Bug 12407 – Bug in SSN detection in DLP module causes false positives

Bug 12407 - Bug in SSN detection in DLP module causes false positives


Summary:	Bug in SSN detection in DLP module causes false positives

Status:	NEW

Product:	ClamAV
Classification:	ClamAV
Component:	libclamav
Version:	stable
Hardware:	x86_64 All

Importance:	P3 normal
Target Milestone:	0.101.0
Assigned To:	ClamAV team

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2019-09-30 11:47 EDT by Micah Snyder
Modified:	2019-09-30 11:47 EDT (History)
CC List:	0 users

See Also:
QA Contact:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Micah Snyder 2019-09-30 11:47:34 EDT

Wagde on the clamav-users mailing list reported a bug in the SSN detection algorithm in the DLP module:

https://lists.gt.net/clamav/users/77165

See https://github.com/Cisco-Talos/clamav-devel/blob/dev/0.102/libclamav/dlp.c#L295 where "%3d-%2d-%4d" and "%3d%2d%4d" format strings for sscanf() are used with the assumption that the numbers must of width 3, 2, and 4.  In reality, the width specifier is a maximum: http://www.cplusplus.com/reference/cstdio/scanf/

The easy fix would be to make sure that Area >= 100, Group >= 10, and Serial >= 1000 -- though as per the comments it seems like sscanf() is an inefficient choice for the implementation.