scripts: improve CLAMAV_MESSAGE_SIZE_LIMIT usage #3332

Merged
merged 3 commits into from May 12, 2023

georglauterbach
Member

Description

Adds sanity check for ClamAV size & adjusted MaxScanSize. The second part is of special importance! See https://askubuntu.com/a/1448525, which explains that the maximum scan size is important as well. We previously just set the maximum file size, which actually is pretty insecure as we silently do not scan mail bigger than MaxScanSize. This is corrected now.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (README.md or the documentation under docs/)
  • If necessary I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

@georglauterbach
Member Author

I added this to the Rspamd tracking project, but this is primarily about ClamAV.

@georglauterbach georglauterbach linked an issue May 12, 2023 that may be closed by this pull request
12 tasks
@georglauterbach georglauterbach merged commit 78b7f0c into master May 12, 2023
7 checks passed
@georglauterbach georglauterbach deleted the clamav/improvements branch May 12, 2023 14:04
"s/^MaxFileSize.*/MaxFileSize ${CLAMAV_MESSAGE_SIZE_LIMIT}/" \

# do a short sanity checks; ClamAV stops scanning at more that 4GB file size
if [[ $(numfmt --from=si "${CLAMAV_MESSAGE_SIZE_LIMIT}") -gt $(numfmt --from=si 4G) ]]
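Review bot: the `if` condition uses the output of `numfmt --from=si "${CLAMAV_MESSAGE_SIZE_LIMIT}"` without checking that the conversion succeeded. If the variable holds a value numfmt rejects, the command substitution is empty, `[[ ... -gt ... ]]` evaluates the empty operand as 0, and the sanity check passes silently. Store the converted value in a variable first, abort on a non-zero exit status from numfmt, and only then compare. The comment line above the condition also has two typos ("a short sanity checks", "more that").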
Contributor

@ap-wtioit ap-wtioit May 15, 2023


sorry, for catching this now. i think clamav is not using the SI system for their limit variables.

i think the M / G in the clamav variables is actually MiB / GiB, so this check is not correct as it checks for 4000000000 instead of 4294967296.

Could it be that the correct check would involve:

if [[ $(numfmt --from=iec "${CLAMAV_MESSAGE_SIZE_LIMIT}") -gt $(numfmt --from=iec 4G) ]]

edit: but i could not find a clear documentation for that. only https://blog.clamav.net/2022/01/clamav-01035-and-01042-security-patch.html where it states that the internal max file size was still 2 GiB for 0.103.5

edit: my initial assumption was wrong, 4000M seems to be 4G (si) in clamav. however when testing with clamscan an actual 4G file does not get scanned:
docker run --rm mailserver/docker-mailserver:latest bash -c 'set -ex; dd if=/dev/zero bs=1000 count=$(numfmt --from=si 4M) of=zero.txt && du -hs zero.txt && clamscan --max-filesize=4000M --max-scansize=4000M --alert-exceeds-max zero.txt'

++ numfmt --from=si 4M
+ dd if=/dev/zero bs=1000 count=4000000 of=zero.txt
4000000+0 records in
4000000+0 records out
4000000000 bytes (4.0 GB, 3.7 GiB) copied, 3.90953 s, 1.0 GB/s
+ du -hs zero.txt
3.8G	zero.txt
+ clamscan --max-filesize=4000M --max-scansize=4000M --alert-exceeds-max zero.txt
LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
/zero.txt: Heuristics.Limits.Exceeded.MaxFileSize FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8664779
Engine version: 0.103.8
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 3814.70 MB (ratio 0.00:1)
Time: 12.713 sec (0 m 12 s)
Start Date: 2023:05:15 08:07:48
End Date:   2023:05:15 08:08:01

where a 2G file does get scanned:
docker run --rm mailserver/docker-mailserver:latest bash -c 'set -ex; dd if=/dev/zero bs=1000 count=$(numfmt --from=si 2000K) of=zero.txt && du -hs zero.txt && clamscan --max-filesize=4000M --max-scansize=4000M --alert-exceeds-max zero.txt'

++ numfmt --from=si 2000K
+ dd if=/dev/zero bs=1000 count=2000000 of=zero.txt
2000000+0 records in
2000000+0 records out
2000000000 bytes (2.0 GB, 1.9 GiB) copied, 1.9642 s, 1.0 GB/s
+ du -hs zero.txt
1.9G	zero.txt
+ clamscan --max-filesize=4000M --max-scansize=4000M --alert-exceeds-max zero.txt
LibClamAV Warning: **************************************************
LibClamAV Warning: ***  The virus database is older than 7 days!  ***
LibClamAV Warning: ***   Please update it as soon as possible.    ***
LibClamAV Warning: **************************************************
/zero.txt: OK

----------- SCAN SUMMARY -----------
Known viruses: 8664779
Engine version: 0.103.8
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 4062.65 MB
Data read: 1907.35 MB (ratio 2.13:1)
Time: 343.906 sec (5 m 43 s)
Start Date: 2023:05:15 08:09:26
End Date:   2023:05:15 08:15:10
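
The unit question raised in the comment above, as an added example that is not code from this pull request or from docker-mailserver: a size check that evaluates the configured limit under both the SI (1000) and IEC (1024) readings and rejects unparsable values instead of treating them as 0. The function names, the accepted suffix set (K, M, G in either case) and the ceiling passed in bytes are assumptions; suffix parsing is done in plain shell here rather than with `numfmt`.

```sh
#!/bin/sh
# Added example; limit_to_bytes and classify_limit are hypothetical helpers.

# limit_to_bytes VALUE BASE
# Prints VALUE (e.g. "25M") in bytes using BASE 1000 (SI) or 1024 (IEC).
# Exits non-zero on anything that is not <digits>[K|M|G].
limit_to_bytes() (
  value=$1 base=$2
  number=${value%[KkMmGg]}          # drop one trailing unit suffix, if any
  case $number in
    # empty, leading zero (octal in shell arithmetic), non-digit, or > 9 digits
    ''|0?*|*[!0-9]*|??????????*) exit 1 ;;
  esac
  case $value in
    *[Kk]) mult=$base ;;
    *[Mm]) mult=$((base * base)) ;;
    *[Gg]) mult=$((base * base * base)) ;;
    *)     mult=1 ;;
  esac
  echo $((number * mult))
)

# classify_limit VALUE CEILING_BYTES
# Prints one of: ok | ambiguous | over | invalid
classify_limit() (
  si=$(limit_to_bytes "$1" 1000)  || { echo invalid; exit 0; }
  iec=$(limit_to_bytes "$1" 1024) || { echo invalid; exit 0; }
  if [ "$si" -gt "$2" ]; then
    echo over        # exceeds the ceiling under either reading
  elif [ "$iec" -gt "$2" ]; then
    echo ambiguous   # passes as SI, exceeds the ceiling if the unit is IEC
  else
    echo ok
  fi
)

# Constructed sample values, checked against the 4000000000-byte figure
# quoted in the thread.
for v in 25M 3900M 5G 25MB; do
  printf '%-6s %s\n' "$v" "$(classify_limit "$v" 4000000000)"
done
```

A result of `ambiguous` marks a limit whose acceptance depends on which unit base the scanner applies, which is the case the thread leaves open.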

Successfully merging this pull request may close these issues.

bug report: ClamAV: failed to scan, maximum retransmits exceed
3 participants