Bug 11959 - RAR Version 5 not supported
Status: RESOLVED FIXED
Product: ClamAV
Classification: ClamAV
Component: libclamav
Version: 0.99.3-beta1
Hardware: x86_64 GNU/Linux
Importance: P3 normal
Target Milestone: 0.99.4
Assigned To: Micah Snyder
Duplicates: 11681 11927 12040 12043 12050 12191 12195 12206
Reported: 2017-11-17 02:03 EST by JAF
Modified: 2019-03-09 15:46 EST

Attachments
rar5 wont scan (1.45 MB, application/octet-stream), 2017-11-21 04:39 EST, Steve Basford
sample 1 (311.83 KB, application/octet-stream), 2017-11-21 05:38 EST, JAF
sample2 (557.26 KB, application/octet-stream), 2017-11-21 05:39 EST, JAF
sample3 (89.33 KB, application/octet-stream), 2018-01-19 04:00 EST, JAF
sample4 (175.85 KB, application/octet-stream), 2018-01-19 04:00 EST, JAF
sample5 (158.16 KB, application/octet-stream), 2018-02-01 03:58 EST, JAF
sampe6 (301.13 KB, application/octet-stream), 2018-02-08 09:16 EST, JAF

Description JAF 2017-11-17 02:03:33 EST
hi,

do you already know, that RAR fileformat Version 5 is not supported?

it's very easy to detect by the different magic number, also see here.
https://en.wikipedia.org/wiki/RAR_(file_format)

if you want i can also upload samples i catch with my mail filters...

br johannes
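
Added example, not part of the original report and not ClamAV code: a sketch of telling RAR 4.x from RAR 5 by the signature at offset 0 and, for RAR 5, checking the first header block's CRC32 before deciding what a mail filter should do with content the scanner cannot unpack. The `triage` policy, its `scanner_unpacks_rar5` parameter and the sample bytes are assumptions constructed for illustration.

```python
import struct
import zlib

RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # RAR 1.5 to 4.x signature (7 bytes)
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5.0 signature (8 bytes)
HEADER_TYPES = {1: "main", 2: "file", 3: "service", 4: "encryption", 5: "end"}

def read_vint(buf, pos):
    """Decode a RAR5 vint (7 data bits per byte, low bits first)."""
    value = shift = 0
    while pos < len(buf) and shift <= 63:
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not byte & 0x80:          # high bit clear: last byte of the vint
            return value, pos
    raise ValueError("truncated or oversized vint")

def rar_version(data):
    """Return 5 or 4 from the signature at offset 0, else None (SFX stubs not handled)."""
    if data.startswith(RAR5_MAGIC):
        return 5
    return 4 if data.startswith(RAR4_MAGIC) else None

def rar5_first_header(data):
    """Verify the CRC32 of the first RAR5 header block and return its type name."""
    crc_pos = len(RAR5_MAGIC)
    if len(data) < crc_pos + 4:
        raise ValueError("truncated header")
    (stored_crc,) = struct.unpack_from("<I", data, crc_pos)
    size, type_pos = read_vint(data, crc_pos + 4)   # size counts from the type field
    end = type_pos + size
    if end > len(data) or zlib.crc32(data[crc_pos + 4:end]) != stored_crc:
        raise ValueError("truncated header or CRC mismatch")
    header_type, _ = read_vint(data, type_pos)
    return HEADER_TYPES.get(header_type, "unknown")

def triage(data, scanner_unpacks_rar5=False):
    """Hypothetical filter policy: hold RAR5 content the scanner cannot open."""
    if rar_version(data) != 5 or scanner_unpacks_rar5:
        return "scan"
    try:
        return "hold: RAR5, first header is " + rar5_first_header(data)
    except ValueError as exc:
        return "hold: RAR5 signature, " + str(exc)

def build_sample():
    """Constructed sample: RAR5 signature plus an empty main archive header."""
    body = b"\x03\x01\x00\x00"   # size=3, type=1 (main), header flags=0, archive flags=0
    return RAR5_MAGIC + struct.pack("<I", zlib.crc32(body)) + body
```

The decision is taken on file content only, so a volume named `.r00` or `.r02` is classified the same way as a `.rar` file.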
Comment 1 Steven Morgan 2017-11-20 12:08:15 EST
Johannes,

Thanks, we will review for 0.99.4.
Comment 2 JAF 2017-11-21 00:09:48 EST
steve,

thanks for the information.

do you want me to upload my malware samples?

johannes
Comment 3 Steve Basford 2017-11-21 04:39:33 EST
Created attachment 7318 [details]
rar5 wont scan

malware .r11 (rar v5)
Comment 4 Steve Basford 2017-11-21 04:41:24 EST
Details for attachment:

Details: RAR 5

        Name: IMGS 20171311.exe
        Type: File
        Size: 1564447
 Packed size: 1520320
       Ratio: 97%
       mtime: 2017-11-13 04:23,385
  Attributes: ..A....
       CRC32: 00C83466
     Host OS: Windows
 Compression: RAR 5.0(v0) -m3 -md=2M

Clamscan debug:


LibClamAV debug: searching for unrar, user-searchpath:
LibClamAV debug: searching for unrar: libclamunrar_iface.dll.6.0.4 not found
LibClamAV debug: searching for unrar: libclamunrar_iface.dll.6 not found
LibClamAV debug: unrar support loaded from libclamunrar_iface unrar
LibClamAV debug: in scanrar()

LibClamAV debug: No bytecodes loaded, not running builtin test
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized RAR file
LibClamAV debug: cache_check: 2d3a2ffa250cb34248e9d6778aee13a1 is negative
LibClamAV debug: in scanrar()
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Descriptor[3]: Can't unpack some data
LibClamAV debug: cli_magic_scandesc: returning 0  at line 2559
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up
Comment 5 JAF 2017-11-21 05:38:51 EST
Created attachment 7319 [details]
sample 1
Comment 6 JAF 2017-11-21 05:39:26 EST
Created attachment 7320 [details]
sample2
Comment 7 JAF 2018-01-19 04:00:34 EST
Created attachment 7357 [details]
sample3
Comment 8 JAF 2018-01-19 04:00:54 EST
Created attachment 7358 [details]
sample4
Comment 9 JAF 2018-02-01 03:58:13 EST
Created attachment 7368 [details]
sample5
Comment 10 JAF 2018-02-08 09:16:57 EST
Created attachment 7373 [details]
sampe6
Comment 11 Micah Snyder 2018-02-08 10:15:33 EST
Thanks for the continued sample submissions.  We don't presently have the resources to research & develop code to support RAR v5, but these will help when we get the chance.  Sorry it's been so quiet.  We're feverishly working on other things at the moment.
Comment 12 JAF 2018-02-08 10:19:29 EST
do you want me to upload further samples when I get them?

johannes
Comment 13 Micah Snyder 2018-02-08 12:41:12 EST
Honestly, haven't had the chance to review any of these yet -- but I won't complain, and it certainly demonstrates your interest in the feature request.
Comment 14 Micah Snyder 2018-03-02 11:14:06 EST
*** Bug 11681 has been marked as a duplicate of this bug. ***
Comment 15 Micah Snyder 2018-03-02 11:19:06 EST
*** Bug 11927 has been marked as a duplicate of this bug. ***
Comment 16 Micah Snyder 2018-03-02 11:20:37 EST
*** Bug 12040 has been marked as a duplicate of this bug. ***
Comment 17 Micah Snyder 2018-03-02 11:22:13 EST
*** Bug 12043 has been marked as a duplicate of this bug. ***
Comment 18 Jimmy 2018-03-02 19:52:22 EST
Here is GNU GPL-licensed code that can handle RAR5, on GitHub: https://github.com/DrMcCoy/dmc_unrar
Comment 19 Micah Snyder 2018-03-07 09:45:19 EST
*** Bug 12050 has been marked as a duplicate of this bug. ***
Comment 20 Steve Basford 2018-05-08 08:55:45 EDT
Lots of RAR v5 malware today:


08/05/2018  08:06           678,662 DELIVERY_ADDRESS_CONFIRMATION.r02
08/05/2018  08:06           678,682 DHL_AWBXXX765647675476565475754.r02
08/05/2018  08:05           219,168 Evidence.rar
08/05/2018  08:04           678,662 INVOICE#001346287897683454545.r02
08/05/2018  08:07           269,806 RFQ#049395,pdf.r00
08/05/2018  08:07           270,345 RFQ456785,PDF.r00
08/05/2018  08:04           678,664 STATEMENT_OF_ACCOUNT.r03

Inside RARv5:

2018-05-07 11:31:56 ....A       993037       678464  DELIVERY ADDRESS CONFIRMATION.jar
2018-05-07 11:31:56 ....A       993037       678464  DHL AWBXXX65675454674646556746467865785.jar
2018-05-06 23:39:04 ....A       655360       219092  Evidence.exe
2018-05-07 11:31:56 ....A       993037       678464  INVOICE#001346287897683454545.jar
2018-05-07 11:31:56 ....A       993037       678464  STATEMENT OF ACCOUNT____PDF___.jar


Can't do a hash sig, as nothing extracted, can't do a CDB either.

Think this needs bumping up the priority list please.
Comment 21 Micah Snyder 2018-05-08 13:25:19 EDT
Yup, we hear you.  Adding v5 support is on our short-list for v0.101.
Comment 22 Micah Snyder 2018-08-27 09:57:43 EDT
I'm getting close to finishing the development portion of this, though there will be quite a bit of testing required.

We're switching to Rarlab's C++ based Unrar (5.6.5) library.  The good news being that it has better coverage than any other rar extraction library out there.  

The bad news is that libclamunrar (vanilla unrar from Rarlab) will still have the same "restrictive" GPL-incompatible license (it's freeware, but you may not reverse engineer it to create a RAR archive compressor).
Comment 23 Micah Snyder 2018-09-25 11:20:24 EDT
*** Bug 12191 has been marked as a duplicate of this bug. ***
Comment 24 Micah Snyder 2018-09-26 13:05:44 EDT
*** Bug 12195 has been marked as a duplicate of this bug. ***
Comment 25 Micah Snyder 2018-10-12 09:01:15 EDT
*** Bug 12206 has been marked as a duplicate of this bug. ***