@@ -1,3 +1,10 @@

+Mon May 10 12:25:09 BST 2004 (njh)

+----------------------------------

+  * libclamav:		Don't call cli_filetype() so often since it gives

+  		false positives about the start of bounce messages which

+		opens up DoS attacks, and allows worms hidden in bounce

+		messages to be hidden with ease

+

 Mon May 10 02:43:32 CEST 2004 (tk)

 ----------------------------------

   * clamscan, sigtool: compare clamav.conf's DatabaseDirectory against the

@@ -17,6 +17,9 @@

  *

  * Change History:

  * $Log: mbox.c,v $

+ * Revision 1.70  2004/05/10 11:24:18  nigelhorne

+ * Handle bounce message false positives

+ *

  * Revision 1.69  2004/05/06 11:26:49  nigelhorne

  * Force attachments marked as RFC822 messages to be scanned

  *

@@ -198,7 +201,7 @@

  * Compilable under SCO; removed duplicate code with message.c

  *

  */

-static	char	const	rcsid[] = "$Id: mbox.c,v 1.69 2004/05/06 11:26:49 nigelhorne Exp $";

+static	char	const	rcsid[] = "$Id: mbox.c,v 1.70 2004/05/10 11:24:18 nigelhorne Exp $";

 #if HAVE_CONFIG_H

 #include "clamav-config.h"

@@ -1432,26 +1435,28 @@ parseEmailBody(message *messageIn, blob **blobsIn, int nBlobs, text *textIn, con

 					}

 					blobDestroy(b);

 				}

-			} else if((encodingLine(mainMessage) != NULL) &&

-				  ((t_line = bounceBegin(mainMessage)) != NULL)) {

-				/*

-				 * Attempt to save the original (unbounced)

-				 * message - clamscan will find that in the

-				 * directory and call us again (with any luck)

-				 * having found an e-mail message to handle

-				 */

-				if((b = textToBlob(t_line, NULL)) != NULL) {

-					cli_dbgmsg("Found a bounce message\n");

-

-					saveFile(b, dir);

-

-					blobDestroy(b);

-				}

 			} else {

 				bool saveIt;

+				bool savedBounce = FALSE;

 				cli_dbgmsg("Not found uuencoded file\n");

+				if((encodingLine(mainMessage) != NULL) &&

+				   ((t_line = bounceBegin(mainMessage)) != NULL))

+					/*

+					 * Attempt to save the original (unbounced)

+					 * message - clamscan will find that in the

+					 * directory and call us again (with any luck)

+					 * having found an e-mail message to handle

+					 */

+					if((b = textToBlob(t_line, NULL)) != NULL) {

+						cli_dbgmsg("Found a bounce message\n");

+

+						saveFile(b, dir);

+

+						blobDestroy(b);

+						savedBounce = TRUE;

+					}

 				if(messageGetMimeType(mainMessage) == MESSAGE)

 					/*

 					 * Quick peek, if the encapsulated

@@ -1465,7 +1470,7 @@ parseEmailBody(message *messageIn, blob **blobsIn, int nBlobs, text *textIn, con

 					 * Some bounces include the message

 					 * body without the headers

 					 */

-					if((b = blobCreate()) != NULL) {

+					if((!savedBounce) && ((b = blobCreate()) != NULL)) {

 						cli_dbgmsg("Found a bounce message with no header\n");

 						blobAddData(b, "Received: by clamd\n", 19);

@@ -17,6 +17,9 @@

  *

  * Change History:

  * $Log: message.c,v $

+ * Revision 1.55  2004/05/10 11:24:18  nigelhorne

+ * Handle bounce message false positives

+ *

  * Revision 1.54  2004/05/06 18:01:25  nigelhorne

  * Force attachments marked as RFC822 messages to be scanned

  *

@@ -159,7 +162,7 @@

  * uuencodebegin() no longer static

  *

  */

-static	char	const	rcsid[] = "$Id: message.c,v 1.54 2004/05/06 18:01:25 nigelhorne Exp $";

+static	char	const	rcsid[] = "$Id: message.c,v 1.55 2004/05/10 11:24:18 nigelhorne Exp $";

 #if HAVE_CONFIG_H

 #include "clamav-config.h"

@@ -735,6 +738,15 @@ messageAddLine(message *m, const char *line, int takeCopy)

 	/*

 	 * See if this line marks the start of a non MIME inclusion that

 	 * will need to be scanned

+	 *

+	 * Notes that X- lines are not taken as start of mails because

+	 * cli_filetype() is too keen: any line it finds that starts X-

+	 * is seen to be the start of a new message, which results in too

+	 * many false positives for locating the possible start of a bounce,

+	 * and allows some instances of Worm.SomeFool.Gen-1 to get through in

+	 * bounce messages which end up not being correctly handled because

+	 * the real start of a bounce header is missed because of the earlier

+	 * false positive

 	 */

 	if(line) {

 		if((m->encoding == NULL) &&

@@ -742,6 +754,7 @@ messageAddLine(message *m, const char *line, int takeCopy)

 		   (strstr(line, "7bit") == NULL))

 			m->encoding = m->body_last;

 		else if((m->bounce == NULL) &&

+			(strncmp(line, "X-", 2) != 0) &&	/*!!*/

 			(cli_filetype(line, strlen(line)) == CL_MAILFILE))

 				m->bounce = m->body_last;

 		else if((m->binhex == NULL) &&