FEDORA-2018-e5e5ec6ca2 created by sergiomb 2 years ago for Fedora 27
obsolete

Security fixes CVE-2017-6420 (#1483910), CVE-2017-6418 (#1483908)


  • Fix bugs 1126595, 1464269, 1126625 and 1258536
  • Update of main.cvd, daily.cvd and bytecode.cvd
  • Fixes for rhbz 1530678 and 1518016

This update has been submitted for testing by sergiomb.

2 years ago

This update has obsoleted clamav-0.99.2-16.fc27, and has inherited its bugs and notes.

2 years ago

This update has been pushed to testing.

2 years ago
gbcox commented & provided feedback 2 years ago
karma

This update broke my daemon setup. systemd fills my log with: Received 0 file descriptor(s) from systemd.

After backout, everything works fine:

systemctl status clamd@scan.service
● clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-01-16 07:02:44 PST; 31s ago
 Main PID: 5701 (clamd)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─5701 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes

Jan 16 07:02:54 charon clamd[5701]: Portable Executable support enabled.
Jan 16 07:02:54 charon clamd[5701]: ELF support enabled.
Jan 16 07:02:54 charon clamd[5701]: Mail files support enabled.
Jan 16 07:02:54 charon clamd[5701]: OLE2 support enabled.
Jan 16 07:02:54 charon clamd[5701]: PDF support enabled.
Jan 16 07:02:54 charon clamd[5701]: SWF support enabled.
Jan 16 07:02:54 charon clamd[5701]: HTML support enabled.
Jan 16 07:02:54 charon clamd[5701]: XMLDOCS support enabled.
Jan 16 07:02:54 charon clamd[5701]: HWP3 support enabled.
Jan 16 07:02:54 charon clamd[5701]: Self checking every 600 seconds.

With this applied service never starts - it gets stuck in activating:

systemctl status clamd@scan.service
● clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
   Active: activating (start) since Tue 2018-01-16 06:55:34 PST; 1min 22s ago
Cntrl PID: 5172 (clamd)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─5172 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes

Jan 16 06:55:43 charon clamd[5172]: Portable Executable support enabled.
Jan 16 06:55:43 charon clamd[5172]: ELF support enabled.
Jan 16 06:55:43 charon clamd[5172]: Mail files support enabled.
Jan 16 06:55:43 charon clamd[5172]: OLE2 support enabled.
Jan 16 06:55:43 charon clamd[5172]: PDF support enabled.
Jan 16 06:55:43 charon clamd[5172]: SWF support enabled.
Jan 16 06:55:43 charon clamd[5172]: HTML support enabled.
Jan 16 06:55:43 charon clamd[5172]: XMLDOCS support enabled.
Jan 16 06:55:43 charon clamd[5172]: HWP3 support enabled.
Jan 16 06:55:43 charon clamd[5172]: Self checking every 600 seconds.

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

2 years ago
sergiomb commented & provided feedback 2 years ago

Hi, thanks for the testing. Please can you edit /usr/lib/systemd/system/clamd@scan.service and try with:

Type=forking
ExecStart=binary --daemonize=yes

Please, after editing, don't forget to run:

systemctl daemon-reload
gbcox commented & provided feedback 2 years ago

My clamd@scan.service looks like this:

.include /lib/systemd/system/clamd@.service

[Unit]
Description = Generic clamav scanner daemon

[Install]
WantedBy = multi-user.target

So, I modified clamd@.service to look like this:

[Unit]
Description = clamd scanner (%i) daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = forking
ExecStart = binary --daemonize=yes
Restart = on-failure

Now I receive the following message:

start clamd@scan.service
Failed to start clamd@scan.service: Unit clamd@scan.service is not loaded properly: Exec format error.
See system logs and 'systemctl status clamd@scan.service' for details.

systemctl status clamd@scan.service
● clamd@scan.service - clamd scanner (scan) daemon
   Loaded: error (Reason: Exec format error)
   Active: failed (Result: exit-code) since Wed 2018-01-17 06:10:01 PST; 12min ago
 Main PID: 7846 (code=exited, status=0/SUCCESS)

Jan 17 06:10:01 charon systemd[1]: Stopped Generic clamav scanner daemon.
Jan 17 06:10:01 charon systemd[1]: clamd@scan.service: Start request repeated too quickly.
Jan 17 06:10:01 charon systemd[1]: Failed to start Generic clamav scanner daemon.
Jan 17 06:10:01 charon systemd[1]: clamd@scan.service: Unit entered failed state.
Jan 17 06:10:01 charon systemd[1]: clamd@scan.service: Failed with result 'exit-code'.
Jan 17 06:10:06 charon systemd[1]: /lib/systemd/system/clamd@.service:7: Executable path is not absolute: binary /usr/sbin/clamd -c /etc/clamd.d/%i.conf --daemonize=yes
Jan 17 06:10:36 charon systemd[1]: /lib/systemd/system/clamd@.service:7: Executable path is not absolute: binary --daemonize=yes
Jan 17 06:18:40 charon systemd[1]: /lib/systemd/system/clamd@.service:7: Executable path is not absolute: binary --daemonize=yes
Jan 17 06:20:41 charon systemd[1]: /lib/systemd/system/clamd@.service:7: Executable path is not absolute: binary --daemonize=yes
Jan 17 06:21:52 charon systemd[1]: /lib/systemd/system/clamd@.service:7: Executable path is not absolute: binary --daemonize=yes

sergiomb commented & provided feedback 2 years ago

Please replace:

ExecStart = binary --daemonize=yes

by

ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --daemonize=yes
sergiomb commented & provided feedback 2 years ago

Sorry, my last comment doesn't work either, you don't need to test it! Thanks

sergiomb commented & provided feedback 2 years ago

Hi, thanks for the testing. Please can you edit /usr/lib/systemd/system/clamd@.service again, try with [1], and confirm that it is working for you after running [2]. It seems that it is working for me now. Thanks

[1]

[Unit]
Description = clamd scanner (%i) daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = forking
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf 
Restart = on-failure

[2]

systemctl daemon-reload 
systemctl start clamd@scan.service

This update has been obsoleted by clamav-0.99.2-18.fc27.

2 years ago
gbcox commented & provided feedback 2 years ago

Thanks... that worked... here is what I had previously to the change...

[Unit]
Description = clamd scanner (%i) daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = simple
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --foreground=yes
Restart = on-failure
PrivateTmp = true

I did some quick reading and understand that foreground and forking are contradictory - but shouldn't we be keeping PrivateTmp?
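The mismatches that came up in this thread (a non-absolute ExecStart, Type=forking alongside --foreground=yes, and PrivateTmp dropping out of the unit) can be checked mechanically before running systemctl daemon-reload. The following is an added example, not part of the original comments or the Fedora package; the function names and finding codes are hypothetical, and the [Service] snippets are abridged from the units posted above (Restart lines omitted).

```python
import shlex

def parse_unit(text):
    """Parse unit text into {section: {key: [values]}}; keys may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (p.strip() for p in line.split("=", 1))
            current.setdefault(key, []).append(value)
    return sections

def lint_service(text):
    """Return finding codes (hypothetical names) for one unit's [Service] section."""
    svc = parse_unit(text).get("Service", {})
    svc_type = svc.get("Type", ["simple"])[-1]
    findings = []
    for argv in filter(None, map(shlex.split, svc.get("ExecStart", []))):
        # systemd allows prefix characters such as "-" or "@" before the path
        if not argv[0].lstrip("-@:+!").startswith("/"):
            findings.append("exec-not-absolute")
        if svc_type == "forking" and "--foreground=yes" in argv:
            findings.append("forking-with-foreground")
    if svc.get("PrivateTmp", ["no"])[-1].lower() not in ("true", "yes", "1", "on"):
        findings.append("private-tmp-not-set")  # hardening option to review
    return findings

# [Service] sections abridged from the units posted in the thread
BROKEN = """[Service]
Type = forking
ExecStart = binary --daemonize=yes
"""
PROPOSED = """[Service]
Type = forking
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf
"""
PREVIOUS = """[Service]
Type = simple
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --foreground=yes
PrivateTmp = true
"""
# Constructed input: the contradictory combination raised in the last comment
MIXED = PREVIOUS.replace("Type = simple", "Type = forking")
```

Calling lint_service on each constant reproduces the "Executable path is not absolute" condition for the unit with the literal "binary" placeholder and reports the missing PrivateTmp in the proposed unit as an item to review.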



Metadata
Type: security
Karma: -1
Signed
Content Type: RPM
Test Gating
Settings
Unstable by Karma: -3
Stable by Karma: disabled
Stable by Time: disabled
Dates
submitted: 2 years ago
in testing: 2 years ago
BZ#1126595 /etc/tmpfiles.d/clamav-milter.conf is wrong
BZ#1126625 clamd should use Type=forking instead Type=simple
BZ#1258536 clamav-server-sysvinit clamd can't create pid file
BZ#1464269 PrivateTmp = true breaks all ScanOnAccess features
BZ#1483908 CVE-2017-6418 clamav: out-of-bounds read in libclamav/message.c
BZ#1483910 CVE-2017-6420 clamav: use-after-free in wwunpack function
BZ#1518016 the jitoff patch is no longer needed and should be removed
BZ#1530678 clamav-server requires nmap-ncat, security concerns

Automated Test Results

Test Cases

Test Case ClamAV