Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

Improper handling of Parent Directory function in rootfs directory. (Debian 12 Linux Container) #1311

Open jjbyrnes29 opened 1 month ago

jjbyrnes29 commented 1 month ago

Describe the bug

Improper handling of Parent Directory .. in / in Debian 12 Linux Container Image (Debian 12 LXC Image on Proxmox 8.2.4)

How to reproduce the problem

Run the following commands on a Debian 12 LXC Image.

sudo apt-get install clamav clamav-daemon

clamscan -r -i /

Specifically, for better bug testing, I will exclude all named directories under / from the scan: clamscan -r -i / --exclude-dir=/bin --exclude-dir=/boot --exclude-dir=/dev --exclude-dir=/etc --exclude-dir=/home --exclude-dir=/lib --exclude-dir=/lib64 --exclude-dir=/lost+found --exlude-dir=/media --exclude-dir=/mnt --exclude-dir=/opt --exclude-dir=/proc --exclude-dir=/root --exclude-dir=/run --exclude-dir=/sbin --exclude-dir=/sys --exclude-dir=/tmp --exclude-dir=/usr --exclude-dir=/var

Output from the ClamAV command: see attachments.

Attachments

Linux Container scanning will throw an error.

LXC Scan (attachment)

Virtual Machine scanning will not throw an error.

VM Clamscan (attachment)

micahsnyder commented 1 month ago

It feels like there should be an error message printed before the scan summary. Was there an error message? Or just a scan summary saying there was an error?

I gave that a go on my own computer using Docker. You mentioned it is a "debian 12 container". I don't have the proxmox image, so I just started the basic debian:12 image, like this:

docker run -it debian:12 /bin/bash 

Then within the container, I ran:

apt update && apt install -y clamav clamav-daemon
freshclam
clamscan -r -i / --exclude-dir=/bin --exclude-dir=/boot --exclude-dir=/dev --exclude-dir=/etc --exclude-dir=/home --exclude-dir=/lib --exclude-dir=/lib64 --exclude-dir=/lost+found --exlude-dir=/media --exclude-dir=/mnt --exclude-dir=/opt --exclude-dir=/proc --exclude-dir=/root --exclude-dir=/run --exclude-dir=/sbin --exclude-dir=/sys --exclude-dir=/tmp --exclude-dir=/usr --exclude-dir=/var 

That last command is a copy-paste from above.

I found there is a typo: "exlude" instead of "exclude". I fixed the typo and re-ran:

clamscan -r -i / --exclude-dir=/bin --exclude-dir=/boot --exclude-dir=/dev --exclude-dir=/etc --exclude-dir=/home --exclude-dir=/lib --exclude-dir=/lib64 --exclude-dir=/lost+found --exclude-dir=/media --exclude-dir=/mnt --exclude-dir=/opt --exclude-dir=/proc --exclude-dir=/root --exclude-dir=/run --exclude-dir=/sbin --exclude-dir=/sys --exclude-dir=/tmp --exclude-dir=/usr --exclude-dir=/var 

That worked fine. The output was:

----------- SCAN SUMMARY -----------
Known viruses: 8696251
Engine version: 1.0.5
Scanned directories: 2
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 13.174 sec (0 m 13 s)
Start Date: 2024:07:17 19:10:55
End Date:   2024:07:17 19:11:08 

One thing to note: I did all this as the root user in the debian:12 container. That's different from your Proxmox container, which is running as some user account, not root.
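A small helper script for the reproduction steps discussed above, added here as an example; it is not part of this issue or of the ClamAV project, and the function names (clamscan_excludes, clamscan_status, run_root_only_scan) are chosen for the example. It generates the --exclude-dir list from the real top-level entries of a root, so a misspelled option like --exlude-dir cannot creep in; it anchors each pattern with ^, because clamscan matches --exclude-dir as a regex against the path and an unanchored /bin would also drop /usr/bin; and it maps clamscan's exit status (0 clean, 1 infected, 2 error) so a run that ended in an error can be told apart from a clean one, whether it is run as root or as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the ClamAV project or the issue author).
# Helpers for the reproduction steps in this issue. Function names are
# chosen for this example.

# Print one --exclude-dir=REGEX option per top-level directory under $1,
# except the names given as further arguments (those stay in the scan).
# The list comes from the filesystem itself, so a misspelled option such
# as "--exlude-dir" cannot slip in, and every pattern is anchored with ^:
# clamscan matches --exclude-dir as a regex against the path, so an
# unanchored "/bin" would also silently drop /usr/bin and /usr/local/bin.
clamscan_excludes() {
    root=${1%/}          # "/" becomes "", so "$root"/*/ expands to /*/
    shift
    keep=" $* "
    for dir in "$root"/*/ "$root"/.[!.]*/; do
        [ -d "$dir" ] || continue       # skip unmatched glob literals
        dir=${dir%/}
        name=${dir##*/}
        case "$keep" in *" $name "*) continue ;; esac
        printf -- '--exclude-dir=^%s\n' "$dir"
    done
}

# Map clamscan's documented exit status to its meaning.
clamscan_status() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        2) echo error ;;
        *) echo "unknown($1)" ;;
    esac
}

# Reproduce the report: scan "/" with every top-level directory excluded,
# then report the exit status. Run it once as root and once as an
# unprivileged user to compare, as discussed in the thread.
# (Word-splitting the option list is fine for standard top-level names,
# which contain no whitespace.)
run_root_only_scan() {
    command -v clamscan >/dev/null 2>&1 || {
        echo "clamscan is not installed" >&2
        return 3
    }
    set -- $(clamscan_excludes /)
    clamscan -r -i "$@" /
    rc=$?
    echo "clamscan exit $rc: $(clamscan_status "$rc")"
    return "$rc"
}

# Invoke as:  sh repro.sh --run   (with clamscan installed)
if [ "${1-}" = "--run" ]; then
    run_root_only_scan
fi
```

To keep a directory in the scan, pass its name after the root (for example `clamscan_excludes / home var` keeps /home and /var); everything else at the top level gets an anchored exclude pattern.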