From 2c7860f2bbf1b52f6fe6349bea7a4230c88c3cdf Mon Sep 17 00:00:00 2001
From: "Stiliyan Tonev (Bark)"
Date: Fri, 12 Jul 2024 16:57:09 +0300
Subject: [PATCH] fix: Issue with `--fail-if-cvd-older-than` and non-CVD database files
Clamscan and ClamD will throw an error if you use the '--fail-if-cvd-older-than=DAYS' / 'FailIfCvdOlderThan' option and try to load any plaintext signature files. That is, it throws an error when encountering plain signature files like `.ign2`, `.ldb`, `.hdb`, etc. This feature should only verify CVD / CLD files. The feature (and bug) was introduced in ClamAV 1.1.0, here: https://github.com/Cisco-Talos/clamav/commit/e4fe6654c1618bacf3bff9ed64c52615c8c53a97 With this change, the `cl_cvdgetage` checks will skip any file that is not a CVD or CLD.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1174
---
 clamscan/manager.c | 9 +++++++++
 libclamav/cvd.c | 2 +-
 libclamav/readdb.h | 8 ++++++++
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/clamscan/manager.c b/clamscan/manager.c
index db3a8f46b6..3c2c03c0a0 100644
--- a/clamscan/manager.c
+++ b/clamscan/manager.c
@@ -1251,6 +1251,15 @@ int scanmanager(const struct optstruct *opts)
 if ((opt = optget(opts, "database"))->active) {
 while (opt) {
 if (optget(opts, "fail-if-cvd-older-than")->enabled) {
+ if (LSTAT(opt->strarg, &sb) == -1) {
+ logg(LOGG_ERROR, "Can't access database directory/file: %s\n", opt->strarg);
+ ret = 2;
+ goto done;
+ }
+ if(!S_ISDIR(sb.st_mode) && !CLI_DBEXT_SIGNATURE(opt->strarg)) {
+ opt = opt->nextarg;
+ continue;
+ }
 if (check_if_cvd_outdated(opt->strarg, optget(opts, "fail-if-cvd-older-than")->numarg) != CL_SUCCESS) {
 ret = 2;
 goto done;
diff --git a/libclamav/cvd.c b/libclamav/cvd.c
index 5003de9ce4..6d54dc7998 100644
--- a/libclamav/cvd.c
+++ b/libclamav/cvd.c
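Review bot: In the clamscan/manager.c hunk, the new `opt = opt->nextarg; continue;` branch leaves the whole iteration rather than just the age check, so if the rest of the `while (opt)` body (outside this hunk) is what loads `opt->strarg`, a plaintext database passed with `--database` is silently not loaded whenever `--fail-if-cvd-older-than` is set, and the scan runs with fewer signatures than the operator asked for. Guarding only the check avoids that: `if ((S_ISDIR(sb.st_mode) || CLI_DBEXT_SIGNATURE(opt->strarg)) && check_if_cvd_outdated(opt->strarg, optget(opts, "fail-if-cvd-older-than")->numarg) != CL_SUCCESS) {`. Separately, if `LSTAT` does not follow symlinks, a `--database` path that is a symlink to a directory fails `S_ISDIR` and is skipped with no age check at all; `CLAMSTAT(opt->strarg, &sb)` would test the link target instead.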
@@ -851,7 +851,7 @@ cl_error_t cl_cvdgetage(const char *path, time_t *age_seconds)
 if (!strcmp(dent->d_name, ".") || !strcmp(dent->d_name, ".."))
 continue;
- if (!CLI_DBEXT(dent->d_name))
+ if (!CLI_DBEXT_SIGNATURE(dent->d_name))
 continue;
 if (ends_with_sep)
diff --git a/libclamav/readdb.h b/libclamav/readdb.h
index d5742e62c5..a353e2a7bc 100644
--- a/libclamav/readdb.h
+++ b/libclamav/readdb.h
@@ -81,6 +81,10 @@ struct cli_matcher;
 cli_strbcasestr(ext, ".ign") || \
 cli_strbcasestr(ext, ".ign2") || \
 cli_strbcasestr(ext, ".imp"))
+#define CLI_DBEXT_SIGNATURE(ext) \
+ ( \
+ cli_strbcasestr(ext, ".cvd") || \
+ cli_strbcasestr(ext, ".cld"))
 #else
 #define CLI_DBEXT(ext) \
 ( \
@@ -120,6 +124,10 @@ struct cli_matcher;
 cli_strbcasestr(ext, ".ign") || \
 cli_strbcasestr(ext, ".ign2") || \
 cli_strbcasestr(ext, ".imp"))
+#define CLI_DBEXT_SIGNATURE(ext) \
+ ( \
+ cli_strbcasestr(ext, ".cvd") || \
+ cli_strbcasestr(ext, ".cld"))
 #endif
 char *cli_virname(const char *virname, unsigned int official);
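Review bot: With the filter in the libclamav/cvd.c hunk narrowed to `CLI_DBEXT_SIGNATURE`, a directory that holds no `.cvd`/`.cld` file now skips every entry in this loop, and nothing visible here shows what `*age_seconds` holds or which status `cl_cvdgetage` returns in that case. If the function reports success with the output untouched, a database directory that has lost its CVDs would pass the `--fail-if-cvd-older-than` gate instead of failing it, so the "nothing matched" path should be confirmed in the part of the function outside this hunk. The new contract should also be documented at the filter, for example `/* Only .cvd/.cld carry a build time; other database files are skipped and contribute no age. */`.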
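Review bot: The name `CLI_DBEXT_SIGNATURE` in the first libclamav/readdb.h hunk reads as "signature file", which is the term the commit message uses for the plaintext `.ign2`/`.ldb`/`.hdb` files this macro is meant to exclude; it matches only the `.cvd`/`.cld` containers. A name such as `CLI_DBEXT_CVD` or a comment like `/* True for CVD/CLD database archives only; used by the database age check. */` would stop a later caller from picking the wrong filter. The identical definition is repeated in the `#else` branch by the second hunk (`@@ -120,6 +124,10 @@`); since it does not differ between the branches, it could be defined once after the `#endif`.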