Clam 2942 clam 2941 clam 2930 cvd verification bugs #1668
val-ms wants to merge 3 commits into Cisco-Talos:main from
The default CVD certs directory on unix systems is `/usr/local/etc/certs`, which is not unique to ClamAV and may already exist and include other certificates, some of which may have restricted user permissions inaccessible to the running ClamAV application. In this scenario, ClamAV should skip over the cert files it cannot read. Resolves: Cisco-Talos#1665 CLAM-2942
There is a bug affecting ClamAV 1.5.0 and 1.5.1 where it attempts to download the .sign file and verify the .sign or legacy RSA digital signature for CLD files when using the PrivateMirror option. For context, the PrivateMirror option enables you to download either CLD or CVD files from a mirror such that you can serve a private mirror where the signatures are pulled using Freshclam. Note that it is better to use the CVDUpdate utility which always serves digitally signed CVD and CDIFF files. The PrivateMirror capability predates CVDUpdate and is still used by many today. Resolves Cisco-Talos#1626 CLAM-2941
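An added example, not ClamAV's own code, of the behaviour the first paragraph asks for: when a shared certs directory such as `/usr/local/etc/certs` is scanned, a file the process cannot read is logged and skipped instead of aborting the whole load, and only a missing or unopenable directory is treated as an error. The function names `scan_certs_dir` and `run_fixture_scan`, the `*.crt`/`*.pem` filter and the fixture directory with one readable and one mode-0000 file are assumptions made for this illustration; the fixture is constructed by the code itself.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of one scan of a certs directory. */
typedef struct {
    int loaded;   /* cert files that could be opened and read */
    int skipped;  /* cert files skipped because they could not be read */
} cert_scan_result;

/* Assumed filter: treat *.crt and *.pem entries as candidate certs. */
static int looks_like_cert(const char *name)
{
    size_t n = strlen(name);
    return n > 4 && (strcmp(name + n - 4, ".crt") == 0 ||
                     strcmp(name + n - 4, ".pem") == 0);
}

/* Scan `dir` for certificate files. A file that cannot be opened or read
 * (e.g. EACCES because it belongs to another service and is mode 0600)
 * is logged and skipped; the scan continues. Returns 0 on success and -1
 * only when the directory itself cannot be opened. */
int scan_certs_dir(const char *dir, cert_scan_result *out)
{
    DIR *d;
    struct dirent *ent;
    char path[4096];
    unsigned char buf[64];

    out->loaded = 0;
    out->skipped = 0;

    d = opendir(dir);
    if (d == NULL) {
        fprintf(stderr, "cannot open certs directory %s: %s\n", dir, strerror(errno));
        return -1;
    }
    while ((ent = readdir(d)) != NULL) {
        FILE *f;
        if (!looks_like_cert(ent->d_name))
            continue;
        snprintf(path, sizeof(path), "%s/%s", dir, ent->d_name);
        f = fopen(path, "rb");
        if (f == NULL) {
            /* Unreadable: warn and move on instead of failing the scan. */
            fprintf(stderr, "skipping unreadable cert %s: %s\n", path, strerror(errno));
            out->skipped++;
            continue;
        }
        /* Touch the contents; a real loader would parse the PEM here. */
        if (fread(buf, 1, sizeof(buf), f) == 0 && ferror(f)) {
            fprintf(stderr, "skipping cert %s: read error\n", path);
            out->skipped++;
        } else {
            out->loaded++;
        }
        fclose(f);
    }
    closedir(d);
    return 0;
}

/* Constructed fixture: a temp dir holding one readable cert and one cert
 * chmod'ed to 0000 (another service's restricted file), scanned and then
 * removed. Note: as root the 0000 file is still readable, so callers should
 * only rely on loaded + skipped equalling the number of candidate files. */
int run_fixture_scan(cert_scan_result *out)
{
    char tmpl[] = "/tmp/certs-demo-XXXXXX";
    char readable[4096], locked[4096];
    FILE *f;
    int rc;
    char *dir = mkdtemp(tmpl);

    if (dir == NULL)
        return -1;
    snprintf(readable, sizeof(readable), "%s/clamav-demo.crt", dir);
    snprintf(locked, sizeof(locked), "%s/other-service.pem", dir);

    f = fopen(readable, "wb");
    if (f == NULL)
        return -1;
    fputs("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n", f);
    fclose(f);

    f = fopen(locked, "wb");
    if (f == NULL)
        return -1;
    fputs("restricted\n", f);
    fclose(f);
    chmod(locked, 0);

    rc = scan_certs_dir(dir, out);

    chmod(locked, 0600);
    unlink(readable);
    unlink(locked);
    rmdir(dir);
    return rc;
}

int main(void)
{
    cert_scan_result r;
    if (run_fixture_scan(&r) != 0)
        return 1;
    printf("loaded=%d skipped=%d\n", r.loaded, r.skipped);
    return 0;
}
```

Run as an unprivileged user the fixture scan reports one loaded and one skipped cert; the important property is that the unreadable file never turns into a fatal error for the caller.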
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ff3a265bf3
| if (dbtype == CVD_TYPE_CVD) { | ||
| // try to get the sign file before verifying the cvd | ||
| // use the cvd name + version to get the signature file |
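Review bot: the guard `if (dbtype == CVD_TYPE_CVD)` and its two comments describe only the CVD branch (fetch the .sign before verifying), and say nothing about what happens to a CLD that falls through; since the PR text states CLDs are not signed, add a comment or an else branch with a log line at this point making explicit that for CLD the .sign download is intentionally skipped and which check, if any, still runs, so the trade-off is visible at the call site rather than only in the PR discussion.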
Verify CLD downloads instead of skipping validation
The new `if (dbtype == CVD_TYPE_CVD)` guard wraps the only call to `cli_cvdverify`, so `.cld` downloads now skip signature verification entirely. That means a PrivateMirror serving a tampered CLD will be accepted without any cryptographic check, which is a security regression compared to verifying the downloaded database. The fix should still skip downloading `.sign` for CLD, but it should continue to run `cli_cvdverify` on CLD files to preserve integrity checks.
This is true. CLDs aren't signed, and there has always been this risk of using the PrivateMirror options and serving CLD files.
Freshclam's feature to load-test a newly downloaded database is not using the CVDCertsDirectory option to determine the certs directory. The environment variable works, however. In addition to the environment variable, you can work around the issue by disabling load testing. To fix this issue, we need to extend the libfreshclam API adding a `fc_test_database_ex()` function that takes the certs directory as a parameter. Resolves: Cisco-Talos#1630 CLAM-2930
ff3a265 to 41af501
Ignore cert files in CVD certs directory which can't be read
The default CVD certs directory on unix systems is
/usr/local/etc/certs, which is not unique to ClamAV and may already exist and include other certificates,
some of which may have restricted user permissions inaccessible to the running
ClamAV application. In this scenario, ClamAV should skip over the cert files it
cannot read.
Resolves: CVD Verifier is too aggressive re: requirements for other certs found in CVDCertsDirectory #1665
CLAM-2942
Freshclam: Fix CLD verification bug with PrivateMirror option
There is a bug affecting ClamAV 1.5.0 and 1.5.1 where it attempts to
download the .sign file and verify the .sign or legacy RSA digital
signature for CLD files when using the PrivateMirror option.
For context, the PrivateMirror option enables you to download either
CLD or CVD files from a mirror such that you can serve a private mirror
where the signatures are pulled using Freshclam.
Note that it is better to use the CVDUpdate utility which always serves
digitally signed CVD and CDIFF files. The PrivateMirror capability
predates CVDUpdate and is still used by many today.
Resolves Freshclam won't download signature files #1626
CLAM-2941
Freshclam: Fix issue with CVDCertsDirectory when load-testing databases
Freshclam's feature to load-test a newly downloaded database is not using the
CVDCertsDirectory option to determine the certs directory.
The environment variable works, however.
In addition to the environment variable, you can work around the issue by
disabling load testing.
To fix this issue, we need to extend the libfreshclam API adding a
fc_test_database_ex() function that takes the certs directory as a parameter.
Resolves: Self-signed certificate encountered by freshclam #1630
CLAM-2930