Re: [Clamav-users] Exploit.W32.MS05-002 False Positives

Author: Trog
Date:  
To: ClamAV users ML
Subject: Re: [Clamav-users] Exploit.W32.MS05-002 False Positives
On Tue, 2005-02-08 at 15:31 +0000, Francis Stevens wrote:

> >
> > Same here, what is the fix?
> >
>
> My "fix" was to go back to 0.81. Hopefully the ClamAV team will be able
> to suggest a better one....
>


You can apply the enclosed patch if you want less stringent checking.

-trog

--- libclamav/special.c    5 Feb 2005 15:50:18 -0000    1.8
+++ libclamav/special.c    8 Feb 2005 14:47:06 -0000    1.9
@@ -224,6 +224,12 @@
        return 0;
    }

+    if (memcmp(&form_type, "ACON", 4) != 0) {
+        /* Only scan MS animated icon files */
+        /* There is a *lot* of broken software out there that produces bad RIFF files */
+        return 0;
+    }
+
    chunk_size = riff_endian_convert_32(chunk_size, big_endian);

    do {
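Review bot: the new `memcmp(&form_type, "ACON", 4) != 0` branch returns 0, the same value as the early return just above it, so a caller cannot tell a RIFF file that was skipped because it is not an animated icon from the other zero-return path. If callers or logs need that distinction, state the meaning of the return values in the function's header comment. The comparison also reads 4 bytes from `form_type`, and the read that fills it is not visible in this hunk, so confirm it is a 4-byte object that is fully populated before this point. The two comments could be merged into one and wrapped; the second line runs long.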
@@ -234,6 +240,6 @@

    if (offset < chunk_size) {
        retval = 2;
-    };
+    }
    return retval;
}
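Review bot: the `};` to `}` change after `retval = 2;` is cosmetic and unrelated to the false-positive fix, so it would sit better in a separate commit. While touching this block, the bare `retval = 2` in the `offset < chunk_size` case deserves a short comment or a named constant saying what 2 means to the caller, since with the earlier hunk applied this path is only reached for ACON files.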
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users