decompression_bomb.gif detected as BC.Gif.Exploit.Agent-1425366.Agent only by ClamAV #6962

Closed
ronator opened this issue Feb 22, 2023 · 8 comments

ronator commented Feb 22, 2023

Hi all,

I wanted to raise this project's attention as I could not resolve an issue with ClamAV despite creating a false-positive report via web form. After some investigation, I am 100% sure your file is not infected. However, ClamAV does not act on it. I have reached out to them again via Discord some minutes ago.

I am aware that this is NOT an issue, but I wanted to make sure you are aware of the false accusations. I was not able to get the ClamAV team to fix this within the last two weeks, I am sorry.

image

What are your OS, Python and Pillow versions?

  • OS: Ubuntu 20
  • Python: 3.8
  • Pillow: 9.4

@radarhere
Member

We've had issues in the past where antivirus software has flagged our test images as being exploits, like #4730. In cases like that, it is true that they are exploits - it's just that they are only exploits for past versions of Pillow. We've since fixed the problems, and so to silence these unnecessary warnings, we move the problematic files into a different repository.

But I'd like to try and figure out some more information first. I'm having trouble finding anything to tell me what "BC.Gif.Exploit.Agent-1425366.Agent" means. Do you have a link you can post?

Let us know if ClamAV does respond to you.

Author

ronator commented Feb 23, 2023

Dear @radarhere,
unfortunately, ClamAV has not published any information about that type, which is apparently disturbing. However, if you Google for "BC.Gif.Exploit.Agent", you may notice other projects being affected by ClamAV in the past. Imho, ClamAV refers to that term for files which may attempt to trigger an exploit.

I will check later that day on Discord for ClamAV feedback. I had provided them w/ the link to this issue as well.
Please let me know if our analyses match.

Best regards,
Ron

@radarhere
Member

I've created PR #6964 to resolve this by moving the image into another repository.

If it is merged, then in the next release of Pillow, the test image will no longer be part of our main repository. Instead, it will just be in https://github.com/python-pillow/test-images and only tested on our CI builds.

@hugovk hugovk added this to the 9.5.0 milestone Feb 23, 2023
Member

hugovk commented Feb 23, 2023

Thank you for your efforts reporting this to ClamAV, and for letting us know!

Plan A is always to get the AV tool to stop reporting these, as it's always better for us to keep test files versioned with the source code, so that others can take a single release and fully test it, including that there are no security regressions.

And therefore moving test files outside the repo worsens the security of the project.

Our next release is scheduled for 1st April; let's give ClamAV until late March to fix their AV, and we can consider #6964 as a last resort.

Author

ronator commented Feb 23, 2023

@hugovk @radarhere
It seems they will fix it soon, according to their feedback on Discord:

image

I enjoyed that collaboration. I consider this as soon-to-be-resolved. You may not need any follow-up.

Best regards

@radarhere
Member

Excellent. Kindly let us know when it is dropped.

@radarhere
Member

@ronator any updates?

@github-actions

Closing this issue as no feedback has been received.

@github-actions github-actions bot closed this as not planned Mar 13, 2023