On Jul 1, 2012, at 10:13 PM, Hydriz Wikipedia wrote:
> As far as I know, the chances are rather slim, because the MediaWiki software has a
> malware checker (I think).
>
> Perhaps we shall see what outputs from the ClamAV checking, before we can know what
> is happening.
MediaWiki supports running ClamAV on upload, but WMF isn't running one.
I used to run multiple checks on uploads to Wikimedia Commons, until the
server where it ran had a disk failure.
AFAIK, there's no extra check being done at all.
On 02/07/12 05:27, Kevin Day wrote:
> I've been having a lot of problems with ClamAV
> crashing, so I've temporarily switched to F-Prot, which *did* find something wrong with
> the earlier mentioned file, as well as two others:
> [Found trojan] <JS/Redir.HY (exact, not disinfectable)>
> /z/public/pub/wikimedia/images/wiktionary/fj/c/c4/citibank-car-loan.pdf
> [Found exploit] <CVE-2009-0658 (not disinfectable)>
> /z/public/pub/wikimedia/images/wikisource/ar/7/7d/الحراب_في_صدر_البهاء_والباب.pdf
> [Found exploit] <CVE-2009-0658 (not disinfectable)>
> /z/public/pub/wikimedia/images/wikisource/ar/b/be/السنة_لابن_حنبل.pdf
> At the rate it's going, it's going to take several days to finish, even with
> several running in parallel. I'll let it finish, but it's looking like at minimum
> there are some old PDFs that have some exploit code in them.
> -- Kevin
Interesting.
I had some really simple code in that project for detecting CVE-2009-0658.
Turns out it would have caught it:
الحراب_في_صدر_البهاء_والباب.pdf PDF uses JBIG2. Beware of the 0-day!
السنة_لابن_حنبل.pdf PDF uses JBIG2. Beware of the 0-day!
Although looking at
http://ar.wikisource.org/wiki/%D9%85%D9%84%D9%81:%D8%A7%D9%84%D8%B3%D9%86%D…
and
http://ar.wikisource.org/wiki/%D9%85%D9%84%D9%81:%D8%A7%D9%84%D8%B3%D9%86%D…,
they could be false positives.
These other files are also malware:
http://ftpmirror.your.org/pub/wikimedia/images/wiktionary/fj/4/4a/quick-mon…
http://ftpmirror.your.org/pub/wikimedia/images/wiktionary/fj/0/01/loan-pers…
Those three files were uploaded by the same user, and are the only files
ever uploaded to fjwiktionary.
You may also find some executables. I remember that someone uploaded
once as proof of concept a wine cmd.exe binary.
There were also people uploading embedded files and other nasty bits,
but they *should* be deleted. Clearly we failed here.
As for Nemo's bug for detecting wrong PDFs, it's a daunting task. You
would need a (quite complete) PDF parser (and it's not a simple
format!). Even worse, CVE-2009-0658 was an Adobe vulnerability parsing
JBIG2 images, so you would need to verify if the file is consistent or
not (OTOH, detecting usage of JBIG2 is simpler).
Thanks, Kevin!
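The "detecting usage of JBIG2 is simpler" check that the thread contrasts with a full PDF parser, written out as an added example. This is not the code from Platonides's scanning project (which is not on this page); the function names, the two constructed sample PDFs and the "inside a compressed object stream" case are all my own. It looks for the /JBIG2Decode filter name, normalises #xx escapes in names so /JBIG2#44ecode is not missed, and inflates PDF 1.5 object streams, since a dictionary stored in an ObjStm is invisible to a plain byte scan. As the thread says, this is a presence heuristic, not a check that the JBIG2 data is consistent: scanned books legitimately use JBIG2, so a hit is a file to inspect, not a verdict.

```python
import re
import sys
import zlib

# A PDF name may encode any byte as #xx, so /JBIG2#44ecode == /JBIG2Decode.
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# The name must end at whitespace or a delimiter (not a regular character),
# so a hypothetical /JBIG2DecodeX would not match.
_JBIG2 = re.compile(rb"/JBIG2Decode(?![^\s/<>\[\]()%{}])")

# Object streams (PDF 1.5+) hold whole object dictionaries inside a stream,
# usually Flate-compressed.  \bstream keeps "endstream" from matching.
_OBJSTM = re.compile(rb"/Type\s*/ObjStm.*?\bstream\r?\n(.*?)\r?\nendstream", re.S)


def _normalise(data):
    """Resolve #xx escapes so name comparisons see the real bytes."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate(body):
    """Inflate a Flate stream body, returning whatever was recoverable."""
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return b""


def pdf_uses_jbig2(data):
    """Return where a JBIG2Decode filter was found (empty list if nowhere).

    Heuristic only: it does not validate the JBIG2 symbol dictionary that
    CVE-2009-0658 abuses, and an encrypted object stream would need to be
    decrypted before this scan could see inside it.
    """
    hits = []
    if _JBIG2.search(_normalise(data)):
        hits.append("top-level /JBIG2Decode filter")
    for m in _OBJSTM.finditer(data):
        # Fall back to the raw body for an uncompressed object stream.
        body = _inflate(m.group(1)) or m.group(1)
        if _JBIG2.search(_normalise(body)):
            hits.append("/JBIG2Decode inside a compressed object stream")
            break
    return hits


def sample_plain(filter_name):
    """Constructed one-object PDF whose image XObject uses filter_name.

    The stream body is four zero bytes, not a real image; only the
    dictionary matters for this check.
    """
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /XObject /Subtype /Image /Width 8 /Height 8"
            b" /ColorSpace /DeviceGray /BitsPerComponent 1 /Filter /" + filter_name +
            b" /Length 4 >>\nstream\n\x00\x00\x00\x00\nendstream\nendobj\n%%EOF\n")


def sample_objstm(filter_name):
    """Constructed PDF 1.5 file with the same image dictionary hidden in a
    Flate-compressed object stream (object 2 at offset 0 of the object area)."""
    inner = (b"<< /Type /XObject /Subtype /Image /Width 8 /Height 8"
             b" /Filter /" + filter_name + b" >>")
    offsets = b"2 0 "
    packed = zlib.compress(offsets + inner)
    return (b"%PDF-1.5\n"
            b"1 0 obj\n<< /Type /ObjStm /N 1 /First " + str(len(offsets)).encode() +
            b" /Filter /FlateDecode /Length " + str(len(packed)).encode() +
            b" >>\nstream\n" + packed + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    # Scan the PDFs named on the command line, in the spirit of the
    # "PDF uses JBIG2. Beware of the 0-day!" output quoted above.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            found = pdf_uses_jbig2(fh.read())
        if found:
            print(path, "PDF uses JBIG2 (" + "; ".join(found) + "). Beware of the 0-day!")
        else:
            print(path, "no JBIG2 filter found")
```

Run it with the paths of a dump directory as arguments; the two Arabic Wikisource scans above would show up the same way a legitimate JBIG2-compressed scan does, which is exactly the false-positive question the thread raises. The object-stream branch is the part a plain `grep JBIG2Decode` misses: a file saved by a modern producer, or deliberately repacked, can keep every image dictionary inside a Flate-compressed ObjStm.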