[Bug 268069] security/clamav: 1.0.0 does no work with cld and cvd files

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 12 Dec 2022 14:40:28 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268069

--- Comment #17 from fsbruva@yahoo.com ---
Good morning.

I have been tearing my hair out on this one. Here's the output when starting
clamav 1.0.0 on the broken jail, using a known good (downloaded/verified by
freshclam 1.0.0 in functioning jail) backup of /var/db/clamav:

Attempting to start clamav-clamd 1.0.0 with known good database in broken jail:

LibClamAV debug: Loading databases from /var/db/clamav
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 8cbf2717c14dbd1406290693c0dcf014
LibClamAV debug: cli_versig: Decoded signature:
00000000000000000000000000000000
LibClamAV debug: cli_versig: Signature doesn't match.
LibClamAV debug: cli_cvdverify: Digital signature verification error
LibClamAV Error: Can't load /var/db/clamav/daily.cvd: Can't verify database
integrity
LibClamAV Error: cli_loaddbdir: error loading database /var/db/clamav/daily.cvd
ERROR: Can't verify database integrity
Closing the main socket.
/usr/local/etc/rc.d/clamav-clamd: WARNING: failed to start clamav_clamd

A similar error occurs when running freshclam 1.0.0 in the broken jail.

You can see that the correct hash is present in the file....
user@machine:/var/db/clamav # hexdump -vC daily.cvd | head -n10
00000000  43 6c 61 6d 41 56 2d 56  44 42 3a 30 31 20 44 65  |ClamAV-VDB:01 De|
00000010  63 20 32 30 32 32 20 30  33 2d 32 32 20 2d 30 35  |c 2022 03-22 -05|
00000020  30 30 3a 32 36 37 33 37  3a 32 30 31 33 32 33 32  |00:26737:2013232|
00000030  3a 39 30 3a 38 63 62 66  32 37 31 37 63 31 34 64  |:90:8cbf2717c14d|
00000040  62 64 31 34 30 36 32 39  30 36 39 33 63 30 64 63  |bd1406290693c0dc|
00000050  66 30 31 34 3a 78 32 73  4f 65 6e 52 32 36 70 6a  |f014:x2sOenR26pj|
00000060  39 44 36 30 4a 67 2f 79  44 44 78 53 64 47 6c 54  |9D60Jg/yDDxSdGlT|
00000070  79 45 78 48 35 4e 66 76  42 36 4a 30 2f 66 79 58  |yExH5NfvB6J0/fyX|
00000080  46 71 4f 41 59 50 6a 2f  37 74 34 52 76 34 66 43  |FqOAYPj/7t4Rv4fC|
00000090  34 65 47 42 4b 69 34 6b  56 2b 62 63 70 46 57 49  |4eGBKi4kV+bcpFWI|

When that same file is used in the working jail, when clamav-clamd 1.0.0 is
started, here's what you see...

LibClamAV debug: Loading databases from /var/db/clamav
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 8cbf2717c14dbd1406290693c0dcf014
LibClamAV debug: cli_versig: Decoded signature:
8cbf2717c14dbd1406290693c0dcf014


I have done the following thus far:
1. Installed all the ports that were unique to the functioning jail (using same
OPTIONS) that into the non-working jail to try to solve dependencies issues.
2. Completely rebuilt entire chain and all dependencies in functioning jail,
using portmaster -f security/clamav. Afterwards, resulting port install of
clamav 1.0.0 still worked in the functioning jail.
3. Copied all ports OPTIONS from the functioning jail into non-working jail,
and completely rebuilt entire chain in non-working jail, using portmaster -f
security/clamav. Afterwards, resulting port install of clamav 1.0.0 still
failed with the same error.
4. Looked at the diff between git releases 0.105 and 1.0. Nothing stood out in
libclamav/dsig.c for changes to the behavior of cli_versig() or cli_decodesig()
functions, or in libclamav/cvd.c within the cli_cvdload() or cli_cvdcertify()
functions. Most of the code for those sections hasn't changed in like 3 years
or more. It *might* be related to the upgrade of the TomsFastMath code from
commit 375ecf6. But even if it is, I still can't figure why the jails are
building differently.

My next step is to progressively install the ports unique to the non-working
jail into the functioning jail so I can try and detect when a failure occurs. I
thought maybe the others seeing this issue could share the list of other ports
they have installed, so help me confirm my outcomes.

(In reply to doctor from comment #0)
Can you please upload a file with the output of `pkg info`?

(In reply to ek from comment #3)
Can you please upload a file with the output of `pkg info`?

(In reply to Arnaud de Prelle from comment #12)
Can you please upload a file with the output of `pkg info`?

(In reply to Sigi from comment #15)
Can you please upload a file with the output of `pkg info`?

(In reply to jasiu from comment #16)
Can you please upload a file with the output of `pkg info`?

-- 
You are receiving this mail because:
You are the assignee for the bug.