
Re: ClamAV And unrar - Bug #465207



On Wednesday 27 February 2008, Nick Boyce wrote:
> But it seems to me that simply enabling the --unrar parameter of
> clamscan would not entail incorporating or distributing any unrar
> code at all - the code to parse the --unrar parameter and call the
> non-free unrar binary if specified surely belongs to ClamAV alone ?
>
> Thus the ClamAV package(s) could remain pure and free, while
> individual sysadmins could make their own decision about whether to
> install the non-free unrar binary package, and then request that
> clamscan call it.

Note that unrar-nonfree has no security support (like all packages in
non-free). Using it to automatically process potentially malicious
content is a bad idea, IMHO. In fact, unrar-nonfree in stable had a
security issue until the release of etch r3 (CVE-2007-0855).

Cheers,
Stefan

