fix: Issue with --fail-if-cvd-older-than and non-CVD database files

Clamscan and ClamD will throw an error if you use the '--fail-if-cvd-older-than=DAYS' / 'FailIfCvdOlderThan' option and try to load any plaintext signature files. That is, it throws an error when encountering plain signature files like `.ign2`, `.ldb`, `.hdb`, etc. This feature should only verify CVD / CLD files. The feature (and bug) was introduced in ClamAV 1.1.0, here: e4fe665 With this change, the `cl_cvdgetage` checks will skip any file that is not a CVD or CLD. Fixes: #1174
Cisco-Talos · Jul 23, 2024 · 2c7860f · 2c7860f
1 parent 2a5241a
commit 2c7860f
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 1 deletion.
diff --git a/clamscan/manager.c b/clamscan/manager.c
@@ -1251,6 +1251,15 @@ int scanmanager(const struct optstruct *opts)
     if ((opt = optget(opts, "database"))->active) {
         while (opt) {
             if (optget(opts, "fail-if-cvd-older-than")->enabled) {
+                if (LSTAT(opt->strarg, &sb) == -1) {
+                    logg(LOGG_ERROR, "Can't access database directory/file: %s\n", opt->strarg);
+                    ret = 2;
+                    goto done;
+                }
+                if(!S_ISDIR(sb.st_mode) && !CLI_DBEXT_SIGNATURE(opt->strarg)) {
+                    opt = opt->nextarg;
+                    continue;
+                }
                 if (check_if_cvd_outdated(opt->strarg, optget(opts, "fail-if-cvd-older-than")->numarg) != CL_SUCCESS) {
                     ret = 2;
                     goto done;

diff --git a/libclamav/cvd.c b/libclamav/cvd.c
@@ -851,7 +851,7 @@ cl_error_t cl_cvdgetage(const char *path, time_t *age_seconds)
         if (!strcmp(dent->d_name, ".") || !strcmp(dent->d_name, ".."))
             continue;
 
-        if (!CLI_DBEXT(dent->d_name))
+        if (!CLI_DBEXT_SIGNATURE(dent->d_name))
             continue;
 
         if (ends_with_sep)

diff --git a/libclamav/readdb.h b/libclamav/readdb.h
@@ -81,6 +81,10 @@ struct cli_matcher;
         cli_strbcasestr(ext, ".ign") ||  \
         cli_strbcasestr(ext, ".ign2") || \
         cli_strbcasestr(ext, ".imp"))
+#define CLI_DBEXT_SIGNATURE(ext)         \
+    (                                    \
+        cli_strbcasestr(ext, ".cvd") ||  \
+        cli_strbcasestr(ext, ".cld"))
 #else
 #define CLI_DBEXT(ext)                   \
     (                                    \
@@ -120,6 +124,10 @@ struct cli_matcher;
         cli_strbcasestr(ext, ".ign") ||  \
         cli_strbcasestr(ext, ".ign2") || \
         cli_strbcasestr(ext, ".imp"))
+#define CLI_DBEXT_SIGNATURE(ext)         \
+    (                                    \
+        cli_strbcasestr(ext, ".cvd") ||  \
+        cli_strbcasestr(ext, ".cld"))
 #endif
 
 char *cli_virname(const char *virname, unsigned int official);