pkgsrc-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

security/clamav: freshclam patch to avoid leaking proxy ip address


freshclam may leak the ip address of a proxy server configured with
"HTTPProxyServer" via DNS requests:

    # /opt/pkgsrc/bin/freshclam --verbose
    Current working dir is /opt/pkgsrc/var/clamav
    Max retries == 3
    ClamAV update process started at Wed May  7 12:45:31 2014
    Using IPv6 aware code
    TTL: 1383
    Software version from DNS: 0.98.1
    main.cvd version from DNS: 55
    Connecting via
    main.cld is up to date (version: 55, sigs: 2424225, f-level: 60, builder: 
    Connecting via
    Trying to download (IP:
    Downloading daily.cvd [100%]
    Loading signatures from daily.cvd
    Properly loaded 935474 signatures from new daily.cvd
    daily.cvd updated (version: 18937, sigs: 935468, f-level: 63, builder: neo)
=>  Querying
    bytecode.cvd version from DNS: 236
    Connecting via
    Trying to download (IP:
    Downloading bytecode-236.cdiff [100%]
    cdiff_apply: Parsed 6 lines and executed 6 commands
    Loading signatures from bytecode.cld
    Properly loaded 43 signatures from new bytecode.cld
    bytecode.cld updated (version: 236, sigs: 43, f-level: 63, builder: 
=>  Querying
    Database updated (3359736 signatures) from
    Clamd successfully notified about the update.

Here, proxy ip address is = 0xD4522008. Apparently this is a
bug, it should instead be the hex ip address of the clamav mirror used.

Bug is filed upstream
( and scheduled to be
fixed in 0.98.5

I have attached a crude patch that entirely disables this type of mirror
stat collection (can't be done in freshclam.conf).

If you don't like your internal proxy addresses exposed, you might
want to put this patch into your $LOCALPATCHES directory.

Matthias Ferdinand
$NetBSD$ (requires login)

mirror_stats leak internal http proxy ip addresses via dns query;
scheduled to be fixed in 0.98.5

--- freshclam/manager.c.orig    2014-01-13 17:02:18.000000000 +0000
+++ freshclam/manager.c
@@ -2071,7 +2071,7 @@ updatedb (const char *dbname, const char
     if (cli_strbcasestr (hostname, ""))
-        mirror_stats = 1;
+        mirror_stats = 0;
     snprintf (cvdfile, sizeof (cvdfile), "%s.cvd", dbname);
     snprintf (cldfile, sizeof (cldfile), "%s.cld", dbname);

Home | Main Index | Thread Index | Old Index