
Bug#812325: amavisd-new fails recognizing viruses on non-English systems if the AV scanner writes localized messages to stdout



Package: amavisd-new
Severity: important
Version: 1:2.10.1-1
X-Debbugs-Cc: debian-security@lists.debian.org

Dear maintainer(s),

Together with a customer, I stumbled over a nasty issue in the jessie (and currently also testing/unstable) amavisd-new package in Debian (and probably also in earlier versions of the package).

On Debian systems, the amavisd process (using SystemV here, but probably also using systemd) gets launched with the system-wide settings for the LANG and LC_* env variables. In our case, amavisd runs in German (de_DE.UTF-8).

The environment settings of amavis are then passed on to the invoked virus scanner applications. In our case savscan (Sophos Anti-Virus).

The recent version of Sophos Antivirus for Linux has been localized. If a virus gets detected by savscan, I see this on my (German) screen:

"""
Virus 'Troj/DocDl-AUK' gefunden in Datei .Junk/cur/1453286635.M577163P24063.office.testdomain.de,S=34583,W=35093:2,Sab/RECHNUNG48122217.doc
Virus 'Mal/Phish-A' gefunden in Datei .Junk/cur/1453304872.M447841P9753.office.testdomain.de,S=363101,W=367859:2,Sb/DHL_RECEIPT_TRACKING_s (1).pdf
Virus 'Mal/Phish-A' gefunden in Datei .Junk/cur/1453304872.M447607P9756.office.testdomain.de,S=363071,W=367829:2,Sb/DHL_RECEIPT_TRACKING_s (1).pdf
Virus 'Troj/DocDl-AVA' gefunden in Datei .Junk/cur/1453372769.M405056P9872.office.testdomain.de,S=70734,W=71737:2,Sab/Invoice_316103_Jul_2013.doc
Virus 'Troj/DocDl-AVA' gefunden in Datei .Junk/cur/1453373095.M639960P7529.office.testdomain.de,S=70734,W=71737:2,Sab/Invoice_316103_Jul_2013.doc
Virus 'Mal/Phish-A' gefunden in Datei .Junk/cur/1453235831.M554201P24002.office.testdomain.de,S=11275,W=11481:2,Sb/DHL-Details-PDF.htm
"""

As you can see, the AV scanner's stdout text is localized (German).

However, the regexp for discovering a virus when using savscan is this:

"""
### http://www.sophos.com/
['Sophos Anti Virus (savscan)', 'savscan',
  '-nmbr -nbs -nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
  '--no-reset-atime {}',
  [0,2], qr/Virus .*? found/m,
  qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
],
# # other options to consider: -idedir=/usr/local/sav
"""

As you can see, the regexp scans for the English expression "Virus .*? found". All of the above virus mails passed amavisd-new and ended up in the user's INBOX on the customer's server.


The issue here is hidden in the init script of the amavisd-new package in Debian. Upstream recommends this in their documentation's "Tips and FAQ -- general" section:

"""
It is best to run amavisd-new in a non-UTF8 locale environment. Either adjust the settings in /etc/sysconfig/i18n (Linux), or set environment variables LANG and LC_ALL to "C" or "en_US" (instead of "en_US.UTF-8") when starting amavisd-new daemon. Depending on the shell used, one may start amavisd-new by (with Bourne or compatible shell):

    # su - vscan -c 'LANG=C LC_ALL=C /usr/local/sbin/amavisd'

or the long way:

    # su - vscan
    $ export LANG; export LC_ALL; LANG=C; LC_ALL=C
    $ /usr/local/sbin/amavisd
"""

Please consider applying this change (launch amavisd with LANG=C) to amavisd-new in Debian testing/stretch and also possibly via security.debian.org in older releases of Debian. (Feedback from the security team is appreciated on this).

Thanks,
Mike

--

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40das-netzwerkteam.de

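The failure mode in this report, as an added example that is not amavisd-new code or part of the bug report: the two savscan regexes from the @av_scanners entry above, transliterated from Perl qr// to Python, applied to the German output quoted above and to a constructed English sample in the shape the name regex expects, plus the locale sanitizing upstream recommends for the scanner's environment. The "virus found" exit status 3 and the English sample lines are assumptions, not taken from the page.

```python
import re

# amavisd-new's savscan entry (quoted in the report): [0,2] are the "clean" exit statuses,
# the first regex is the "infected" indicator, the second extracts the virus name.
SAVSCAN_CLEAN_STATUSES = (0, 2)
SAVSCAN_INFECTED_RE = re.compile(r"Virus .*? found", re.M)
SAVSCAN_NAME_RE = re.compile(r"^>>> Virus(?: fragment)? '?(.*?)'? found", re.M)

# Constructed English output (savscan running under LANG=C); assumed shape, not from the page.
SAVSCAN_OUTPUT_C = (
    ">>> Virus 'Troj/DocDl-AUK' found in file /var/lib/amavis/tmp/parts/p001\n"
    ">>> Virus fragment 'Mal/Phish-A' found in file /var/lib/amavis/tmp/parts/p002\n"
)

# Two of the localized (de_DE.UTF-8) lines quoted in the report.
SAVSCAN_OUTPUT_DE = (
    "Virus 'Troj/DocDl-AUK' gefunden in Datei .Junk/cur/1453286635.M577163P24063.office.testdomain.de,S=34583,W=35093:2,Sab/RECHNUNG48122217.doc\n"
    "Virus 'Mal/Phish-A' gefunden in Datei .Junk/cur/1453304872.M447841P9753.office.testdomain.de,S=363101,W=367859:2,Sb/DHL_RECEIPT_TRACKING_s (1).pdf\n"
)

def savscan_verdict(exit_status, output):
    """Model amavisd-new's decision for this entry: the infected regex wins, otherwise a clean
    exit status means CLEAN, anything else is an unrecognized scanner result (no virus hit).
    Returns (True/False/None, [virus names])."""
    if SAVSCAN_INFECTED_RE.search(output):
        return True, SAVSCAN_NAME_RE.findall(output) or ["UNKNOWN"]
    if exit_status in SAVSCAN_CLEAN_STATUSES:
        return False, []
    return None, []  # localized output lands here: the detection is silently lost

def scanner_env(parent_env):
    """Environment for launching the AV scanner: drop every locale variable inherited from
    the init script and force the C locale, as upstream's FAQ recommends for amavisd."""
    env = {k: v for k, v in parent_env.items()
           if k not in ("LANG", "LANGUAGE") and not k.startswith("LC_")}
    env["LANG"] = "C"
    env["LC_ALL"] = "C"
    return env

def locale_is_safe(env):
    """True if this environment yields untranslated (C/POSIX) scanner messages."""
    if env.get("LC_ALL"):
        return env["LC_ALL"] in ("C", "POSIX")
    return env.get("LANG", "C") in ("C", "POSIX")
```

With the German output, exit status 3 (assumed here to be savscan's "virus found" status) never reaches the infected branch, so the sample messages are not classified as infected, which is the behaviour the report describes.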