FEDORA-2018-e5e5ec6ca2

security update in Fedora 27 for clamav

Status: obsolete

Security fixes CVE-2017-6420 (#1483910), CVE-2017-6418 (#1483908)


  • Fix bugs 1126595, 1464269, 1126625 and 1258536
  • Update of main.cvd, daily.cvd and bytecode.cvd
  • Fixes for rhbz 1530678 and 1518016

Comments 13

This update has been submitted for testing by sergiomb.

This update has obsoleted clamav-0.99.2-16.fc27, and has inherited its bugs and notes.

This update has been pushed to testing.

This update broke my daemon setup. systemd fills my log with: Received 0 file descriptor(s) from systemd.

After backout, everything works fine:

systemctl status clamd@scan.service
● clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-01-16 07:02:44 PST; 31s ago
 Main PID: 5701 (clamd)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─5701 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes

Jan 16 07:02:54 charon clamd[5701]: Portable Executable support enabled.
Jan 16 07:02:54 charon clamd[5701]: ELF support enabled.
Jan 16 07:02:54 charon clamd[5701]: Mail files support enabled.
Jan 16 07:02:54 charon clamd[5701]: OLE2 support enabled.
Jan 16 07:02:54 charon clamd[5701]: PDF support enabled.
Jan 16 07:02:54 charon clamd[5701]: SWF support enabled.
Jan 16 07:02:54 charon clamd[5701]: HTML support enabled.
Jan 16 07:02:54 charon clamd[5701]: XMLDOCS support enabled.
Jan 16 07:02:54 charon clamd[5701]: HWP3 support enabled.
Jan 16 07:02:54 charon clamd[5701]: Self checking every 600 seconds.

With this applied service never starts - it gets stuck in activating:

systemctl status clamd@scan.service
● clamd@scan.service - Generic clamav scanner daemon
   Loaded: loaded (/usr/lib/systemd/system/clamd@scan.service; enabled; vendor preset: disabled)
   Active: activating (start) since Tue 2018-01-16 06:55:34 PST; 1min 22s ago
Cntrl PID: 5172 (clamd)
    Tasks: 2 (limit: 4915)
   CGroup: /system.slice/system-clamd.slice/clamd@scan.service
           └─5172 /usr/sbin/clamd -c /etc/clamd.d/scan.conf --foreground=yes

Jan 16 06:55:43 charon clamd[5172]: Portable Executable support enabled.
Jan 16 06:55:43 charon clamd[5172]: ELF support enabled.
Jan 16 06:55:43 charon clamd[5172]: Mail files support enabled.
Jan 16 06:55:43 charon clamd[5172]: OLE2 support enabled.
Jan 16 06:55:43 charon clamd[5172]: PDF support enabled.
Jan 16 06:55:43 charon clamd[5172]: SWF support enabled.
Jan 16 06:55:43 charon clamd[5172]: HTML support enabled.
Jan 16 06:55:43 charon clamd[5172]: XMLDOCS support enabled.
Jan 16 06:55:43 charon clamd[5172]: HWP3 support enabled.
Jan 16 06:55:43 charon clamd[5172]: Self checking every 600 seconds.

karma: -1

Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.

Hi, thanks for the testing. Please can you edit /usr/lib/systemd/system/clamd@scan.service and try with:

Type=forking
ExecStart=binary --daemonize=yes

After editing, please don't forget to run:

systemctl daemon-reload

My clamd@scan.service looks like this:

.include /lib/systemd/system/clamd@.service

[Unit]
Description = Generic clamav scanner daemon

[Install]
WantedBy = multi-user.target

So, I modified clamd@.service to look like this:

[Unit]
Description = clamd scanner (%i) daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = forking
ExecStart = binary --daemonize=yes
Restart = on-failure

Now I receive the following message:

start clamd@scan.service
Failed to start clamd@scan.service: Unit clamd@scan.service is not loaded properly: Exec format error.
See system logs and 'systemctl status clamd@scan.service' for details.

systemctl status clamd@scan.service
● clamd@scan.service - clamd scanner (scan) daemon
   Loaded: error (Reason: Exec format error)
   Active: failed (Result: exit-code) since Wed 2018-01-17 06:10:01 PST; 12min ago
 Main PID: 7846 (code=exited, status=0/SUCCESS)

Jan 17 06:10:01 charon systemd[1]: Stopped Generic clamav scanner daemon.
Jan 17 06:10:01 charon systemd[1]: clamd@scan.service: Start request repeated too quickly.
Jan 17 06:10:01 charon systemd[1]: Failed to start Generic clamav scanner daemon.
Jan 17 06:10:01 charon systemd[1]: clamd@scan.service: Unit entered failed state.
Jan 17 06:10:01 charon systemd[1]: clamd@scan.service: Failed with result 'exit-code'.
Jan 17 06:10:06 charon systemd[1]: /lib/systemd/system/clamd@.service:7: Executable path is not absolute: binary /usr/sbin/clamd -c /etc/clamd.d/%i.conf --daemonize=yes
Jan 17 06:10:36 charon systemd[1]: /lib/systemd/system/clamd@.service:7: Executable path is not absolute: binary --daemonize=yes
Jan 17 06:18:40 charon systemd[1]: /lib/systemd/system/clamd@.service:7: Executable path is not absolute: binary --daemonize=yes
Jan 17 06:20:41 charon systemd[1]: /lib/systemd/system/clamd@.service:7: Executable path is not absolute: binary --daemonize=yes
Jan 17 06:21:52 charon systemd[1]: /lib/systemd/system/clamd@.service:7: Executable path is not absolute: binary --daemonize=yes

Please replace:

ExecStart = binary --daemonize=yes

by

ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --daemonize=yes

Sorry, my last comment doesn't work either; you don't need to test it! Thanks

Hi, thanks for the testing. Please can you edit /usr/lib/systemd/system/clamd@.service again, try with [1], and confirm that it is working for you after running [2]? It seems to be working for me now. Thanks

[1]

[Unit]
Description = clamd scanner (%i) daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = forking
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf 
Restart = on-failure

[2]

systemctl daemon-reload 
systemctl start clamd@scan.service

This update has been obsoleted by clamav-0.99.2-18.fc27.

Thanks... that worked... here is what I had prior to the change...

[Unit]
Description = clamd scanner (%i) daemon
After = syslog.target nss-lookup.target network.target

[Service]
Type = simple
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --foreground=yes
Restart = on-failure
PrivateTmp = true

I did some quick reading and understand that foreground and forking are contradictory - but shouldn't we be keeping PrivateTmp?
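
The three unit-file problems that surface in this thread (an ExecStart path that is not absolute, Type=forking combined with --foreground=yes, and PrivateTmp being dropped) can be checked mechanically before running systemctl daemon-reload. The Python lint below is an added example, not part of the original thread or of the Fedora package; the function name, finding codes and sample units are constructed for illustration.

```python
import configparser

# Constructed sample units, modelled on those quoted in the comments above.
STUCK_UNIT = """\
[Service]
Type = forking
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf --foreground=yes
Restart = on-failure
"""

RELATIVE_UNIT = """\
[Service]
Type = forking
ExecStart = binary --daemonize=yes
"""

# Hypothetical combination: the working unit [1] plus the PrivateTmp line
# the last commenter asks about.
FORKING_PRIVATETMP_UNIT = """\
[Service]
Type = forking
ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf
Restart = on-failure
PrivateTmp = true
"""


def lint_unit(text):
    """Return a sorted list of finding codes for one unit file's text."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # systemd keys are case-sensitive
    parser.read_string(text)
    if not parser.has_section("Service"):
        return ["no-service-section"]
    svc = parser["Service"]
    findings = []
    argv = svc.get("ExecStart", "").split()
    # systemd allows prefix characters such as "-" or "@" before the path.
    exe = argv[0].lstrip("-@+!:") if argv else ""
    if not exe.startswith("/"):
        findings.append("execstart-not-absolute")
    # Type=forking waits for the parent to exit; a foreground clamd never does.
    if svc.get("Type", "simple") == "forking" and "--foreground=yes" in argv:
        findings.append("forking-with-foreground")
    # Informational: bug #1464269 reports PrivateTmp=true breaking ScanOnAccess.
    if svc.get("PrivateTmp", "no").lower() not in ("true", "yes", "1", "on"):
        findings.append("privatetmp-off")
    return sorted(findings)
```

The `privatetmp-off` finding is informational only, since the update's own bug list records a case where PrivateTmp = true had to be removed.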


Content Type: RPM
Status: obsolete
Test Gating Status: Tests not running
Submitted by
Update Type: security
Karma: -1 (stable threshold: 3, unstable threshold: -3)
Autopush: Disabled
Dates: submitted 3 months ago, in testing 3 months ago

Related Bugs 8

#1483910 CVE-2017-6420 clamav: use-after-free in wwunpack function
#1483908 CVE-2017-6418 clamav: out-of-bounds read in libclamav/message.c
#1126595 /etc/tmpfiles.d/clamav-milter.conf is wrong
#1464269 PrivateTmp = true breaks all ScanOnAccess features
#1126625 clamd should use Type=forking instead Type=simple
#1258536 clamav-server-sysvinit clamd can't create pid file
#1530678 clamav-server requires nmap-ncat, security concerns
#1518016 the jitoff patch is no longer needed and should be removed

Test Cases

Test Case ClamAV