american-fuzzy-lop contains exploit samples which trigger ClamAV

(Thanks to Patrick for bringing this issue to my attention.)

American Fuzzy Lop ("afl", Fedora package american-fuzzy-lop) is an
instrumentation-driven fuzzer for binary formats. ClamAV is a
(Windows?) virus scanner.

Afl's documentation comes with some demonstration vulnerabilities found
by afl. These are shipped in the source tarball and SRPM and also
installed as a %doc section in the binary

Unfortunately some of these samples trigger ClamAV
"Win.Exploit.CVE_2015_0076-1 FOUND".

In this particular case it appears to be one or more of these files:


which contain a badly formatted JPEG XR file that triggered a mild CVE
in Windows:


(so this is not a false positive or over-active virus scanner).

I'm inclined to ignore this and point people to this posting if there
are any bugs filed. But maybe there is some Fedora policy which
applies here?



Re: american-fuzzy-lop contains exploit samples which trigger Cl

By =?ISO-8859-1?Q?... at 11/13/2017 - 10:44

On Mon, 2017-11-13 at 14:25 +0000, Richard W.M. Jones wrote:
I'm the clamav packager maintainer. Is anything related with these 2
CVE(s) [1]?

I was waiting for a new stable release.



Re: american-fuzzy-lop contains exploit samples which trigger Cl

By Richard W.M. Jones at 11/13/2017 - 13:06

On Mon, Nov 13, 2017 at 02:44:14PM +0000, Sérgio Basto wrote:
No I don't think so. It's not an exploit in ClamAV, it's an exploit
in Windows that ClamAV is identifying (correctly).