sup-heliotrope / sup

A curses threads-with-tags style email client (mailing list: supmua@googlegroups.com)
http://sup-heliotrope.github.io
GNU General Public License v2.0

sup-mail_1.0.orig.tar.gz #592

Closed colmut01 closed 3 years ago

colmut01 commented 3 years ago

Hello,

Apologies if this is duplicated.

A recent AV scan on sup-mail_1.0.orig.tar.gz has identified an iframe exploit; please see the VirusTotal page for this: https://www.virustotal.com/gui/file/00b996352d571ae9cabdab9638f10518d4072fd7970ef694ed96c8f990df77aa/detection

Can you please advise if this is benign or if it needs to be addressed?

Kind regards

danc86 commented 3 years ago

I assume the file in question is the sup 1.0 source tarball?

Given that the antivirus engines are all proprietary (with the exception of ClamAV) and they don't generally disclose what fingerprints or triggers they use to identify "viruses", there's no real way to know why they are complaining about the tarball. We keep some examples of malformed spam messages in the sup test suite, to test that we correctly handle them. The test messages are included in the source tarball along with the rest of the test suite and test data. My best guess is that the antivirus engines are tripping up on one of those malformed messages.

If that's the case, it's a false positive. The messages in the test suite are only used by the test suite, they are not loaded by sup itself when you run it, so there is no concern there.

Also, sup is a console mail client so it does not make sense that it could exploit (or be exploited by) some vulnerability in handling of <iframe> in web browsers. If you are at all concerned, just don't configure sup to open anything in your web browser.

I would recommend never opening any HTML emails in your browser regardless. No good can come of HTML-formatted email.
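A way to check the "it's probably a test message" hypothesis yourself, as an added example that is not part of the issue thread and not sup's own code: confirm the SHA-256 of the tarball you have matches the hash in the VirusTotal URL, then read every member of the tarball in memory (never extracting to disk, so a hostile member name cannot escape the working directory) and report which files contain an `<iframe` tag and whether they sit under a test directory. The sample tarball is constructed inline; the assumption that sup keeps its test data under `test/` is mine, not something the thread states, and the `test_prefixes` parameter lets you adjust it.

```python
import hashlib
import io
import re
import tarfile

# Constructed sample tarball contents (not the real sup-mail_1.0.orig.tar.gz):
# one malformed spam message in the test suite that carries an <iframe>,
# and one ordinary source file that does not.
SAMPLE_MEMBERS = {
    "sup-1.0/test/messages/malformed-iframe-spam.eml": (
        b"From: spammer@example.invalid\r\n"
        b"Subject: hello\r\n"
        b"Content-Type: text/html\r\n"
        b"\r\n"
        b'<html><body><IFRAME src="http://example.invalid/" width=0 height=0>'
        b"</IFRAME></body></html>\r\n"
    ),
    "sup-1.0/lib/sup.rb": b"module Redwood\n  VERSION = '1.0'\nend\n",
}

IFRAME_RE = re.compile(rb"<\s*iframe\b", re.IGNORECASE)
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # skip anything huge; a decompression bomb is not worth reading


def build_tarball(members):
    """Build a .tar.gz in memory from {name: bytes}; used for the constructed sample."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    """Hash of the whole archive, to compare with the hash in the VirusTotal URL."""
    return hashlib.sha256(data).hexdigest()


def find_iframe_members(tar_bytes, pattern=IFRAME_RE):
    """Return {member_name: [1-based line numbers]} for regular files whose
    content matches pattern. Members are read via extractfile(), so nothing is
    written to disk and member names like '../etc/cron.d/x' are harmless here."""
    hits = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or member.size > MAX_MEMBER_BYTES:
                continue
            fh = tar.extractfile(member)
            if fh is None:
                continue
            data = fh.read()
            lines = [i + 1 for i, line in enumerate(data.splitlines())
                     if pattern.search(line)]
            if lines:
                hits[member.name] = lines
    return hits


def classify(hits, test_prefixes=("test/",)):
    """Split matching members into those under an assumed test-data directory
    (data the test suite reads, not code the program loads) and everything else.
    The leading 'sup-1.0/' style top-level directory is stripped before checking."""
    in_tests, elsewhere = [], []
    for name in hits:
        parts = name.split("/", 1)
        rel = parts[1] if len(parts) == 2 else name
        (in_tests if rel.startswith(test_prefixes) else elsewhere).append(name)
    return sorted(in_tests), sorted(elsewhere)


if __name__ == "__main__":
    import sys
    # Usage: python triage_tarball.py [path/to/tarball.tar.gz]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            archive = f.read()
    else:
        archive = build_tarball(SAMPLE_MEMBERS)
    print("sha256:", sha256_hex(archive))
    hits = find_iframe_members(archive)
    in_tests, elsewhere = classify(hits)
    for name in in_tests:
        print("test data  :", name, "lines", hits[name])
    for name in elsewhere:
        print("OUTSIDE tests:", name, "lines", hits[name])
```

If every match lands under the test directory, the detection is consistent with the explanation given above; a match outside it (for example under `lib/`) is the case that would deserve a closer look at the file in question.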