[Bug 268069] security/clamav: 1.0.0 does no work with cld and cvd files
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 268069] clamav 1.0.0 does no work with cld and cvd files"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 12 Dec 2022 14:40:28 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268069 --- Comment #17 from fsbruva@yahoo.com --- Good morning. I have been tearing my hair out on this one. Here's the output when starting clamav 1.0.0 on the broken jail, using a known good (downloaded/verified by freshclam 1.0.0 in functioning jail) backup of /var/db/clamav: Attempting to start clamav-clamd 1.0.0 with known good database in broken jail: LibClamAV debug: Loading databases from /var/db/clamav LibClamAV debug: in cli_cvdload() LibClamAV debug: MD5(.tar.gz) = 8cbf2717c14dbd1406290693c0dcf014 LibClamAV debug: cli_versig: Decoded signature: 00000000000000000000000000000000 LibClamAV debug: cli_versig: Signature doesn't match. LibClamAV debug: cli_cvdverify: Digital signature verification error LibClamAV Error: Can't load /var/db/clamav/daily.cvd: Can't verify database integrity LibClamAV Error: cli_loaddbdir: error loading database /var/db/clamav/daily.cvd ERROR: Can't verify database integrity Closing the main socket. /usr/local/etc/rc.d/clamav-clamd: WARNING: failed to start clamav_clamd A similar error occurs when running freshclam 1.0.0 in the broken jail. You can see that the correct hash is present in the file.... user@machine:/var/db/clamav # hexdump -vC daily.cvd | head -n10 00000000 43 6c 61 6d 41 56 2d 56 44 42 3a 30 31 20 44 65 |ClamAV-VDB:01 De| 00000010 63 20 32 30 32 32 20 30 33 2d 32 32 20 2d 30 35 |c 2022 03-22 -05| 00000020 30 30 3a 32 36 37 33 37 3a 32 30 31 33 32 33 32 |00:26737:2013232| 00000030 3a 39 30 3a 38 63 62 66 32 37 31 37 63 31 34 64 |:90:8cbf2717c14d| 00000040 62 64 31 34 30 36 32 39 30 36 39 33 63 30 64 63 |bd1406290693c0dc| 00000050 66 30 31 34 3a 78 32 73 4f 65 6e 52 32 36 70 6a |f014:x2sOenR26pj| 00000060 39 44 36 30 4a 67 2f 79 44 44 78 53 64 47 6c 54 |9D60Jg/yDDxSdGlT| 00000070 79 45 78 48 35 4e 66 76 42 36 4a 30 2f 66 79 58 |yExH5NfvB6J0/fyX| 00000080 46 71 4f 41 59 50 6a 2f 37 74 34 52 76 34 66 43 |FqOAYPj/7t4Rv4fC| 00000090 34 65 47 42 4b 69 34 6b 56 2b 62 63 70 46 57 49 |4eGBKi4kV+bcpFWI| When that same file is used in the working jail, when clamav-clamd 1.0.0 is started, here's what you see... LibClamAV debug: Loading databases from /var/db/clamav LibClamAV debug: in cli_cvdload() LibClamAV debug: MD5(.tar.gz) = 8cbf2717c14dbd1406290693c0dcf014 LibClamAV debug: cli_versig: Decoded signature: 8cbf2717c14dbd1406290693c0dcf014 I have done the following thus far: 1. Installed all the ports that were unique to the functioning jail (using same OPTIONS) that into the non-working jail to try to solve dependencies issues. 2. Completely rebuilt entire chain and all dependencies in functioning jail, using portmaster -f security/clamav. Afterwards, resulting port install of clamav 1.0.0 still worked in the functioning jail. 3. Copied all ports OPTIONS from the functioning jail into non-working jail, and completely rebuilt entire chain in non-working jail, using portmaster -f security/clamav. Afterwards, resulting port install of clamav 1.0.0 still failed with the same error. 4. Looked at the diff between git releases 0.105 and 1.0. Nothing stood out in libclamav/dsig.c for changes to the behavior of cli_versig() or cli_decodesig() functions, or in libclamav/cvd.c within the cli_cvdload() or cli_cvdcertify() functions. Most of the code for those sections hasn't changed in like 3 years or more. It *might* be related to the upgrade of the TomsFastMath code from commit 375ecf6. But even if it is, I still can't figure why the jails are building differently. My next step is to progressively install the ports unique to the non-working jail into the functioning jail so I can try and detect when a failure occurs. I thought maybe the others seeing this issue could share the list of other ports they have installed, so help me confirm my outcomes. (In reply to doctor from comment #0) Can you please upload a file with the output of `pkg info`? (In reply to ek from comment #3) Can you please upload a file with the output of `pkg info`? (In reply to Arnaud de Prelle from comment #12) Can you please upload a file with the output of `pkg info`? (In reply to Sigi from comment #15) Can you please upload a file with the output of `pkg info`? (In reply to jasiu from comment #16) Can you please upload a file with the output of `pkg info`? -- You are receiving this mail because: You are the assignee for the bug.