Stowage/clamav
2
0
Fork 0
mirror of https://github.com/Cisco-Talos/clamav.git synced 2025-10-19 10:23:17 +00:00
Code Issues Projects Releases Packages Wiki Activity

Compare commits

base: Stowage:e98b0075e6cb5f7a40e6f19f220b5a55ce733eec
Branches Tags
Stowage:main
Stowage:dev/1.5.1
Stowage:dev/1.5.2
Stowage:rel/1.5
Stowage:dev/1.4.4
Stowage:rel/1.4
Stowage:rel/1.0
Stowage:rel/1.3
Stowage:rel/0.103
Stowage:CLAM-2277-ExtractImagesFromOle2
Stowage:rel/1.2
Stowage:feature/integrate-clamav-sys
Stowage:CLAM-2787-pdf-rendering-pdfium
Stowage:rel/1.1
Stowage:rel/0.105
Stowage:rel/0.104
Stowage:rel/0.102
Stowage:rel/0.101
Stowage:rel/0.100
Stowage:rel/0.99
Stowage:0.99.3
Stowage:0.99.2
Stowage:0.99.1
Stowage:0.99
Stowage:0.98
Stowage:0.98.7
Stowage:0.98.6
Stowage:0.98.5
Stowage:0.98.4
Stowage:0.98.3
Stowage:0.98.2
Stowage:0.98.1
Stowage:0.97
Stowage:0.96
Stowage:0.95
Stowage:clamav-1.5.1
Stowage:clamav-1.5.0
Stowage:clamav-1.5.0-rc
Stowage:clamav-1.4.3
Stowage:clamav-1.0.9
Stowage:clamav-1.5.0-beta
Stowage:clamav-1.4.2
Stowage:clamav-1.0.8
Stowage:clamav-1.4.1
Stowage:clamav-1.3.2
Stowage:clamav-1.0.7
Stowage:clamav-0.103.12
Stowage:clamav-1.4.0
Stowage:clamav-1.4.0-rc
Stowage:clamav-1.0.6
Stowage:clamav-1.2.3
Stowage:clamav-1.3.1
Stowage:clamav-1.0.5
Stowage:clamav-1.2.2
Stowage:clamav-1.3.0
Stowage:clamav-1.3.0-rc2
Stowage:clamav-1.3.0-rc
Stowage:clamav-1.2.1
Stowage:clamav-1.1.3
Stowage:clamav-1.0.4
Stowage:clamav-0.103.11
Stowage:clamav-1.2.0
Stowage:clamav-1.1.2
Stowage:clamav-1.0.3
Stowage:clamav-0.103.10
Stowage:clamav-1.1.1
Stowage:clamav-1.0.2
Stowage:clamav-0.103.9
Stowage:clamav-1.2.0-rc
Stowage:clamav-1.1.0
Stowage:clamav-1.1.0-rc
Stowage:clamav-0.103.8
Stowage:clamav-0.105.2
Stowage:clamav-1.0.1
Stowage:clamav-1.0.0
Stowage:clamav-1.0.0-rc2
Stowage:clamav-1.0.0-rc
Stowage:clamav-0.103.7
Stowage:clamav-0.104.4
Stowage:clamav-0.105.1
Stowage:clamav-0.104.3
Stowage:clamav-0.105.0
Stowage:clamav-0.103.6
Stowage:clamav-0.105.0-rc2
Stowage:clamav-0.105.0-rc
Stowage:clamav-0.104.2
Stowage:clamav-0.103.5
Stowage:clamav-0.103.4
Stowage:clamav-0.104.1
Stowage:clamav-0.104.0
Stowage:clamav-0.104.0-rc2
Stowage:clamav-0.103.3
Stowage:clamav-0.103.2
Stowage:clamav-0.103.1
Stowage:clamav-0.103.0
Stowage:clamav-0.103.0-rc2
Stowage:clamav-0.103.0-rc
Stowage:clamav-0.102.4
Stowage:clamav-0.102.3
Stowage:clamav-0.102.2
Stowage:clamav-0.101.5
Stowage:clamav-0.102.1
Stowage:clamav-0.102.0
Stowage:clamav-0.102.0-rc
Stowage:clamav-0.101.4
Stowage:clamav-0.102.0-beta
Stowage:clamav-0.101.3
Stowage:clamav-0.101.2
Stowage:clamav-0.100.3
Stowage:clamav-0.101.1
Stowage:clamav-0.101.0
Stowage:clamav-0.101.0-rc
Stowage:clamav-0.101.0-beta
Stowage:clamav-0.100.2
Stowage:clamav-0.100.1
Stowage:clamav-0.100.0
Stowage:clamav-0.100.0-rc
Stowage:clamav-0.99.4
Stowage:clamav-0.100-beta
Stowage:clamav-0.99.3
Stowage:clamav-0.99.3-beta2
Stowage:clamav-0.99.3-beta1
Stowage:clamav-0.99.2
Stowage:clamav-0.99.1
Stowage:clamav-0.99.1-beta1
Stowage:clamav-0.99
Stowage:clamav-0.99-rc2
Stowage:clamav-0.99-rc1
Stowage:clamav-0.99-beta2
Stowage:clamav-0.99-beta1
Stowage:clamav-0.98.7
Stowage:clamav-0.98.6
Stowage:clamav-0.98.5
Stowage:clamav-0.98.5-rc2
Stowage:clamav-0.98.5-rc1
Stowage:clamav-0.98.5beta
Stowage:clamav-0.98.4
Stowage:clamav-0.98.4-rc1
Stowage:clamav-0.98.3
Stowage:clamav-0.98.2
Stowage:clamav-0.98.1
Stowage:clamav-0.98.1rc
Stowage:clamav-0.98-dmgxar
Stowage:clamav-0.98
Stowage:clamav-0.98rc2
Stowage:clamav-0.98rc
Stowage:clamav-0.97.8
Stowage:clamav-0.97.7
Stowage:clamav-0.97.6
Stowage:clamav-0.97.5
Stowage:clamav-0.97.4
Stowage:clamav-0.97.3
Stowage:clamav-0.97.2
Stowage:clamav-0.97.1
Stowage:clamav-0.97
Stowage:clamav-0.97rc
Stowage:clamav-0.96.5
Stowage:clamav-0.96.4
Stowage:clamav-0.96.3
Stowage:clamav-0.96.2
Stowage:clamav-0.96.1
Stowage:clamav-0.96
Stowage:clamav-0.96rc2
Stowage:clamav-0.96rc1
Stowage:clamav-0.95.3
Stowage:merge-llvm-79908
Stowage:r5076
Stowage:clamav-0.95.2
Stowage:clamav-0.95.1
Stowage:clamav-0.95
Stowage:clamav-0.95rc2
Stowage:clamav-0.95rc1
Stowage:clamav-0.94.2
Stowage:clamav-0.94.1
Stowage:0.94.1rc1
Stowage:clamav-0.94.1rc1
Stowage:clamav-0.94
Stowage:clamav-0.94rc1
Stowage:0.93.3
Stowage:clamav-0.93.1rc1
Stowage:clamav-0.93
Stowage:clamav-20080204
Stowage:clamav-0.92
Stowage:clamav-0.92_sf
Stowage:clamav-0.92rc2
Stowage:clamav-0.92rc1
Stowage:clamav-0.91
Stowage:clamav-0.91rc2
Stowage:clamav-0.90.1
Stowage:clamav-0.88.1
Stowage:clamav-0.88.7
Stowage:clamav-0.88.6
Stowage:clamav-0.88.5
Stowage:clamav-0.88.4
Stowage:clamav-0.88.3
Stowage:clamav-0.88.2
Stowage:clamav-0.88
Stowage:clamav-0.87.1
Stowage:clamav-0.87
Stowage:clamav-0.86.2
Stowage:clamav-0.86.1
Stowage:clamav-0.86
Stowage:clamav-0.86rc1
Stowage:clamav-0.85.1
Stowage:clamav-0.85
Stowage:clamav-0.84
Stowage:clamav-0.84rc2
Stowage:clamav-0.83
Stowage:clamav-0.82
Stowage:clamav-0.75.1
Stowage:clamav-0.75
Stowage:clamav-0.74
Stowage:clamav-0.73
Stowage:clamav-0.72
Stowage:clamav-0.90
Stowage:clamav-0.90rc3
Stowage:clamav-0.90rc2
Stowage:clamav-0.90rc1
Stowage:clamav-0.84rc1
Stowage:clamav-0.81
Stowage:clamav-0.80rc4
Stowage:clamav-0.80rc3
Stowage:clamav-0.80rc1
Stowage:clamav-0.80rc
Stowage:clamav-0.80
Stowage:clamav-0.71
Stowage:clamav-0.70
Stowage:clamav-0.90@2749
Stowage:clamav-0.90rc3@2754
Stowage:clamav-0.90rc3@2666
Stowage:CLAMAV_090RC3
Stowage:clamav-0.90rc2@2754
Stowage:clamav-0.90rc2@2468
Stowage:CLAMAV_090RC2
Stowage:clamav-0.90rc1@2754
Stowage:clamav-0.90rc1@2403
Stowage:CLAMAV_090RC1
Stowage:clamav-0.84rc1@2754
Stowage:clamav-0.84rc1@1466
Stowage:CLAMAV_0_84RC1
Stowage:clamav-0.81@2754
Stowage:clamav-0.81@1286
Stowage:CLAMAV_0_81
Stowage:clamav-0.80rc1@2754
Stowage:clamav-0.80rc1@1265
Stowage:CLAMAV_0_80RC1
Stowage:clamav-0.80@2754
Stowage:clamav-0.80@1021
Stowage:CLAMAV_0_80
Stowage:clamav-0.80rc4@988
Stowage:clamav-0.80rc4@2754
Stowage:CLAMAV_0_80RC4
Stowage:clamav-0.80rc3@939
Stowage:clamav-0.80rc3@2754
Stowage:CLAMAV_0_80RC3
Stowage:clamav-0.80rc@909
Stowage:clamav-0.80rc@2754
Stowage:CLAMAV_0_80RC
Stowage:clamav-0.74@643
Stowage:clamav-0.73@612
Stowage:clamav-0.72@594
Stowage:clamav-0.71@565
Stowage:clamav-0.71@2754
Stowage:CLAMAV_0_71
Stowage:clamav-0.70@502
Stowage:clamav-0.70@2754
Stowage:CLAMAV_0_70
Stowage:start
..
compare: Stowage:82a321a5898eae53ec0dda8d8f24fe834b8e2771
Branches Tags
Stowage:dev/1.5.1
Stowage:dev/1.5.2
Stowage:rel/1.5
Stowage:main
Stowage:dev/1.4.4
Stowage:rel/1.4
Stowage:rel/1.0
Stowage:rel/1.3
Stowage:rel/0.103
Stowage:CLAM-2277-ExtractImagesFromOle2
Stowage:rel/1.2
Stowage:feature/integrate-clamav-sys
Stowage:CLAM-2787-pdf-rendering-pdfium
Stowage:rel/1.1
Stowage:rel/0.105
Stowage:rel/0.104
Stowage:rel/0.102
Stowage:rel/0.101
Stowage:rel/0.100
Stowage:rel/0.99
Stowage:0.99.3
Stowage:0.99.2
Stowage:0.99.1
Stowage:0.99
Stowage:0.98
Stowage:0.98.7
Stowage:0.98.6
Stowage:0.98.5
Stowage:0.98.4
Stowage:0.98.3
Stowage:0.98.2
Stowage:0.98.1
Stowage:0.97
Stowage:0.96
Stowage:0.95
Stowage:clamav-1.5.1
Stowage:clamav-1.5.0
Stowage:clamav-1.5.0-rc
Stowage:clamav-1.4.3
Stowage:clamav-1.0.9
Stowage:clamav-1.5.0-beta
Stowage:clamav-1.4.2
Stowage:clamav-1.0.8
Stowage:clamav-1.4.1
Stowage:clamav-1.3.2
Stowage:clamav-1.0.7
Stowage:clamav-0.103.12
Stowage:clamav-1.4.0
Stowage:clamav-1.4.0-rc
Stowage:clamav-1.0.6
Stowage:clamav-1.2.3
Stowage:clamav-1.3.1
Stowage:clamav-1.0.5
Stowage:clamav-1.2.2
Stowage:clamav-1.3.0
Stowage:clamav-1.3.0-rc2
Stowage:clamav-1.3.0-rc
Stowage:clamav-1.2.1
Stowage:clamav-1.1.3
Stowage:clamav-1.0.4
Stowage:clamav-0.103.11
Stowage:clamav-1.2.0
Stowage:clamav-1.1.2
Stowage:clamav-1.0.3
Stowage:clamav-0.103.10
Stowage:clamav-1.1.1
Stowage:clamav-1.0.2
Stowage:clamav-0.103.9
Stowage:clamav-1.2.0-rc
Stowage:clamav-1.1.0
Stowage:clamav-1.1.0-rc
Stowage:clamav-0.103.8
Stowage:clamav-0.105.2
Stowage:clamav-1.0.1
Stowage:clamav-1.0.0
Stowage:clamav-1.0.0-rc2
Stowage:clamav-1.0.0-rc
Stowage:clamav-0.103.7
Stowage:clamav-0.104.4
Stowage:clamav-0.105.1
Stowage:clamav-0.104.3
Stowage:clamav-0.105.0
Stowage:clamav-0.103.6
Stowage:clamav-0.105.0-rc2
Stowage:clamav-0.105.0-rc
Stowage:clamav-0.104.2
Stowage:clamav-0.103.5
Stowage:clamav-0.103.4
Stowage:clamav-0.104.1
Stowage:clamav-0.104.0
Stowage:clamav-0.104.0-rc2
Stowage:clamav-0.103.3
Stowage:clamav-0.103.2
Stowage:clamav-0.103.1
Stowage:clamav-0.103.0
Stowage:clamav-0.103.0-rc2
Stowage:clamav-0.103.0-rc
Stowage:clamav-0.102.4
Stowage:clamav-0.102.3
Stowage:clamav-0.102.2
Stowage:clamav-0.101.5
Stowage:clamav-0.102.1
Stowage:clamav-0.102.0
Stowage:clamav-0.102.0-rc
Stowage:clamav-0.101.4
Stowage:clamav-0.102.0-beta
Stowage:clamav-0.101.3
Stowage:clamav-0.101.2
Stowage:clamav-0.100.3
Stowage:clamav-0.101.1
Stowage:clamav-0.101.0
Stowage:clamav-0.101.0-rc
Stowage:clamav-0.101.0-beta
Stowage:clamav-0.100.2
Stowage:clamav-0.100.1
Stowage:clamav-0.100.0
Stowage:clamav-0.100.0-rc
Stowage:clamav-0.99.4
Stowage:clamav-0.100-beta
Stowage:clamav-0.99.3
Stowage:clamav-0.99.3-beta2
Stowage:clamav-0.99.3-beta1
Stowage:clamav-0.99.2
Stowage:clamav-0.99.1
Stowage:clamav-0.99.1-beta1
Stowage:clamav-0.99
Stowage:clamav-0.99-rc2
Stowage:clamav-0.99-rc1
Stowage:clamav-0.99-beta2
Stowage:clamav-0.99-beta1
Stowage:clamav-0.98.7
Stowage:clamav-0.98.6
Stowage:clamav-0.98.5
Stowage:clamav-0.98.5-rc2
Stowage:clamav-0.98.5-rc1
Stowage:clamav-0.98.5beta
Stowage:clamav-0.98.4
Stowage:clamav-0.98.4-rc1
Stowage:clamav-0.98.3
Stowage:clamav-0.98.2
Stowage:clamav-0.98.1
Stowage:clamav-0.98.1rc
Stowage:clamav-0.98-dmgxar
Stowage:clamav-0.98
Stowage:clamav-0.98rc2
Stowage:clamav-0.98rc
Stowage:clamav-0.97.8
Stowage:clamav-0.97.7
Stowage:clamav-0.97.6
Stowage:clamav-0.97.5
Stowage:clamav-0.97.4
Stowage:clamav-0.97.3
Stowage:clamav-0.97.2
Stowage:clamav-0.97.1
Stowage:clamav-0.97
Stowage:clamav-0.97rc
Stowage:clamav-0.96.5
Stowage:clamav-0.96.4
Stowage:clamav-0.96.3
Stowage:clamav-0.96.2
Stowage:clamav-0.96.1
Stowage:clamav-0.96
Stowage:clamav-0.96rc2
Stowage:clamav-0.96rc1
Stowage:clamav-0.95.3
Stowage:merge-llvm-79908
Stowage:r5076
Stowage:clamav-0.95.2
Stowage:clamav-0.95.1
Stowage:clamav-0.95
Stowage:clamav-0.95rc2
Stowage:clamav-0.95rc1
Stowage:clamav-0.94.2
Stowage:clamav-0.94.1
Stowage:0.94.1rc1
Stowage:clamav-0.94.1rc1
Stowage:clamav-0.94
Stowage:clamav-0.94rc1
Stowage:0.93.3
Stowage:clamav-0.93.1rc1
Stowage:clamav-0.93
Stowage:clamav-20080204
Stowage:clamav-0.92
Stowage:clamav-0.92_sf
Stowage:clamav-0.92rc2
Stowage:clamav-0.92rc1
Stowage:clamav-0.91
Stowage:clamav-0.91rc2
Stowage:clamav-0.90.1
Stowage:clamav-0.88.1
Stowage:clamav-0.88.7
Stowage:clamav-0.88.6
Stowage:clamav-0.88.5
Stowage:clamav-0.88.4
Stowage:clamav-0.88.3
Stowage:clamav-0.88.2
Stowage:clamav-0.88
Stowage:clamav-0.87.1
Stowage:clamav-0.87
Stowage:clamav-0.86.2
Stowage:clamav-0.86.1
Stowage:clamav-0.86
Stowage:clamav-0.86rc1
Stowage:clamav-0.85.1
Stowage:clamav-0.85
Stowage:clamav-0.84
Stowage:clamav-0.84rc2
Stowage:clamav-0.83
Stowage:clamav-0.82
Stowage:clamav-0.75.1
Stowage:clamav-0.75
Stowage:clamav-0.74
Stowage:clamav-0.73
Stowage:clamav-0.72
Stowage:clamav-0.90
Stowage:clamav-0.90rc3
Stowage:clamav-0.90rc2
Stowage:clamav-0.90rc1
Stowage:clamav-0.84rc1
Stowage:clamav-0.81
Stowage:clamav-0.80rc4
Stowage:clamav-0.80rc3
Stowage:clamav-0.80rc1
Stowage:clamav-0.80rc
Stowage:clamav-0.80
Stowage:clamav-0.71
Stowage:clamav-0.70
Stowage:clamav-0.90@2749
Stowage:clamav-0.90rc3@2754
Stowage:clamav-0.90rc3@2666
Stowage:CLAMAV_090RC3
Stowage:clamav-0.90rc2@2754
Stowage:clamav-0.90rc2@2468
Stowage:CLAMAV_090RC2
Stowage:clamav-0.90rc1@2754
Stowage:clamav-0.90rc1@2403
Stowage:CLAMAV_090RC1
Stowage:clamav-0.84rc1@2754
Stowage:clamav-0.84rc1@1466
Stowage:CLAMAV_0_84RC1
Stowage:clamav-0.81@2754
Stowage:clamav-0.81@1286
Stowage:CLAMAV_0_81
Stowage:clamav-0.80rc1@2754
Stowage:clamav-0.80rc1@1265
Stowage:CLAMAV_0_80RC1
Stowage:clamav-0.80@2754
Stowage:clamav-0.80@1021
Stowage:CLAMAV_0_80
Stowage:clamav-0.80rc4@988
Stowage:clamav-0.80rc4@2754
Stowage:CLAMAV_0_80RC4
Stowage:clamav-0.80rc3@939
Stowage:clamav-0.80rc3@2754
Stowage:CLAMAV_0_80RC3
Stowage:clamav-0.80rc@909
Stowage:clamav-0.80rc@2754
Stowage:CLAMAV_0_80RC
Stowage:clamav-0.74@643
Stowage:clamav-0.73@612
Stowage:clamav-0.72@594
Stowage:clamav-0.71@565
Stowage:clamav-0.71@2754
Stowage:CLAMAV_0_71
Stowage:clamav-0.70@502
Stowage:clamav-0.70@2754
Stowage:CLAMAV_0_70
Stowage:start

10 commits
e98b0075e6 ... 82a321a589

Author SHA1 Message Date
Val S.
82a321a589
Fix embedded RAR archive extraction issue 
If the current layer has a file descriptor, ClamAV is passing the path
for that file to the UnRAR module, even if the RAR we want to scan is
just some small embedded bit (e.g. detected by RARSFX signature).

We need to drop the RAR portion to a new file for the UnRAR module
because it does not accept file buffers to be scanned, only file paths.

CLAM-2900
 2025-10-13 23:44:45 -04:00
Val S.
4395c4bac1
Update Rust dependencies; Fix image fuzzy hash values 
Large range testing identified some files where image fuzzy hashing
produces different hashes with ClamAV 1.5 vs 1.4.

With my investigation, I found the issue is with changes in Rust library
dependencies, though it actually wasn't any change with the 'image' or
'jpeg-decoder' crates. After running a simple `cargo update` to update
all non-pinned versions.
I confirmed that this does not affect the minimum supported Rust version
(MSRV).

CLAM-2899
 2025-10-13 15:10:58 -04:00
Val S.
1b96e96c5c
Fix compiler warning 
Mismatched declaration and definition.
 2025-10-13 15:10:58 -04:00
Val S.
f184a1e776
Increase limit for finding PE files embedded in other PE files 
I am seeing missed detections since we changed to prohibit embedded
file type identification when inside an embedded file.
In particular, I'm seeing this issue with PE files that contain multiple
other MSEXE as well as a variety of false positives for PE file headers.

For example, imagine a PE with four concatenated DLL's, like so:
```
  [ EXE file   | DLL #1  | DLL #2  | DLL #3  | DLL #4 ]
```

And note that false positives for embedded MSEXE files are fairly common.
So there may be a few mixed in there.

Before limiting embedded file identification we might interpret the file
structure something like this:
```
MSEXE: {
  embedded MSEXE #1: false positive,
  embedded MSEXE #2: false positive,
  embedded MSEXE #3: false positive,
  embedded MSEXE #4: DLL #1: {
    embedded MSEXE #1: false positive,
    embedded MSEXE #2: DLL #2: {
      embedded MSEXE #1: DLL #3: {
        embedded MSEXE #1: false positive,
        embedded MSEXE #2: false positive,
        embedded MSEXE #3: false positive,
        embedded MSEXE #4: false positive,
        embedded MSEXE #5: DLL #4
      }
      embedded MSEXE #2: false positive,
      embedded MSEXE #3: false positive,
      embedded MSEXE #4: false positive,
      embedded MSEXE #5: false positive,
      embedded MSEXE #6: DLL #4
    }
    embedded MSEXE #3: DLL #3,
    embedded MSEXE #4: false positive,
    embedded MSEXE #5: false positive,
    embedded MSEXE #6: false positive,
    embedded MSEXE #7: false positive,
    embedded MSEXE #8: DLL #4
  }
}
```

This is obviously terrible, which is why why we don't allow detecting
embedded files within other embedded files.
So after we enforce that limit, the same file may be interpreted like
this instead:
```
MSEXE: {
  embedded MSEXE #1:  false positive,
  embedded MSEXE #2:  false positive,
  embedded MSEXE #3:  false positive,
  embedded MSEXE #4:  DLL #1,
  embedded MSEXE #5:  false positive,
  embedded MSEXE #6:  DLL #2,
  embedded MSEXE #7:  DLL #3,
  embedded MSEXE #8:  false positive,
  embedded MSEXE #9:  false positive,
  embedded MSEXE #10: false positive,
  embedded MSEXE #11: false positive,
  embedded MSEXE #12: DLL #4
}
```

That's great! Except that we now exceed the "MAX_EMBEDDED_OBJ" limit
for embedded type matches (limit 10, but 12 found). That means we won't
see or extract the 4th DLL anymore.

My solution is to lift the limit when adding an matched MSEXE type.
We already do this for matched ZIPSFX types.
While doing this, I've significantly tidied up the limits checks to
make it more readble, and removed duplicate checks from within the
`ac_addtype()` function.

CLAM-2897
 2025-10-13 15:10:58 -04:00
Val S.
f7e9c511fc
Loosen restrictions on embedded file identification 
In regression testing against a large sample set, I found that strictly
disallowing any embedded file identification if any previous layer was
an embedded file resulted in missed detections.

Specifically, I found an MSEXE file which has an embedded RAR, which in
turn had another MSEXE that itself had an embedded 7ZIP containing... malware.
sha256: c3cf573fd3d1568348506bf6dd6152d99368a7dc19037d135d5903bc1958ea85

To make it so ClamAV can extract all that, we must loosen the
restriction and allow prior layers to be embedded, just not the current
layer.

I've also added some logic to prevent attempting to extract an object at
the same offset twice. The `fpt->offset`s appear in order, but if you
have multiple file type magic signatures match on the same address, like
maybe you accidentally load two different .ftm files, then you'd get
duplicates and double-extraction.
As a bonus, I found I could also skip over offsets within a valid ZIP,
ARJ, and CAB since we now have the length of those from the header check
and as I know we don't want to extract embedded contents in that way.
 2025-10-13 15:10:55 -04:00
Val S.
97f89f43e7
Fix issue detecting VBA projects 
Previously for documents containing VBA projects, the VBA was treated
as an object within the document and not as a normalized version of
the document. I apparently switched it say that the VBA is a normalized
version of the document. This kind of makes sense in that presently
Javascript extracted from HTML is treated as a normalized version of the
HTML. But it probably shouldn't.

Normalized layers are treated as the same file as the parent.
So now those older signatures that match on VBA projects using
"Container:CL_TYPE_MSOLE2" are failing to match.

So this commit switches it back. VBA project bits written out to a temp
file for scanning will be treated as being contained within the document.

CLAM-2896
 2025-10-13 15:10:29 -04:00
Val S.
045a809645
Fix issue recording OOXML document metadata 
The ZIP single record search feature is used to find specific files when
parsing OOXML documents. I observed that the core properties for a
PowerPoint file were missing in a test as compared with the previous
release.

The error handling check for the unzip search returns CL_VIRUS when
there is a match, not CL_SUCCESS!

CLAM-2886
 2025-10-13 15:10:28 -04:00
Val S.
ea2ad8c879
Scan performance optimization for TNEF message scans 
Uncompressed ZIP-based TNEF message attachments, like OOXML office
document attachments, get double-extracted because of embedded file type
recognition.

To prevent excessive scan times, disable embedded file type recognition
for TNEF files and relay on TNEF parsing to extract attachments.

CLAM-2885
 2025-10-13 15:10:28 -04:00
Val S.
90949e434f
Fix ZIP parser issue recording empty file entries 
If csize (and usize) are 0, like with a directory or other empty file
entry, then the functionionality to record file record information when
indexing the central directory and each associated file record will
neglect to store the `local_header_offset` or `local_header_size`.
That causes problems later after sorting the file records and then
checking for overlapping files.

CLAM-2884
 2025-10-13 15:10:26 -04:00
Val S.
92b4a3e291
Fix ZIP parser issue using central directory 
The function which indexes a ZIP central directory is not advancing
to the next central directory record thus exceeding the max-files scan
limit for many ZIPs.

CLAM-2884
 2025-10-13 15:09:36 -04:00
2 changed files with 573 additions and 429 deletions
Download patch file Download diff file Expand all files Collapse all files

992
Cargo.lock generated
View file

File diff suppressed because it is too large Load diff

10
libclamav/scanners.c
View file

@ -534,9 +534,15 @@ static cl_error_t cli_scanrar(cli_ctx *ctx)
int tmpfd = -1;
#ifdef _WIN32
if ((SCAN_UNPRIVILEGED) || (NULL == ctx->fmap->path) || (0 != _access_s(ctx->fmap->path, R_OK))) {
if ((SCAN_UNPRIVILEGED) ||
(NULL == ctx->fmap->path) ||
(0 != _access_s(ctx->fmap->path, R_OK)) ||
(ctx->fmap->nested_offset > 0) || (ctx->fmap->len < ctx->fmap->real_len)) {
#else
if ((SCAN_UNPRIVILEGED) || (NULL == ctx->fmap->path) || (0 != access(ctx->fmap->path, R_OK))) {
if ((SCAN_UNPRIVILEGED) ||
(NULL == ctx->fmap->path) ||
(0 != access(ctx->fmap->path, R_OK)) ||
(ctx->fmap->nested_offset > 0) || (ctx->fmap->len < ctx->fmap->real_len)) {
#endif
/* If map is not file-backed have to dump to file for scanrar. */
status = fmap_dump_to_file(ctx->fmap, ctx->fmap->path, ctx->this_layer_tmpdir, &tmpname, &tmpfd, 0, SIZE_MAX);