View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000434 | file | General | public | 2023-03-15 14:19 | 2023-03-15 14:19 |
Reporter | toni.reed | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | new | Resolution | open | ||
Product Version | 5.44 | ||||
Summary | 0000434: DOS executable detection classifies files inside of OOXML documents as DOS block device drivers | ||||
Description | file uses a heuristic to determine whether a file is a DOS executable, for example, a DOS block device driver. This heuristic seems too broad and imprecise. It regularly classifies files inside of OOXML documents created by Microsoft Word as DOS block device drivers. The email content filter amavis uses libmagic to determine the file type of email attachments and regularly rejects emails with OOXML documents when it is configured to reject executables for Microsoft operating systems and to unpack OOXML documents (default behaviour). Therefore, this heuristic is more than an exotic classification mistake. Multiple workarounds are documented on the Internet because the issue affects many users of amavis. | ||||
Steps To Reproduce |
1. Create a file with the following contents: ff ff ff ff 00 00 00 00

   For example:

       $ hexdump [trash]/0000.dat
       0000000 ffff ffff 0000 0000 0000 0000 0000 0000
       0000010 0000 0000 0000 0000 0000 0000 0000 0000
       *
       0000790 0000 0000
       0000793

2. Let file determine the type of the file:

       $ file [trash]/0000.dat
       [trash]/0000.dat: DOS executable (block device driver)
Additional Information |
The relevant section in the file msdos seems to be

    # DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017,Aug 2020
    # URL: http://fileformats.archiveteam.org/wiki/DOS_device_driver
    # Reference: http://www.delorie.com/djgpp/doc/rbinter/it/46/16.html
    # https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
    0 ulequad&0x07a0ffffffff 0xffffffff

and

    # DOS device driver attributes
    >4 uleshort&0x8000 0x0000 \bblock device driver

However, the heuristic seems so broad that it might also classify other files as DOS executables and the entire heuristic seems to be affected. Classifying DOS executables also seems to be a hard problem as they don't seem to have an easily distinguishable magic number.
Tags | No tags attached. | ||||
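
An added illustration, not part of the original report and not code from file itself: the two magic rules quoted under Additional Information, re-implemented in Python so that a mail-filter administrator can check which byte patterns trip them. The function names and all sample inputs are constructed for this example.

```python
import struct

# Values copied from the quoted rule: 0 ulequad&0x07a0ffffffff 0xffffffff
QUAD_MASK = 0x07A0FFFFFFFF
QUAD_WANT = 0xFFFFFFFF
# Value copied from the quoted sub-rule: >4 uleshort&0x8000 0x0000
ATTR_MASK = 0x8000


def dos_driver_rule(data: bytes):
    """Evaluate the quoted rules on a buffer.

    Returns None when the top-level rule does not match, otherwise the
    label the sub-rule would select. Only the first 8 bytes are examined.
    """
    if len(data) < 8:
        return None  # an 8-byte little-endian read needs 8 bytes
    (quad,) = struct.unpack_from("<Q", data, 0)
    if quad & QUAD_MASK != QUAD_WANT:
        return None
    (attr,) = struct.unpack_from("<H", data, 4)
    if attr & ATTR_MASK == 0:
        return "block device driver"
    return "device driver, not block"  # label constructed for this example


def constrained_bits() -> int:
    """Number of bits, out of the 64 read, that the top-level rule tests."""
    return bin(QUAD_MASK).count("1")


# Constructed samples. The first mirrors the reproducer in the report:
# ff ff ff ff followed by zero bytes, 0x793 bytes in total.
SAMPLES = {
    "reproducer": b"\xff" * 4 + b"\x00" * (0x793 - 4),
    "zip local header": b"PK\x03\x04" + b"\x00" * 26,
    "attribute bit 15 set": b"\xff\xff\xff\xff\x00\x80\x00\x00",
    "attribute bit 5 set": b"\xff\xff\xff\xff\x20\x00\x00\x00",
}

if __name__ == "__main__":
    print(f"bits tested by top-level rule: {constrained_bits()} of 64")
    for name, blob in SAMPLES.items():
        print(f"{name:22} -> {dos_driver_rule(blob)}")
```

The classification depends on the first four bytes being ff ff ff ff plus a handful of zero bits in the following 16-bit word, and nothing after byte 8 is consulted, which is why a mostly-zero embedded part that starts with ff ff ff ff matches.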