ClamAV error: CL_EFORMAT: Bad format or broken data

Bug #1015405 reported by Dagaroth
278
This bug affects 4 people
Affects Status Importance Assigned to Milestone
ClamAV
Fix Released
Medium
Hardy Backports
Fix Released
High
Scott Kitterman
Lucid Backports
Fix Released
High
Scott Kitterman
clamav (Debian)
Fix Released
Unknown
clamav (Ubuntu)
Fix Released
High
Scott Kitterman
Natty
Fix Released
High
Steve Beattie
Oneiric
Fix Released
High
Steve Beattie
Precise
Fix Released
High
Steve Beattie
Quantal
Fix Released
High
Scott Kitterman

Bug Description

[IMPACT]

 * Scanning errors on some files of some important types like PDF, DOC, XLS, and tar.bz2.

 * Can cause major disruption of mail servers and other applications

 * Regression from previous releases

 * Bug fix is upstream fix that will be included in the next clamav release.

[TESTCASE]

 * sudo apt-get install clamav (if not already installed) and once the package is installed and signatures are downloaded you are ready to test.

 * With an appropriate test file (the thunderbird bz2 file that is attached to the bug is one such file) run $ clamscan $FILENAME and you should get an error as described in the original bug.

 * Install the updated packages from -proposed

 * Run the test again and it should test OK (no error and no virus found).

[Regression Potential]

 * Nil. Patch taken from upstream and given where the patch is in the code it would be very difficult to regress.

Original bug:

got this in my syslog after update of clamav dunno if its a bug or not

Jun 19 21:47:29 server dansguardian[]: ClamAV error: CL_EFORMAT: Bad format or broken data
Jun 19 21:47:29 server dansguardian[]: scanFile/Memory returned error: -1

update version
0.97.5

ubuntu 11.04

Revision history for this message
In , Draynor (draynor) wrote :

Users have reported that scanning MS compressed files are returning "CL_EFORMAT: Bad format or broken data ERROR". The patch for bug #4626 introduced this behavior. We are currently investigating the correct solution to these reports.

Revision history for this message
In , Draynor (draynor) wrote :

The return value noted here is a scanning error code. This behavior has been seen on files that do not decompress correctly. If using clamav-milter, messages with attachments flagged as CL_EFORMAT trigger the OnFail Action specified in the clamav-milter.conf configuration file. The default Action for OnFail is Defer, so these messages will be rescanned at intervals and never delivered.

There is a workaround to break the loop of re-scanning these broken files. To reject messages with these attachments, change the OnFail Action to Reject. If you prefer the old behavior of the previous release, change the OnFail Action to Accept.

These solutions should be used as a temporary workaround only and in an environment where the connection to clamd is stable. Changing this configuration line will also affect any messages that fail scanning because of transient issues such as dropped connections or out of memory errors. If OnFail is set to Accept, malicious mail may be passed by the scanner. If OnFail is set to Reject, non-malicious mail may be rejected by the scanner. This workaround should be used with caution.

Revision history for this message
In , Draynor (draynor) wrote :

The root cause has been traced to an errorcode-handling change in the patch for bug #4669 and is not LZX-compression specific. Other file formats which have reported to trigger CL_EFORMAT errors include Excel & Word documents as well as PDF files.

Revision history for this message
In , Dfs-q (dfs-q) wrote :
Revision history for this message
In , Scheidell (scheidell) wrote :

I am getting ready to try it on FreeBSD. If anyone wants the ports patch let me know.
This applies cleanly to 0.97.5.

Revision history for this message
In , Dfs-q (dfs-q) wrote :

The patch did not compile for me. This patch did:

diff --git a/libclamav/scanners.c b/libclamav/scanners.c
index e84d735..1055b2c 100644
--- a/libclamav/scanners.c
+++ b/libclamav/scanners.c
@@ -2369,7 +2369,19 @@ static int magic_scandesc(int desc, cli_ctx *ctx, cli_file_t type)
      ctx->fmap--;
      cli_bitset_free(ctx->hook_lsig_matches);
      ctx->hook_lsig_matches = old_hook_lsig_matches;
- ret_from_magicscan(ret);
+ /* Same switch as end of magic_scandesc function */
+ switch(ret) {
+ case CL_EFORMAT:
+ case CL_EMAXREC:
+ case CL_EMAXSIZE:
+ case CL_EMAXFILES:
+ cli_dbgmsg("Descriptor: %s\n", cl_strerror(ret));
+ case CL_CLEAN: /* here, only from cli_checkfp() */
+ cache_add(hash, hashed_size, ctx);
+ ret_from_magicscan(CL_CLEAN);
+ default:
+ ret_from_magicscan(ret);
+ }
  }
     }

Revision history for this message
In , Scheidell (scheidell) wrote :

on of (us?) is off by 30 lines.
The original patch applied fine for me against 0.97.5 source tarball.

are you saying 'it didn't compile' ? or are you saying the patch did not apply?

(I am compiling now, both AMD64 and I386/32)

Revision history for this message
In , Scheidell (scheidell) wrote :

ok, I see:

cli_dbgmsg("Descriptor[%d]: %s\n", fmap_fd(*ctx->fmap), cl_strerror(ret));

gives me:

  CCLD clamscan
../libclamav/.libs/libclamav.so: undefined reference to `fmap_fd'
gmake[2]: *** [clamscan] Error 1
gmake[2]: Leaving directory `/work/a/ports/security/clamav/work/clamav-0.97.5/clamscan'
gmake[1]: *** [all-recursive] Error 1

you changed it to:

cli_dbgmsg("Descriptor: %s\n", cl_strerror(ret));

(still off by 30 lines.. strange)

Revision history for this message
In , Dfs-q (dfs-q) wrote :

> (still off by 30 lines.. strange)

I may have had some other patches... can't remember. I build Debian packages and there may be patches from the Debian maintainer in the mix.

Regards,

David.

Revision history for this message
Marc Cluet (lynxman) wrote :

Hi Dagaroth,

Thank you very much for your report!

This can be caused by an invalid main.cvd file or one that is broken in half after an unsuccessful update.

Your best course of action is to delete the database definitions at /var/lib/clamav and run freshclam so it refreshes all the files again.

Hope this solves your problem!

Changed in clamav (Ubuntu):
status: New → Invalid
Revision history for this message
Dagaroth (dagarothx95) wrote : Re: [Bug 1015405] Re: ClamAV error: CL_EFORMAT: Bad format or broken data

thx that what i did after the update again and all was good :D

freshclam solved it

On Thu, Jun 21, 2012 at 8:26 AM, Marc Cluet <email address hidden>wrote:

> Hi Dagaroth,
>
> Thank you very much for your report!
>
> This can be caused by an invalid main.cvd file or one that is broken in
> half after an unsuccessful update.
>
> Your best course of action is to delete the database definitions at
> /var/lib/clamav and run freshclam so it refreshes all the files again.
>
> Hope this solves your problem!
>
> ** Changed in: clamav (Ubuntu)
> Status: New => Invalid
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1015405
>
> Title:
> ClamAV error: CL_EFORMAT: Bad format or broken data
>
> Status in “clamav” package in Ubuntu:
> Invalid
>
> Bug description:
> got this in my syslog after update of clamav dunno if its a bug or not
>
> Jun 19 21:47:29 server dansguardian[]: ClamAV error: CL_EFORMAT: Bad
> format or broken data
> Jun 19 21:47:29 server dansguardian[]: scanFile/Memory returned error: -1
>
> update version
> 0.97.5
>
> ubuntu 11.04
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1015405/+subscriptions
>

Revision history for this message
Dagaroth (dagarothx95) wrote :

just wondering if u any good with netfilter, btw??

On Thu, Jun 21, 2012 at 10:06 AM, Dagaroth D` <email address hidden> wrote:

> thx that what i did after the update again and all was good :D
>
> freshclam solved it
>
> On Thu, Jun 21, 2012 at 8:26 AM, Marc Cluet <email address hidden>wrote:
>
>> Hi Dagaroth,
>>
>> Thank you very much for your report!
>>
>> This can be caused by an invalid main.cvd file or one that is broken in
>> half after an unsuccessful update.
>>
>> Your best course of action is to delete the database definitions at
>> /var/lib/clamav and run freshclam so it refreshes all the files again.
>>
>> Hope this solves your problem!
>>
>> ** Changed in: clamav (Ubuntu)
>> Status: New => Invalid
>>
>> --
>> You received this bug notification because you are subscribed to the bug
>> report.
>> https://bugs.launchpad.net/bugs/1015405
>>
>> Title:
>> ClamAV error: CL_EFORMAT: Bad format or broken data
>>
>> Status in “clamav” package in Ubuntu:
>> Invalid
>>
>> Bug description:
>> got this in my syslog after update of clamav dunno if its a bug or not
>>
>> Jun 19 21:47:29 server dansguardian[]: ClamAV error: CL_EFORMAT: Bad
>> format or broken data
>> Jun 19 21:47:29 server dansguardian[]: scanFile/Memory returned error: -1
>>
>> update version
>> 0.97.5
>>
>> ubuntu 11.04
>>
>> To manage notifications about this bug go to:
>>
>> https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1015405/+subscriptions
>>
>
>

Revision history for this message
In , Draynor (draynor) wrote :

There is a one line difference between the versions of the patch for the master code branch and 0.97 branch, and that debug line is it.

Here is the commit for the 0.97 version (the diff David posted):
http://git.clamav.net/gitweb?p=clamav-devel.git;a=commit;h=6a879ad98460303b23a6fc119769a3b463a902f8

The patch should apply cleanly to 0.97.5. Regression tests are running as we speak so we can be confident in the results. I'll give more status details as I have them.

Revision history for this message
In , Jlvazquez (jlvazquez) wrote :

*** Bug 5346 has been marked as a duplicate of this bug. ***

Revision history for this message
In , sergiomb (sergio-sergiomb) wrote :

I hit same error with clamav-0.97.5-1600.fc16 :

https://admin.fedoraproject.org/updates/FEDORA-2012-9577/clamav-0.97.5-1600.fc16

this is a show stopper

Revision history for this message
In , Nrthomas (nrthomas) wrote :

Is there any ETA for shipping this fix ?

Revision history for this message
In , Jhopkins-i (jhopkins-i) wrote :
Revision history for this message
In , Garrod-alwood (garrod-alwood) wrote :

If you are seeing this error, then I suggest completing the patch. It tested on my debian 6.0 compiled 0.97.5 with the patch, the issue no longer occurs. I can't wait till the regression tests are finished.

Revision history for this message
In , sergiomb (sergio-sergiomb) wrote :

(In reply to comment #14)
> If you are seeing this error, then I suggest completing the patch. It tested on
> my debian 6.0 compiled 0.97.5 with the patch, the issue no longer occurs. I
> can't wait till the regression tests are finished.

1 - where is the patch ?
2 - Still not have the answer, when we have a new release ?

Revision history for this message
In , Matthew Olney (molney) wrote :

The fix for bug is currently in regression testing.

Revision history for this message
Christopher Forster (christopherforster) wrote :

ClamAV has a problem on Lubuntu 12.04 running the "-r Scan subdirectories recursively" flag:
"IMT.msp: CL_EFORMAT: Bad format or broken data ERROR"

Revision history for this message
Christopher Forster (christopherforster) wrote :

(gdb) run sudo clamscan -r /host

----------- SCAN SUMMARY -----------
Known viruses: 1267117
Engine version: 0.97.5
Scanned directories: 31678
Scanned files: 159513
Infected files: 0
Total errors: 195
Data scanned: 29222.71 MB
Data read: 45128.95 MB (ratio 0.65:1)
Time: 4827.235 sec (80 m 27 s)
[Inferior 1 (process 4885) exited with code 02]
(gdb) backtrace
No stack.
(gdb) quit

Revision history for this message
Dagaroth (dagarothx95) wrote :

ah i use 11.04 but it seems i resolved the problem already.

On Thu, Jul 5, 2012 at 11:59 AM, Christopher Forster <
<email address hidden>> wrote:

> (gdb) run sudo clamscan -r /host
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1267117
> Engine version: 0.97.5
> Scanned directories: 31678
> Scanned files: 159513
> Infected files: 0
> Total errors: 195
> Data scanned: 29222.71 MB
> Data read: 45128.95 MB (ratio 0.65:1)
> Time: 4827.235 sec (80 m 27 s)
> [Inferior 1 (process 4885) exited with code 02]
> (gdb) backtrace
> No stack.
> (gdb) quit
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1015405
>
> Title:
> ClamAV error: CL_EFORMAT: Bad format or broken data
>
> Status in “clamav” package in Ubuntu:
> Invalid
>
> Bug description:
> got this in my syslog after update of clamav dunno if its a bug or not
>
> Jun 19 21:47:29 server dansguardian[]: ClamAV error: CL_EFORMAT: Bad
> format or broken data
> Jun 19 21:47:29 server dansguardian[]: scanFile/Memory returned error: -1
>
> update version
> 0.97.5
>
> ubuntu 11.04
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1015405/+subscriptions
>

Revision history for this message
Dagaroth (dagarothx95) wrote :

i used the remedy a few post back
i would be grateful if someone could just verify my netfilter configs are
good.

On Thu, Jul 5, 2012 at 12:18 PM, Dagaroth D` <email address hidden> wrote:

> ah i use 11.04 but it seems i resolved the problem already.
>
>
> On Thu, Jul 5, 2012 at 11:59 AM, Christopher Forster <
> <email address hidden>> wrote:
>
>> (gdb) run sudo clamscan -r /host
>>
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 1267117
>> Engine version: 0.97.5
>> Scanned directories: 31678
>> Scanned files: 159513
>> Infected files: 0
>> Total errors: 195
>> Data scanned: 29222.71 MB
>> Data read: 45128.95 MB (ratio 0.65:1)
>> Time: 4827.235 sec (80 m 27 s)
>> [Inferior 1 (process 4885) exited with code 02]
>> (gdb) backtrace
>> No stack.
>> (gdb) quit
>>
>> --
>> You received this bug notification because you are subscribed to the bug
>> report.
>> https://bugs.launchpad.net/bugs/1015405
>>
>> Title:
>> ClamAV error: CL_EFORMAT: Bad format or broken data
>>
>> Status in “clamav” package in Ubuntu:
>> Invalid
>>
>> Bug description:
>> got this in my syslog after update of clamav dunno if its a bug or not
>>
>> Jun 19 21:47:29 server dansguardian[]: ClamAV error: CL_EFORMAT: Bad
>> format or broken data
>> Jun 19 21:47:29 server dansguardian[]: scanFile/Memory returned error:
>> -1
>>
>> update version
>> 0.97.5
>>
>> ubuntu 11.04
>>
>> To manage notifications about this bug go to:
>>
>> https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1015405/+subscriptions
>>
>
>

Revision history for this message
In , Xascha (xascha) wrote :

I'm having the same false positive with clamav-0.97.5 + current db, but with an mp4 file. Worked with older db's.

Revision history for this message
In , sergiomb (sergio-sergiomb) wrote :

(In reply to comment #16)
> The fix for bug is currently in regression testing.

and what is the date ( in a number ) that regression testing finish ?

2 - Still not have the answer, when we have a new release ?

we be one week , one month or one year ?

Revision history for this message
In , Dfs-q (dfs-q) wrote :

Yes, the slow reaction to this (IMO) critical bug is very disappointing. Something as serious as this should definitely prompt a new release.

For our customers, we build packages with the patch in Comment #5 or Comment #9 and it works fine.

Regards,

David.

Revision history for this message
Gerald Combs (gerald.combs) wrote :

It looks like this is a known bug in ClamAV 0.97.5 and will be fixed in 0.97.6: https://bugzilla.clamav.net/show_bug.cgi?id=5252

Revision history for this message
In , Scott Kitterman (kitterman) wrote :

(In reply to comment #15)
> (In reply to comment #14)
> > If you are seeing this error, then I suggest completing the patch. It tested on
> > my debian 6.0 compiled 0.97.5 with the patch, the issue no longer occurs. I
> > can't wait till the regression tests are finished.
>
> 1 - where is the patch ?
> 2 - Still not have the answer, when we have a new release ?

Would you please file a release critical bug against the clamav package in Debian for this issue? I'm one of the Debian clamav maintainers and that will help me get the fix into Wheezy (and Squeeze).

Please give some indication of the steps to reproduce the issue so I can better demonstrate the problem/solution and get it approved.

Revision history for this message
Dagaroth (dagarothx95) wrote :

ok, sounds good :D

On Wed, Jul 25, 2012 at 11:44 AM, Gerald Combs <email address hidden> wrote:

> It looks like this is a known bug in ClamAV 0.97.5 and will be fixed in
> 0.97.6: https://bugzilla.clamav.net/show_bug.cgi?id=5252
>
> ** Bug watch added: bugzilla.clamav.net/ #5252
> https://bugzilla.clamav.net/show_bug.cgi?id=5252
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1015405
>
> Title:
> ClamAV error: CL_EFORMAT: Bad format or broken data
>
> Status in “clamav” package in Ubuntu:
> Invalid
>
> Bug description:
> got this in my syslog after update of clamav dunno if its a bug or not
>
> Jun 19 21:47:29 server dansguardian[]: ClamAV error: CL_EFORMAT: Bad
> format or broken data
> Jun 19 21:47:29 server dansguardian[]: scanFile/Memory returned error: -1
>
> update version
> 0.97.5
>
> ubuntu 11.04
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1015405/+subscriptions
>

Revision history for this message
Dagaroth (dagarothx95) wrote :

any idea about this one

pulseaudio[1810]: alsa-sink.c: ALSA woke us up to write new data to the
device, but there was actually nothing to write!
Jul 25 02:45:32 myserver pulseaudio[1810]: alsa-sink.c: Most likely this is
a bug in the ALSA driver 'snd_hda_intel'. Please report this issue to the
ALSA developers.
Jul 25 02:45:32 myserver pulseaudio[1810]: alsa-sink.c: We were woken up
with POLLOUT set -- however a subsequent snd_pcm_avail() returned 0 or
another value < min_avail.

showed up while playing a flash game :D

On Wed, Jul 25, 2012 at 1:52 PM, Dagaroth D` <email address hidden> wrote:

> ok, sounds good :D
>
>
> On Wed, Jul 25, 2012 at 11:44 AM, Gerald Combs <email address hidden>wrote:
>
>> It looks like this is a known bug in ClamAV 0.97.5 and will be fixed in
>> 0.97.6: https://bugzilla.clamav.net/show_bug.cgi?id=5252
>>
>> ** Bug watch added: bugzilla.clamav.net/ #5252
>> https://bugzilla.clamav.net/show_bug.cgi?id=5252
>>
>> --
>> You received this bug notification because you are subscribed to the bug
>> report.
>> https://bugs.launchpad.net/bugs/1015405
>>
>> Title:
>> ClamAV error: CL_EFORMAT: Bad format or broken data
>>
>> Status in “clamav” package in Ubuntu:
>> Invalid
>>
>> Bug description:
>> got this in my syslog after update of clamav dunno if its a bug or not
>>
>> Jun 19 21:47:29 server dansguardian[]: ClamAV error: CL_EFORMAT: Bad
>> format or broken data
>> Jun 19 21:47:29 server dansguardian[]: scanFile/Memory returned error:
>> -1
>>
>> update version
>> 0.97.5
>>
>> ubuntu 11.04
>>
>> To manage notifications about this bug go to:
>>
>> https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1015405/+subscriptions
>>
>
>

Revision history for this message
In , Carter Browne (cbrowne-cbcs-usa) wrote :

This problems happens on RPMs as well.
I applied the patch and when I try to compile is get:
../libclamav/.libs/libclamav.so: undefined reference to `fmap_fd'

Environment Redhat AS 5.8
GCC gcc44-4.4.6-3

Revision history for this message
In , sergiomb (sergio-sergiomb) wrote :

(In reply to comment #20)
> (In reply to comment #15)
> > (In reply to comment #14)
> > > If you are seeing this error, then I suggest completing the patch. It tested on
> > > my debian 6.0 compiled 0.97.5 with the patch, the issue no longer occurs. I
> > > can't wait till the regression tests are finished.
> >
> > 1 - where is the patch ?
> > 2 - Still not have the answer, when we have a new release ?
>
> Would you please file a release critical bug against the clamav package in
> Debian for this issue? I'm one of the Debian clamav maintainers and that will
> help me get the fix into Wheezy (and Squeeze).
>
> Please give some indication of the steps to reproduce the issue so I can better
> demonstrate the problem/solution and get it approved.

I use and test it in Fedora 16, 0.97.5 have been push to stable updates , due a security concerns, I had to exclude clamav from updates ...

Still not see, where is the patch, neither when we expect a need release ...
At least let me know when was released by writing in this bug report.

Revision history for this message
In , SeanBoran (sean-boran) wrote :

FYI after a regular patching of Ubuntu 11.04, clam has started giving this error too (I hit it on a squid proxy scanning attachments).
The Ubuntu tracking of this bug is:
https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1015405
Any news on when 0.97.6 might appear? Since I'm using standard Ubuntu packages I'd prefer an official clam release that gets pull into Ubuntu, as opposed to compiling from source.

Revision history for this message
In , Befsup (befsup) wrote :

We need this fix too.
This is really urgent.

Revision history for this message
In , Befsup (befsup) wrote :

Please give us a rough date for 0.97.6.
We have to supply our customers with a rough guess when this error will be fixed.

Revision history for this message
Scott Kitterman (kitterman) wrote :

This is a valid bug.

Changed in clamav (Ubuntu):
status: Invalid → Triaged
Changed in clamav (Ubuntu):
milestone: none → ubuntu-12.10-beta-1
assignee: nobody → Scott Kitterman (kitterman)
importance: Undecided → High
Changed in clamav (Ubuntu Precise):
status: New → Triaged
Changed in clamav (Ubuntu Oneiric):
status: New → Triaged
Changed in clamav (Ubuntu Natty):
status: New → Triaged
Changed in lucid-backports:
status: New → Triaged
Changed in hardy-backports:
status: New → Triaged
importance: Undecided → High
Changed in lucid-backports:
importance: Undecided → High
Changed in clamav (Ubuntu Natty):
importance: Undecided → High
Changed in clamav (Ubuntu Oneiric):
importance: Undecided → High
Changed in clamav (Ubuntu Precise):
importance: Undecided → High
Changed in clamav (Ubuntu Natty):
milestone: none → natty-updates
Changed in clamav (Ubuntu Oneiric):
milestone: none → oneiric-updates
Changed in clamav (Ubuntu Precise):
milestone: none → precise-updates
Revision history for this message
In , Scott Kitterman (kitterman) wrote :

I've uploaded an updated package with the patch for this issue to Debian Unstable. From there it will propagate to Debian Wheezy/Squeeze Updates and Ubuntu.

Revision history for this message
In , Draynor (draynor) wrote :

Since I know many of you on this CC list have been asking, the complete 0.97.6 update including this patch is coming very soon.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.97.5+dfsg-6ubuntu1

---------------
clamav (0.97.5+dfsg-6ubuntu1) quantal; urgency=low

  * Merge from Debian unstable (LP: #1015405). Remaining changes:
    - Drop build-dep on electric-fence (in Universe)
    - Add apparmor profiles for clamd and freshclam along with maintainer
      script changes

clamav (0.97.5+dfsg-6) unstable; urgency=medium

  * Urgency medium for RC bug fix the addressess regression from 0.97.3
  * Add changes from upstream commit 6a879ad98460303b23a6fc119769a3b463a902f8
    to fix unpack errors for various compressed files including some .bz2,
    .xls, .doc, and PDF (Closes: #684697)

clamav (0.97.5+dfsg-5) unstable; urgency=low

  * Drop /var/run/clamav from the directories shipped in clamav-base (policy
    9.1.4) and trust it will get cleaned up on boot
    - Thanks to Andreas Beckmann for the cluebat

clamav (0.97.5+dfsg-4) unstable; urgency=low

  * Drop postrm snippets from clamav-base, clamav-freshclam, clamav-daemon,
    and clamav-milter that remove /var/log/clamav, /var/lib/clamav,
    /var/run/clamav, and /etc/clamav and and let dpkg remove the directories
    once they are empty in order to fix problems with directory removal by a
    package that did not own the directory (Closes: #681960)
  * Add /var/run/clamav to directories shipped by clamav-base so dpkg cleanup
    will work for it too.
 -- Scott Kitterman <email address hidden> Tue, 14 Aug 2012 21:29:59 -0400

Changed in clamav (Ubuntu Quantal):
status: Triaged → Fix Released
Revision history for this message
Scott Kitterman (kitterman) wrote :

This file triggers the issue.

description: updated
tags: added: regression-release regression-update
tags: removed: regression-update
Revision history for this message
Scott Kitterman (kitterman) wrote :

Marking as security since this regression was introduced through the security pocket.

security vulnerability: no → yes
Changed in clamav (Ubuntu Precise):
status: Triaged → Confirmed
Revision history for this message
Scott Kitterman (kitterman) wrote :

Oneiric

Changed in clamav (Ubuntu Oneiric):
status: Triaged → Confirmed
Revision history for this message
Scott Kitterman (kitterman) wrote :

Better debdiff for precise

Revision history for this message
Scott Kitterman (kitterman) wrote :

Natty debdiff

Changed in clamav (Ubuntu Natty):
status: Triaged → Confirmed
Revision history for this message
Scott Kitterman (kitterman) wrote :

Accepting clamav/0.97.5+dfsg-1ubuntu0.11.04.2~10.04.2

Changed in lucid-backports:
assignee: nobody → Scott Kitterman (kitterman)
status: Triaged → Fix Released
Revision history for this message
Scott Kitterman (kitterman) wrote :

Accepting clamav/0.97.5+dfsg-1ubuntu0.11.04.2~08.04.2

Changed in hardy-backports:
assignee: nobody → Scott Kitterman (kitterman)
status: Triaged → Fix Released
Changed in clamav:
importance: Unknown → Medium
status: Unknown → In Progress
Changed in clamav (Debian):
status: Unknown → Fix Released
Revision history for this message
Steve Beattie (sbeattie) wrote :

Thanks Scott, I'm reviewing the natty, oneiric, and precise debdiffs now.

Changed in clamav (Ubuntu Natty):
assignee: nobody → Steve Beattie (sbeattie)
Changed in clamav (Ubuntu Precise):
assignee: nobody → Steve Beattie (sbeattie)
Changed in clamav (Ubuntu Oneiric):
assignee: nobody → Steve Beattie (sbeattie)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.97.5+dfsg-1ubuntu0.12.04.3

---------------
clamav (0.97.5+dfsg-1ubuntu0.12.04.3) precise-security; urgency=low

   * SECURITY REGRESSION: Fix scanning failure. (LP: #1015405)
    - Upstream commit 6a879ad98460303b23a6fc119769a3b463a902f8 to fix unpack
      errors for various compressed files including some .bz2, .xls, .doc, and
      PDF
 -- Scott Kitterman <email address hidden> Tue, 14 Aug 2012 21:51:52 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.97.5+dfsg-1ubuntu0.11.10.3

---------------
clamav (0.97.5+dfsg-1ubuntu0.11.10.3) oneiric-security; urgency=low

  * SECURITY REGRESSION: Fix scanning failure. (LP: #1015405)
    - Upstream commit 6a879ad98460303b23a6fc119769a3b463a902f8 to fix unpack
      errors for various compressed files including some .bz2, .xls, .doc, and
      PDF
 -- Scott Kitterman <email address hidden> Tue, 14 Aug 2012 21:58:45 -0400

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.97.5+dfsg-1ubuntu0.11.04.3

---------------
clamav (0.97.5+dfsg-1ubuntu0.11.04.3) natty-security; urgency=low

  * SECURITY REGRESSION: Fix scanning failure. (LP: #1015405)
    - Upstream commit 6a879ad98460303b23a6fc119769a3b463a902f8 to fix unpack
      errors for various compressed files including some .bz2, .xls, .doc, and
      PDF
 -- Scott Kitterman <email address hidden> Tue, 14 Aug 2012 22:07:10 -0400

Changed in clamav (Ubuntu Natty):
status: Confirmed → Fix Released
Changed in clamav (Ubuntu Oneiric):
status: Confirmed → Fix Released
Changed in clamav (Ubuntu Precise):
status: Confirmed → Fix Released
Revision history for this message
In , Scott Kitterman (kitterman) wrote :

For Debian/Ubuntu users, there is an update to 0.97.5 with the patch that fixes this issue. For Debian it's in Unstable and should get to Wheezy over the weekend and it's in stable-proposed-updates and should get to stable-updates today. For Ubuntu the update is available as of today for all releases.

Revision history for this message
In , Dagaroth (dagarothx95) wrote : Re: [Bug 1015405] Re: ClamAV error: CL_EFORMAT: Bad format or broken data

yup, got it already thx :)

On Thu, Aug 16, 2012 at 8:28 AM, Scott Kitterman <email address hidden>wrote:

> For Debian/Ubuntu users, there is an update to 0.97.5 with the patch
> that fixes this issue. For Debian it's in Unstable and should get to
> Wheezy over the weekend and it's in stable-proposed-updates and should
> get to stable-updates today. For Ubuntu the update is available as of
> today for all releases.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1015405
>
> Title:
> ClamAV error: CL_EFORMAT: Bad format or broken data
>
> Status in The ClamAV Antivirus Scanner:
> In Progress
> Status in Hardy Heron Backports:
> Fix Released
> Status in Lucid Backports:
> Fix Released
> Status in “clamav” package in Ubuntu:
> Fix Released
> Status in “clamav” source package in Natty:
> Fix Released
> Status in “clamav” source package in Oneiric:
> Fix Released
> Status in “clamav” source package in Precise:
> Fix Released
> Status in “clamav” source package in Quantal:
> Fix Released
> Status in “clamav” package in Debian:
> Fix Released
>
> Bug description:
> [IMPACT]
>
> * Scanning errors on some files of some important types like PDF,
> DOC, XLS, and tar.bz2.
>
> * Can cause major disruption of mail servers and other applications
>
> * Regression from previous releases
>
> * Bug fix is upstream fix that will be included in the next clamav
> release.
>
> [TESTCASE]
>
> * sudo apt-get install clamav (if not already installed) and once the
> package is installed and signatures are downloaded you are ready to
> test.
>
> * With an appropriate test file (the thunderbird bz2 file that is
> attached to the bug is one such file) run $ clamscan $FILENAME and you
> should get an error as described in the original bug.
>
> * Install the updated packages from -proposed
>
> * Run the test again and it should test OK (no error and no virus
> found).
>
> [Regression Potential]
>
> * Nil. Patch taken from upstream and given where the patch is in the
> code it would be very difficult to regress.
>
> Original bug:
>
> got this in my syslog after update of clamav dunno if its a bug or not
>
> Jun 19 21:47:29 server dansguardian[]: ClamAV error: CL_EFORMAT: Bad
> format or broken data
> Jun 19 21:47:29 server dansguardian[]: scanFile/Memory returned error: -1
>
> update version
> 0.97.5
>
> ubuntu 11.04
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/clamav/+bug/1015405/+subscriptions
>

Revision history for this message
In , Scott Kitterman (kitterman) wrote :

For Debian/Ubuntu users, there is an update to 0.97.5 with the patch
that fixes this issue. For Debian it's in Unstable and should get to
Wheezy over the weekend and it's in stable-proposed-updates and should
get to stable-updates today. For Ubuntu the update is available as of
today for all releases.

Revision history for this message
In , Kirk-strong (kirk-strong) wrote :

I just built and installed clamav 0.97.5 on a Solaris 11 system that had 0.97.4 running successfully and within a few hours I encountered this issue.

When will 0.97.6 be available and does it include a fix? How can I get the fix prior to 0.97.6 release?

Thanks in advance.

Kirk

Changed in clamav:
status: In Progress → Fix Released
Revision history for this message
In , Draynor (draynor) wrote :

ClamAV 0.97.6 is available. Thanks for your patience.

Revision history for this message
In , E-mui (e-mui) wrote :

(In reply to comment #30)
> ClamAV 0.97.6 is available. Thanks for your patience.

Thanks David! Do you happen to know when the fix will be available for CentOS?

Revision history for this message
In , Draynor (draynor) wrote :

(In reply to comment #31)
> (In reply to comment #30)
> > ClamAV 0.97.6 is available. Thanks for your patience.
>
> Thanks David! Do you happen to know when the fix will be available for CentOS?

With a quick online search, I see several package repositories have rpm files available for 0.97.6 already. You should be able to find the build that you need without much trouble.

Revision history for this message
In , Draynor (draynor) wrote :

*** Bug 5735 has been marked as a duplicate of this bug. ***

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.