american-fuzzy-lop contains exploit samples which trigger ClamAV

(Thanks to Patrick for bringing this issue to my attention.)

American Fuzzy Lop ("afl", Fedora package american-fuzzy-lop) is an
instrumentation-driven fuzzer for binary formats. ClamAV is a
(Windows?) virus scanner.

Afl's documentation comes with some demonstration vulnerabilities found
by afl. These are shipped in the source tarball and SRPM and also
installed as a %doc section in the binary
(/usr/share/doc/american-fuzzy-lop/vuln_samples/).

Unfortunately some of these samples trigger ClamAV
"Win.Exploit.CVE_2015_0076-1 FOUND".

In this particular case it appears to be one or more of these files:

jxrlib-crash2.jxr
jxrlib-crash3.jxr
jxrlib-crash4.jxr
jxrlib-crash.jxr
msie-jxr-mem-leak.jxr

which contain a badly formatted JPEG XR file that triggered a mild CVE
in Windows:

https://technet.microsoft.com/en-us/library/security/ms15-029.aspx

(so this is not a false positive or over-active virus scanner).

I'm inclined to ignore this and point people to this posting if there
are any bugs filed. But maybe there is some Fedora policy which
applies here?

Rich.

Comments

Re: american-fuzzy-lop contains exploit samples which trigger Cl

By =?ISO-8859-1?Q?... at 11/13/2017 - 09:44

On Mon, 2017-11-13 at 14:25 +0000, Richard W.M. Jones wrote:
I'm the clamav package maintainer. Is anything related to these 2
CVE(s) [1]?

I was waiting for a new stable release.

Thanks,

[1]
https://bugzilla.redhat.com/show_bug.cgi?id=1483911
https://bugzilla.redhat.com/show_bug.cgi?id=1472778