davispuh / ruby-libmspack

Ruby wrapper for libmspack, a library for compressing and decompressing the Microsoft compression formats CAB, CHM, HLP, LIT, KWAJ and SZDD.
The Unlicense
3 stars, 4 forks

Inclusion of libmspack test files triggers anti-virus warnings #2

Closed. ronaldtse closed this 2 years ago

ronaldtse commented 2 years ago

As described here: https://github.com/metanorma/chocolatey-metanorma/issues/66#issuecomment-995613224

The inclusion of the ext/libmspack/test folder in the compiled gem is causing anti-virus engines to flag those files in the gem.

In particular, these are test files that trigger CVEs and should not have been included in the gem:

libmspack-0.10.1\ext\libmspack\test\test_files\chmd\cve-2015-4468-namelen-bounds.chm
libmspack-0.10.1\ext\libmspack\test\test_files\chmd\cve-2015-4469-namelen-bounds.chm
libmspack-0.10.1\ext\libmspack\test\test_files\chmd\cve-2015-4472-namelen-bounds.chm
libmspack-0.10.1\ext\libmspack\test\test_files\chmd\cve-2017-6419-lzx-negative-spaninfo.chm

Sample virus scan results can be seen here: https://www.virustotal.com/gui/file/3894e66aa4aef6e71ea83865021aff61450c1ab8a9f137baf1e671ecf58a94c0/behavior

(This was also reported here: https://github.com/metanorma/chocolatey-metanorma/issues/61#issuecomment-968661076)

davispuh commented 2 years ago

Root cause is stupid AVs. Those CVE files are purposely made to test against those vulnerabilities, so they are valid.

But I agree that including them in the gem distribution isn't that useful unless someone wants to run tests after building, but currently that's not done. So fixing this would be very simple: just change spec.files += Dir.glob('ext/**/*') in libmspack.gemspec
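One way to make that gemspec change and to verify it before a release, as an added example that is not part of this thread or of the ruby-libmspack project's own code. It assumes the checkout layout named in the report (ext/libmspack/test/...), builds a constructed miniature of that tree with placeholder contents (no real libmspack sources or CVE samples), and uses hypothetical helper names (gem_ext_files, ext_files_from_disk, leaked_test_files, build_sample_tree):

```ruby
require 'tmpdir'
require 'fileutils'

# Added example, not from ruby-libmspack: path prefixes to drop from the gem's
# file list. The upstream libmspack test tree holds CVE regression samples
# (deliberately malformed CAB/CHM files) that anti-virus engines flag, and the
# gem never runs those tests, so shipping them only produces false positives.
EXCLUDED_PREFIXES = ['ext/libmspack/test/'].freeze

# Filter a list of relative paths (what Dir.glob('ext/**/*') returns) down to
# what belongs in the gem: everything outside the excluded prefixes.
def gem_ext_files(candidate_paths)
  candidate_paths.reject do |path|
    EXCLUDED_PREFIXES.any? { |prefix| path.start_with?(prefix) }
  end.sort
end

# Collect the packaged ext/ files from a checkout on disk. In the gemspec the
# equivalent one-liner is:
#   spec.files += Dir.glob('ext/**/*').select { |f| File.file?(f) }
#                    .reject { |f| f.start_with?('ext/libmspack/test/') }
def ext_files_from_disk(root)
  Dir.chdir(root) do
    gem_ext_files(Dir.glob('ext/**/*').select { |f| File.file?(f) })
  end
end

# Release-time check: report any packaged path that still passes through a
# directory named test or test_files (an empty result means the gem is clean).
def leaked_test_files(packaged_paths)
  packaged_paths.select do |path|
    (path.split('/') & %w[test test_files]).any?
  end
end

# Constructed miniature of the checkout layout (file names mirror the issue
# report; contents are placeholders, not real libmspack sources or samples).
def build_sample_tree(root)
  files = [
    'ext/libmspack/extconf.rb',
    'ext/libmspack/libmspack/mspack/cabd.c',
    'ext/libmspack/test/cabd_test.c',
    'ext/libmspack/test/test_files/chmd/cve-2015-4468-namelen-bounds.chm',
    'ext/libmspack/test/test_files/chmd/cve-2017-6419-lzx-negative-spaninfo.chm'
  ]
  files.each do |rel|
    FileUtils.mkdir_p(File.join(root, File.dirname(rel)))
    File.write(File.join(root, rel), "placeholder\n")
  end
  files
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |root|
    build_sample_tree(root)
    packaged = ext_files_from_disk(root)
    puts "packaged: #{packaged.inspect}"
    puts "leaked test files: #{leaked_test_files(packaged).inspect}"
  end
end
```

Running leaked_test_files over the unfiltered glob of the sample tree reports all three test paths; over the filtered list it reports none, which is the condition a release script would assert before gem build.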

ronaldtse commented 2 years ago

@davispuh I've created a PR at #3 to fix this issue. Thanks!

davispuh commented 2 years ago

Merged with update and released v0.10.1.2

ronaldtse commented 2 years ago

Thank you @davispuh !