-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AMaViS Security Announcement

Date:                08/26/2002
affected version(s): AMaViS-0.2.1, if ripMIME is used
                     amavis-perl/amavisd is _NOT_ affected
Vulnerability Type:  eMail worm W32/Klez may not be detected in all cases,
                     second attachment with same name overwrites first one
Priority:            urgent
Solution:            upgrade to amavis-perl/amavisd, or fix the ripMIME call
Author:              Rainer Link
Advisory ID:         ASA-2002-1
- ----------------------------------------------------------------------------

1. Problem description

AMaViS may use ripMIME to split a mail message into parts, i.e. the mail
body and the attachment file(s). The file(s) are written to the directory
/var/tmp/scanmails/unpacked by default. By default, ripMIME may overwrite
existing files, i.e. if a mail contains two attachments with the same file
name, the second one overwrites the first one. If the first attachment was
infected by a virus but the second was not, no virus will be detected.

2. Impact

It is possible that the W32/Klez worm is not detected and an infected
eMail is delivered to the user.

3. Solution

We strongly recommend upgrading to amavis-perl/amavisd, as the development
of the AMaViS 0.2.x branch has been discontinued since July 2001
(http://marc.theaimsgroup.com/?l=amavis-announce&m=99530451203949&w=2).

Alternatively, fix the ripMIME call:

1. Open /usr/sbin/scanmails in your favorite editor

2. Search for the following line

   ${metamail} -d ${tmpdir}/unpacked/ -i ${tmpdir}/receivedmail >/dev/null 2>&1

   Change this to

   ${metamail} -d ${tmpdir}/unpacked/ -i ${tmpdir}/receivedmail --unique_names >/dev/null 2>&1

3. Save the file

4. Generate a test message with the EICAR Test-File-Virus
   (http://www.eicar.com/anti_virus_test_file.htm) to check if ripMIME
   is configured correctly within the scanmails script.

4. Acknowledgement

This bug was reported by "Brian Erickson" to comp.mail.sendmail

5. References

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=Q5A89.89949%24m91.4424583%40bin5.nnrp.aus1.giganews.com
http://www.amavis.org/security/asa-2000-1.txt
http://www.amavis.org/security/asa-2001-1.txt
http://www.amavis.org/

6. Revision History

08/26/2002: Initial release
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org

iD8DBQE9agYMmxoFTBO0QHkRApydAKCYB+Bo59df7HRITfZpXu3OQnneqgCgiF6Z
zIFIPoUfvMyeJlN7H1ALnWE=
=RQ1k
-----END PGP SIGNATURE-----
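
Added example (not part of the original advisory and not AMaViS or ripMIME code): a small Python regression check that reproduces the overwrite described in section 1 and shows that unique output names keep every attachment visible to the scanner. The marker string, the file name attachment.dat and the index-prefix naming scheme are assumptions made for this illustration; ripMIME's own --unique_names scheme may differ.

```python
import os
import tempfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

MARKER = b"CONSTRUCTED-TEST-MARKER"  # harmless stand-in for a scanner signature

def build_sample():
    """Constructed message: two attachments that share one file name."""
    msg = MIMEMultipart()
    for payload in (b"first part " + MARKER, b"second part, clean"):
        part = MIMEApplication(payload)
        part.add_header("Content-Disposition", "attachment",
                        filename="attachment.dat")
        msg.attach(part)
    return msg.as_bytes()

def unpack(raw, outdir, unique_names):
    """Write every attachment into outdir and return the paths written."""
    written = []
    for n, part in enumerate(message_from_bytes(raw).walk()):
        name = part.get_filename()
        if name is None:          # multipart container or unnamed body part
            continue
        name = os.path.basename(name)   # never trust a path taken from mail
        if unique_names:
            name = f"{n}_{name}"        # hypothetical unique-name scheme
        path = os.path.join(outdir, name)
        with open(path, "wb") as fh:    # "wb" silently replaces an old file
            fh.write(part.get_payload(decode=True))
        written.append(path)
    return written

def scan(outdir):
    """Toy scanner: names of unpacked files that contain MARKER."""
    hits = []
    for name in sorted(os.listdir(outdir)):
        with open(os.path.join(outdir, name), "rb") as fh:
            if MARKER in fh.read():
                hits.append(name)
    return hits

def run(unique_names):
    """Return (files left on disk, scanner hits) for one unpack mode."""
    with tempfile.TemporaryDirectory() as d:
        unpack(build_sample(), d, unique_names)
        return len(os.listdir(d)), scan(d)

if __name__ == "__main__":
    print("overwrite   :", run(False))
    print("unique names:", run(True))
```

A file count on disk that is lower than the number of attachments in the message is the signal that the unpack step lost content before scanning.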