Open Schroeffu opened 2 years ago
Can some Rust ar packages be used?
@Sanesecurity your link seems to be broken. But yeah, it would be easier to bring in AR support from an existing Rust crate.
We're presently integrating support for two archive types in Rust: ALZ and LHZ.
The LHZ one is using an existing Rust crate (delharc) and may be a decent example if someone wants to do the same for AR support.
Odd... here are some separate links:
https://crates.io/crates/ar
https://sources.debian.org/src/rust-ar/0.9.0-1/
https://github.com/mdsteele/rust-ar
Is this implemented with 1.4.0? See Changelog https://github.com/Cisco-Talos/clamav/releases/tag/clamav-1.4.0
Just ALZ and LHA/LZH file types. Not AR. So .deb
AR archives are still just treated as binary data.
Feature Request
Would it be possible to enhance ClamAV to support unpacking the "AR" archive format? This would make it possible to scan all .deb packages for malware inside, which does not yet seem to work as long as there are other archives (GZIP) inside the .deb.
.deb packages are "AR" Archive format. Viruses in mypackage.deb (AR Archive Type) > data.tar.zst (gzip archive type) > Viruses inside of this GZIP are not detected.
Clamav-Users mailing list discussion about that: https://lists.clamav.net/pipermail/clamav-users/2022-July/012780.html
How to reproduce the problem
-- mysoftware_version_1-1.deb [AR Archive Type]
--- data.tar.zst > [GZIP Archive Type]
------ /usr/bin/mysoftware/xyz/files_myvirus_abc
wget "https://seafile.schroeffu.ch/f/876b201b6d614d66a87e/?dl=1" -O /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb
Now unpack & scan again, malware detected:
ar x /tmp/gimp_2.10.30-1build1_amd64_eicar_and_realmalware.deb && clamdscan -z /tmp/data.tar.zst
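The thread above says AR archives are still treated as binary data, so the members of a .deb are never handed to the nested-archive scanners. As an added example (not ClamAV code and not the `ar` crate linked above), this std-only Rust reader splits an AR container into its members; `parse_ar`, `Member` and `sample_deb` are hypothetical names, the sample bytes are constructed, and only the plain 16-byte member names that .deb files use are handled.

```rust
// Added example, std only: reader for the common "ar" layout that .deb files use.
const MAGIC: &[u8] = b"!<arch>\n";

pub struct Member<'a> { pub name: String, pub data: &'a [u8] }

/// Splits an in-memory ar archive into members, failing on malformed headers.
pub fn parse_ar(buf: &[u8]) -> Result<Vec<Member<'_>>, String> {
    if !buf.starts_with(MAGIC) {
        return Err("missing !<arch> magic".to_string());
    }
    let (mut pos, mut members) = (MAGIC.len(), Vec::new());
    while pos < buf.len() {
        let hdr = buf.get(pos..pos + 60).ok_or("truncated member header")?;
        if &hdr[58..60] != b"`\n" {
            return Err(format!("bad header terminator at offset {}", pos));
        }
        // ASCII, space-padded fields: name = bytes 0..16, decimal size = 48..58.
        let name = String::from_utf8_lossy(&hdr[..16]).trim_end().trim_end_matches('/').to_string();
        let size = std::str::from_utf8(&hdr[48..58]).map_err(|_| "non-ASCII size field")?;
        let size = size.trim().parse::<usize>().map_err(|_| "non-numeric size field")?;
        let end = (pos + 60).checked_add(size).ok_or("size overflow")?;
        let data = buf.get(pos + 60..end).ok_or("member data runs past end of file")?;
        members.push(Member { name, data });
        pos = end + (size & 1); // odd-sized data is followed by one pad byte
    }
    Ok(members)
}

/// Constructed sample: a tiny .deb-shaped archive (member contents are placeholders).
pub fn sample_deb() -> Vec<u8> {
    let mut out = MAGIC.to_vec();
    let parts =
        [("debian-binary", &b"2.0\n"[..]), ("control.tar.zst", &b"CTL"[..]), ("data.tar.zst", &b"PAYLOAD"[..])];
    for (name, data) in parts {
        out.extend(format!("{:<16}{:<12}{:<6}{:<6}{:<8}{:<10}`\n", name, 0, 0, 0, "100644", data.len()).bytes());
        out.extend_from_slice(data);
        out.extend(std::iter::repeat(b'\n').take(data.len() % 2));
    }
    out
}

fn main() {
    // Each member's bytes are what a scanner would recurse into next.
    for m in parse_ar(&sample_deb()).expect("valid archive") {
        println!("{:<16} {} bytes", m.name, m.data.len());
    }
}
```

A scanner that stops at the outer container sees only the concatenated bytes; the per-member slices returned here are the units that would need to go through the existing decompression and tar handling.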