(Note: the `fsize` was never needed, because `fmap->len` takes care of that).

CLAM-2837
2025-08-14 21:17:46 -04:00
Val Snyder
8a77214c82
Add CL_TYPE_AI_MODEL and associated file type magic signatures
This is just preliminary support for identifying an assortment of
different AI model files.

So far, this detects the following types:
- GGML GGUF (.gguf)
- ONNX AI (.onnx)
- TensorFlow Lite (.tflite)

Additional types to consider:
- SafeTensors (.safetensors)
- TensorFlow (.pb, .ckpt, .tfrecords)
- Keras (.keras)
- pickle (.pkl)
- numpy (.npy, .npz)
- coreml (.coreml)
- PyTorch (.pt, .pth, .bin, .mar, .pte, .pt2, .ptl)

Outside of being able to differentiate by file type, the scanner
will treat CL_TYPE_AI_MODEL the same as CL_TYPE_BINARY_DATA.
We're not adding parsers to further process these files, for now.
2025-03-27 14:30:40 -04:00
Val Snyder
7ff29b8c37
Bump copyright dates for 2025 2025-02-14 10:24:30 -05:00
Andy Ragusa
79f2a5f2f6 Add parser for ALZ archives 2024-04-15 10:03:02 -07:00
Micah Snyder
3ae9c1e434 Add LHA/LZH archive support
File type magic signatures chosen based on the extensions supported
by Rust delharc crate.

See: https://docs.rs/delharc/latest/delharc/
2024-04-09 10:35:22 -04:00
Micah Snyder
9cb28e51e6 Bump copyright dates for 2024 2024-01-22 11:27:17 -05:00
Micah Snyder
fd11f1b468 Add CL_TYPE_PYTHON_COMPILED and associated file type magic signatures
It may be necessary to differentiate between *.pyc and other binary
types in case additional processing is needed.

Outside of being able to differentiate by file type, the scanner
will treat CL_TYPE_PYTHON_COMPILED the same as CL_TYPE_BINARY_DATA.
That is - we're not adding a parser at this time to further break down
.pyc files.
2023-12-14 12:18:08 -05:00
Micah Snyder
3b2f8c044a Support for extracting attachments from OneNote section files
Includes rudimentary support for getting slices from FMaps and for
interacting with libclamav's context structure.

For now will use a Cisco-Talos org fork of the onenote_parser
until the feature to read open a onenote section from a slice (instead
of from a filepath) is added to the upstream.
2023-12-11 15:18:41 -05:00
Andy Ragusa
b4f0836236 Add support for UDF files
Add support specifically for Beginning Extended Area Descriptor
(BEA01) type of UDF files.
2023-08-03 01:22:35 -07:00
Micah Snyder
6eebecc303 Bump copyright for 2023 2023-02-12 11:20:22 -08:00
micasnyd
140c88aa4e Bump copyright for 2022
Includes minor format corrections.
2022-01-09 14:23:25 -07:00
Micah Snyder (micasnyd)
b9ca6ea103 Update copyright dates for 2021
Also fixes up clang-format.
2021-03-19 15:12:26 -07:00
Micah Snyder
4cce1fcd20 GIF, PNG bugfixes; Add AlertBrokenMedia option
Added a new scan option to alert on broken media (graphics) file
formats. This feature mitigates the risk of malformed media files
intended to exploit vulnerabilities in other software. At present
media validation exists for JPEG, TIFF, PNG, and GIF files.

To enable this feature, set `AlertBrokenMedia yes` in clamd.conf, or
use the `--alert-broken-media` option when using `clamscan`.
These options are disabled by default for now.

Application developers may enable this scan option by enabling
`CL_SCAN_HEURISTIC_BROKEN_MEDIA` for the `heuristic` scan option bit
field.

Fixed PNG parser logic bugs that caused an excess of parsing errors
and fixed a stack exhaustion issue affecting some systems when
scanning PNG files. PNG file type detection was disabled via
signature database update for 0.103.0 to mitigate effects from these
bugs.

Fixed an issue where PNG and GIF files no longer work with Target:5
(graphics) signatures if detected as CL_TYPE_PNG/GIF rather than as
CL_TYPE_GRAPHICS. Target types now support up to 10 possible file
types to make way for additional graphics types in future releases.

Scanning JPEG, TIFF, PNG, and GIF files will no longer return "parse"
errors when file format validation fails. Instead, the scan will alert
with the "Heuristics.Broken.Media" signature prefix and a descriptive
suffix to indicate the issue, provided that the "alert broken media"
feature is enabled.

GIF format validation will no longer fail if the GIF image is missing
the trailer byte, as this appears to be a relatively common issue in
otherwise functional GIF files.

Added a TIFF dynamic configuration (DCONF) option, which was missing.
This will allow us to disable TIFF format validation via signature
database update in the event that it proves to be problematic.
This feature already exists for many other file types.

Added CL_TYPE_JPEG and CL_TYPE_TIFF types.
2021-01-28 12:54:47 -08:00
Micah Snyder
9b9999d778 Rename core scanning functions
Many of the core scanning functions' names no longer represent their
specific purpose or arguments. This commit aims to make the names more
intuitive. Names are now prefixed with "magic" if they involve
file-typing and file-type parsing. In addition, each function now
includes the type of input being scanned whether it's "desc", "fmap", or
"buff". Some of the APIs also now specify "type" to indicate that a type
other than "ANY" may be passed in to select the type rather than use
file type magic for type recognition.

| current name              | new name                          |
| ------------------------- | --------------------------------- |
| magic_scandesc()          | cli_magic_scan()                  |
| cli_magic_scandesc_type() | <delete>                          |
| cli_magic_scandesc()      | cli_magic_scan_desc()             |
| cli_base_scandesc()       | cli_magic_scan_desc_type()        |
| cli_partition_scandesc()  | <delete>                          |
| cli_map_scandesc()        | magic_scan_nested_fmap_type()     |
| cli_map_scan()            | cli_magic_scan_nested_fmap_type() |
| cli_mem_scandesc()        | cli_magic_scan_buff()             |
| cli_scanbuff()            | cli_scan_buff()                   |
| cli_scandesc()            | cli_scan_desc()                   |
| cli_fmap_scandesc()       | cli_scan_fmap()                   |
| cli_scanfile()            | cli_magic_scan_file()             |
| cli_scandir()             | cli_magic_scan_dir()              |
| cli_filetype2()           | cli_determine_fmap_type()         |
| cli_filetype()            | cli_compare_ftm_file()            |
| cli_partitiontype()       | cli_compare_ftm_partition()       |
| cli_scanraw()             | scanraw()                         |
2020-06-03 11:00:40 -04:00
Aldo Mazzeo
f366b7c703 Transforming the PNG checker into a PNG exploit seeker 2020-05-08 13:24:25 -04:00
Aldo Mazzeo
153a87a74b Making the GIF parser more tolerant and supporting GIF overlays 2020-04-23 10:48:07 -07:00
Micah Snyder
206dbaefe8 Update copyright dates for 2020 2020-01-03 15:44:07 -05:00
Micah Snyder
5f4f69102d Correcting types from int to cl_error_t where appropriate. Eliminating unused variables and referencing unused parameters to remove warnings. 2019-10-02 16:08:25 -04:00
Micah Snyder
0450e68551 Added new EGG archive extraction feature, written from scratch based on ESTsoft's EGG archive specification.
EGG extraction support includes deflate, bzip2, and lzma decompression. AZO (LZO?) decompression not yet supported. Solid archives not yet supported. Split archives may have some limited success.

This commit also includes updates to autoconf iconv.m4 file to enable detection of libiconv in alternative install locations.
2019-10-02 16:08:25 -04:00
Micah Snyder
52cddcbcfd Updating and cleaning up copyright notices. 2019-10-02 16:08:18 -04:00
Micah Snyder
b3e82e5e61 Replacing libclamav/cltypes.h with clamav-types.h.in, which generates a header clamav-types.h that we install alongside clamav.h. 2019-10-02 16:08:17 -04:00
Micah Snyder
72fd33c8b2 clang-format'd using new .clang-format rules. 2019-10-02 16:08:16 -04:00
Micah Snyder (micasnyd)
56bb195e07 bb12102: adding CL_TYPE_LNK for Windows Shortcut Files. 2018-12-02 23:07:01 -05:00
Steven Morgan
aedd18ac32 bb11586 - change CL_TYPE_EPS to CL_TYPE_PS. 2016-06-28 17:39:06 -04:00
Steven Morgan
e98acd72db bb11586 - add file type CL_TYPE_EPS for raw scan matching of PostScript files. 2016-06-28 11:37:31 -04:00
Kevin Lin
ef48d7cbeb MHTML: added filetype and switch case 2016-05-26 17:05:35 -04:00
Kevin Lin
c6f7be5536 ooxml_hwp: add support for filetyping and preclassification 2015-12-17 16:18:17 -05:00
Kevin Lin
6cd5a9dc4e hwpole2: new filetype and handler for hwp embedded ole2 files 2015-12-17 16:18:17 -05:00
Kevin Lin
904fe15510 add HMPML filetype, tab fixes in filetype.c 2015-12-16 16:16:01 -05:00
Kevin Lin
146fbb29ad add HWP 3.x internal filetypes 2015-12-09 10:41:52 -05:00
Mickey Sola
46a35abe56 mass update of copyright headers 2015-09-17 13:41:26 -04:00
Kevin Lin
e7b3198df2 bb#9858 - added target 14 for binary (unidentified) files 2015-07-23 16:37:15 -04:00
Kevin Lin
4cdcd47de8 added enums for Word 2003 XML and Excel 2003 XML files 2015-03-10 14:01:35 -04:00
Shawn Webb
30a7509744 Add proof-of-concept XDP support.
This feature requires libxml2 support. This commit bumps FLEVEL and
introduces a new filetype based on the expected XML namespace for XDP
files.
2014-07-31 19:11:22 -04:00
Shawn Webb
221825fd59 Update copyright information. 2014-04-30 15:42:11 -04:00
Steven Morgan
de46d3e356 Add new target type for json properties file and scanning of the same. 2014-04-29 17:15:07 -04:00
Kevin Lin
2612de2916 mbr: lowered magic otf scanning priority
scanners: removed redundant call to scan function
pe_icons: collected 'broken image' dbgmsgs into single dbgmsg
2014-03-24 18:45:48 -04:00
Kevin Lin
6c2feae2be libclamav: linked MBR and APM parsing
filetypes: handled file misclassification as mbr
2014-02-06 19:01:44 -05:00
Kevin Lin
fce85dd750 libclamav: added GPT parsing for raw DMGs 2014-01-24 14:25:47 -05:00
Steve Morgan
70ef8414df Add file type recognition for Office Open XML. 2013-10-17 16:54:21 -04:00
Steve Morgan
43d7f6f64d XZ file type support 2013-10-08 17:17:44 -04:00
David Raynor
2d69fdbb2f libclamav: partition magic buffer size tweak to match magic 2013-09-23 03:19:07 -04:00
David Raynor
1d1c4b154f bb #1570: partition typing and HFS+ 2013-09-17 16:45:48 -04:00
David Raynor
ca019d6d94 libclamav: stub work for DMG (bb #1570) and XAR (bb #3801) formats 2013-08-27 13:44:11 -04:00
David Raynor
703a9258ea bb #6702: Add Java class type and target 2013-02-07 14:08:03 -05:00
Török Edvin
569bdeebe8 Merge branch 'fmapify'
* fmapify: (54 commits)
  workaround for unrar not supporting fmap.
  stfu on large lzma allocs
  handle 7z encryption detection albeit post extraction and blockencrypted
  add 7z SFX support - bb#3063
  fix makefile for external LLVM 2.9
  fix wrong interaction between prescan_cb caching and postscan_cb
  bytecode_watchdog: fix use of unaddressable data
  UPgrade lzma SDK to version 9.20 Also fmapify
  export cl_fmap_close
  cli_map_scandesc convenience API
  Introduce cli_map_scandesc to scan a portion of the existing file
  fix utf16_to_utf8, and add testcase
  cli_utf16_to_utf8
  fmapify jpeg_exploit
  fmaify cli_scan_riff
  fmapify mydoom
  export filetype cb
  factor out common code
  fix mem API of new fmap
  unit tests for new fmap scan API
  ...

Conflicts:
	libclamav/Makefile.in
	libclamav/c++/Makefile.am
	libclamav/c++/Makefile.in
	libclamav/filetypes_int.h
	libclamav/scanners.c
	libclamav/str.c
	unit_tests/check_clamav.c
2012-01-04 15:52:33 +02:00
aCaB
583cd65fc4 Add support for scanning different types of iso9660 image files.
The allowed sector size is within 2048 to 2448 (2352 raw + 96 sub).
Right now the only file system supported is plain iso9660 with
optional Joliet extensions.
Additionally files with multi extents and interleaved files are not
supported.

Finally, due to the multiple possible ways to interpret the content
of a cd/dvd, I cannot guarantee that we scan the "right" files.
2011-11-14 21:46:47 +01:00
aCaB
9a47aa20e6 add 7z SFX support - bb#3063 2011-11-01 12:27:46 +01:00