Re: ClamAV And unrar - Bug #465207
On Wednesday 27 February 2008, Nick Boyce wrote:
> But it seems to me that simply enabling the --unrar parameter of
> clamscan would not entail incorporating or distributing any unrar
> code at all - the code to parse the --unrar parameter and call the
> non-free unrar binary if specified surely belongs to ClamAV alone?
> Thus the ClamAV package(s) could remain pure and free, while
> individual sysadmins could make their own decision about whether to
> install the non-free unrar binary package, and then request that
> clamscan call it.
Note that unrar-nonfree has no security support (like all packages in
non-free). Using it to automatically process potentially malicious
content is a bad idea, IMHO. In fact, unrar-nonfree in stable had a
security issue until the release of etch r3 (CVE-2007-0855).