Commit Graph

6129 Commits

Author SHA1 Message Date
Török Edvin
67cbb218bc Fix infloop in hashtab_remove/insert.
This only occurs when elements are removed, but that is currently not
used in libclamav (except for a new bytecode API).
2010-08-10 16:03:11 +03:00
Tomasz Kojm
fae973a25b clamdscan: fix parsing of virus names in extended mode and --stream (bb#2184) 2010-08-10 14:02:11 +02:00
Török Edvin
cdb69c09d4 Fix SELinux detection in enforcing mode.
It denies access to /proc/filesystems and /selinux/enforce.
2010-08-10 09:57:25 +03:00
Török Edvin
946a3f0725 Fix SELinux detection. 2010-08-09 23:48:31 +03:00
Török Edvin
d732b5aa67 Reenable JIT selfcheck.
Lost in startup.cbc conversion.
2010-08-09 22:40:48 +03:00
Török Edvin
e2a499a09b Fix PaX. 2010-08-09 22:38:16 +03:00
Török Edvin
bc3a632815 Typo. 2010-08-09 19:57:30 +03:00
Török Edvin
5cd4ee8808 Mac OS X can run 64-bit app on 32-bit kernel (bb #2153).
So don't warn for these mismatches.
2010-08-09 19:47:32 +03:00
Tomasz Kojm
0b9e8e5a7f libclamav/others.h: bump f-level 2010-08-09 16:50:23 +02:00
Tomasz Kojm
7c75b6fd08 sigtool/sigtool.c: fix handling of --datadir (bb#2180) 2010-08-09 13:22:00 +02:00
Tomasz Kojm
157ba24086 libclamav/matcher-ac.c: improve offset handling (bb#2170) 2010-08-09 13:02:49 +02:00
aCaB
24518b1dd0 bb#2172 2010-08-08 16:00:23 +02:00
aCaB
088f5ced24 Revert "fail win32 build for testing purposes, will be reverted ASAP"
This reverts commit adb7189782.
2010-08-06 15:48:56 +02:00
aCaB
adb7189782 fail win32 build for testing purposes, will be reverted ASAP 2010-08-06 15:40:05 +02:00
aCaB
6c6638b01e bb#2171 2010-08-06 13:50:35 +02:00
Török Edvin
38c9fc17cd pdf: stream is sometimes not followed by EOL immediately.
Retry inflate by skipping after EOL.
See sample id0009445634.
2010-08-06 14:21:09 +03:00
Török Edvin
4d808a8664 Dump JPG images from PDFs.
Sometimes a JPG is not a JPG, and may contain HTML malware.
See sample id0008931254.
2010-08-06 12:48:19 +03:00
Török Edvin
5e2b776b11 Fix parsing of some PDFs.
/Filter[ was parsed incorrectly. The [ is not part of the name.
2010-08-06 12:48:19 +03:00
Tomasz Kojm
87374bc051 libclamav/elf.c: fix zero mem alloc warning (bb#2173) 2010-08-06 11:38:35 +02:00
Török Edvin
57549ff480 Obey HeuristicScanPrecedence for pdf. 2010-08-05 22:00:04 +03:00
Török Edvin
cf0f529bb3 pdf: give low priority to Heuristic signature. 2010-08-05 21:55:37 +03:00
Török Edvin
76cdacdd92 pdf: flush on stream end too. 2010-08-05 21:25:05 +03:00
Török Edvin
89590e9974 Output partially extracted blocks in pdf.
Sometimes PDF claims the zlib data is longer/shorter than it really is.
We always prefer the longest one, which can lead zlib to return an error
when we run off the end.

So dump the remaining extracted data from zlib's buffer to disk, it usually
contains all we need already (and if not we're going to dump the raw inflate
stream anyway).

This fixes 3 missed samples of Exploit.PDF-60 in the regression test.
2010-08-05 21:18:29 +03:00
aCaB
1bb5a24d3e win32 fixes: bb#2152 and bb#2153 2010-08-05 12:08:13 +02:00
Török Edvin
70c222c99c save lsig counts/offsets (bb #2055). 2010-08-02 23:08:21 +03:00
Török Edvin
d1a28db048 Fix off-by-two in new pdf parser. 2010-08-02 22:06:42 +03:00
Török Edvin
762d46e8ea Fix matchicon bytecode API (bb #2139).
Now you can call it both from a normal lsig triggered BC, and from a PE hook BC.
The normal lsig triggered BC has exe_info (but not PE info) which allows it to
invoke the icon matcher API.
Also putting ICONGROUP1 into the ldb trigger of the bytecode works.
2010-08-02 21:52:15 +03:00
Török Edvin
e865b2d8e3 typo 2010-08-02 19:37:31 +03:00
Török Edvin
7882e72107 Reset virname after iconscan API called from bytecode. 2010-08-02 19:33:38 +03:00
Török Edvin
a8935f90b9 Update startup.cbc (bb #2151).
It is a compiler bug, short-circuiting the big-endian path to
return 0xdead11.
Since this test is meant to test libclamav, disable this test for now.
When the compiler is fixed (bb #2157) the test can be re-added.
2010-08-02 19:00:31 +03:00
Török Edvin
213dfdff06 run 1 unit-test at least in test mode (bb #2151).
Also allow running test mode if JIT is not available, still checking
for failed startup.cbc execution.
2010-08-02 19:00:12 +03:00
Török Edvin
1dae00ebf4 bytecode: add icon match API. 2010-08-02 18:21:24 +03:00
Török Edvin
dc200c6b19 Add bytecode API for pdf. 2010-08-02 18:21:24 +03:00
Török Edvin
f14bf644de Guard Heuristics.PDF.ObfuscatedNameObject by CL_SCAN_ALGORITHMIC. 2010-08-02 18:21:24 +03:00
aCaB
5b4b8ddff6 be fixes - bb#2151 2010-08-02 17:17:46 +02:00
Tomasz Kojm
e64cde8d5d freshclam/manager.c: don't call cli_bytecode_prepare() when Bytecode is disabled in freshclam.conf (bb#2149) 2010-08-02 16:09:24 +02:00
Tomasz Kojm
9d10f054a5 libclamav/matcher: make icon sigs work with bytecode (bb#2137) 2010-08-02 15:37:37 +02:00
Török Edvin
9acc81d603 pdf: improve handling of truncated files, and fix some filter handling bugs.
Also don't dump images by default, this will be overridable from bytecode.
2010-08-01 22:14:44 +03:00
Török Edvin
cacd0927b4 pdf: fix uninitialized values, and bytesleft. 2010-07-30 22:33:56 +03:00
Török Edvin
e8c7cc2185 pdf: avoid negative lengths.
Thanks to nitrox for reporting.
2010-07-30 20:43:48 +03:00
Török Edvin
80db7712ec Add filter abbreviations used in images. 2010-07-30 20:41:53 +03:00
Török Edvin
b835a528db Some more fixes for signed/encrypted pdfs. 2010-07-30 20:26:59 +03:00
Török Edvin
edeb59b344 Some flag fixes for pdf. 2010-07-30 19:41:05 +03:00
Török Edvin
f984f75bbc Improve handling of pdf streams.
Also dump undecompressible streams, since we are not decrypting.
2010-07-30 19:41:05 +03:00
aCaB
a66201acd1 bump CLI_MAX_ALLOCATION - bb#2124 2010-07-30 17:47:42 +02:00
aCaB
08b5aec381 fix previous: typo in unit_tests, order in cli_exe_info 2010-07-30 16:08:51 +02:00
aCaB
453d818022 use cached metadata in icon parser, add icon unit tests 2010-07-30 15:54:15 +02:00
Tomasz Kojm
3f82dac01f freshclam: fix parsing of extended log entries 2010-07-30 15:16:17 +02:00
Török Edvin
2a599782aa Disable debug code in pdf. 2010-07-30 14:24:52 +03:00
Török Edvin
eb270d5a36 Improve extraction of PDF objects (bb #1596, #1994, #2029).
Seems to extract most pdf/openaction/and streams (flate, ascii85, asciihex).
Doesn't normalize extracted JS, that will be done once bytecode hooks are added.
2010-07-30 14:23:10 +03:00