Merge pull request #1415 from micahsnyder/CLAM-2628-Fix-CVD-dsig-veri…

…fication-when-hash-starts-with-zero Fix CVD dsig verification when hash starts with zeros
Cisco-Talos · Jan 12, 2025 · 7df9f85 · 7df9f85
2 parents 7f60cc7 + 4d389f3
commit 7df9f85
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 6 deletions.
diff --git a/libclamav/dsig.c b/libclamav/dsig.c
@@ -88,7 +88,7 @@ static unsigned char *cli_decodesig(const char *sig, unsigned int plen, BIGNUM *
     BIGNUM *r = NULL, *p = NULL, *c = NULL;
     BN_CTX *bn_ctx = NULL;
     unsigned int bn_bytes;
-    ;
+    unsigned char *plain_offset = NULL;
 
     r = BN_new();
     if (!r) {
@@ -144,9 +144,12 @@ static unsigned char *cli_decodesig(const char *sig, unsigned int plen, BIGNUM *
         cli_errmsg("cli_decodesig: Can't allocate memory for 'plain'\n");
         goto done;
     }
-    if (!BN_bn2bin(p, plain)) {
-        goto done;
-    }
+
+    // If bn_bytes is smaller than plen, we need to offset the plain buffer.
+    // If we didn't, then a hash that should start with 00 would end with 00 instead.
+    plain_offset = plain + plen - bn_bytes;
+
+    BN_bn2bin(p, plain_offset);
 
     ret_sig = plain;
     plain   = NULL;

diff --git a/sigtool/sigtool.c b/sigtool/sigtool.c
@@ -1155,6 +1155,20 @@ static int build(const struct optstruct *opts)
         free(tarfile);
         return -1;
     }
+
+    // Check if the MD5 starts with 00. If it does, we'll return CL_ELAST_ERROR. The caller may try again for better luck.
+    // This is to avoid a bug in hash verification with ClamAV 1.1 -> 1.4. The bug was fixed in 1.5.0.
+    // TODO: Remove this workaround when no one is using those versions.
+    if (pt[0] == '0' && pt[1] == '0') {
+        // print out the pt hash
+        mprintf(LOGG_INFO, "The tar.gz MD5 starts with 00, which will fail to verify in ClamAV 1.1 -> 1.4: %s\n", pt);
+        fclose(fh);
+        unlink(tarfile);
+        free(tarfile);
+        free(pt);
+        return CL_ELAST_ERROR;
+    }
+
     rewind(fh);
     sprintf(header + strlen(header), "%s:", pt);
     free(pt);
@@ -3768,9 +3782,15 @@ int main(int argc, char **argv)
         ret = asciinorm(opts);
     else if (optget(opts, "utf16-decode")->enabled)
         ret = utf16decode(opts);
-    else if (optget(opts, "build")->enabled)
+    else if (optget(opts, "build")->enabled) {
         ret = build(opts);
-    else if (optget(opts, "unpack")->enabled)
+        if (ret == CL_ELAST_ERROR) {
+            // build() returns CL_ELAST_ERROR the hash starts with 00. This will fail to verify with ClamAV 1.1 -> 1.4.
+            // Retry the build again to get new hashes.
+            mprintf(LOGG_WARNING, "Retrying the build for a chance at a better hash.\n");
+            ret = build(opts);
+        }
+    } else if (optget(opts, "unpack")->enabled)
         ret = unpack(opts);
     else if (optget(opts, "unpack-current")->enabled)
         ret = unpack(opts);