This Week in Security: Filename Not Sanitized, MonikerLink, and Snap Attack!

Reading through a vulnerability report about ClamAV, I came across a phrase that filled me with dread: “The file name is not sanitized”. It’s a feature, VirusEvent, that can be enabled in the ClamAV config. And that configuration includes a string formatting function, where the string includes %v and %s, which get replaced with a detected virus name and the file name from the email. And now you see the problem, I hope: The filename is attacker-supplied input.


This is a companion discussion topic for the original entry at https://hackaday.com/2024/02/16/this-week-in-security-filename-not-sanitized-monikerlink-and-snap-attack/
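
The pattern described in the excerpt above, as an added example (not ClamAV's code and not from the original article): a simplified model of a hook command template, showing that a filename substituted into the command string is parsed by the shell, while the same value passed through an environment variable stays data. The templates, the function names and the `EVENT_VIRUS`/`EVENT_FILE` variable names are assumptions for illustration, and the sample values are constructed.

```shell
#!/bin/sh
# Simplified model of a VirusEvent-style hook; not ClamAV source code.

# Constructed sample input: detection name and an attachment filename from an email.
SAMPLE_VIRUS='Eicar-Test-Signature'
SAMPLE_FILE='report.pdf; echo INJECTED'

# Hypothetical configured command using the %v / %s placeholders.
UNSAFE_TEMPLATE='echo ALERT %v in %s'
# Hypothetical hardened form: the command text is fixed, values arrive as env vars.
SAFE_TEMPLATE='echo "ALERT $EVENT_VIRUS in $EVENT_FILE"'

# expand TEMPLATE VIRUS FILE: replace the first %v and the first %s, no escaping.
expand() {
    t=$1
    case $t in *%v*) pre=${t%%%v*}; post=${t#*%v}; t=$pre$2$post ;; esac
    case $t in *%s*) pre=${t%%%s*}; post=${t#*%s}; t=$pre$3$post ;; esac
    printf '%s' "$t"
}

# Unsafe: the filename becomes part of the command text that the shell parses,
# so metacharacters in it (here ';') are interpreted as shell syntax.
run_event_unsafe() {
    sh -c "$(expand "$UNSAFE_TEMPLATE" "$1" "$2")"
}

# Hardened: untrusted values are exported to the child process and only ever
# expanded inside double quotes, so they are never re-parsed as commands.
run_event_safe() {
    EVENT_VIRUS=$1 EVENT_FILE=$2 sh -c "$SAFE_TEMPLATE"
}

echo '--- unsafe (filename parsed as shell syntax) ---'
run_event_unsafe "$SAMPLE_VIRUS" "$SAMPLE_FILE"
echo '--- hardened (filename treated as data) ---'
run_event_safe "$SAMPLE_VIRUS" "$SAMPLE_FILE"
```

The unsafe variant prints two lines because the text after `;` runs as a second command; the hardened variant prints the whole filename on one line.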