Ubuntu
clamav package

clamav-daemon won't start after upgrade to 0.100.1+dfsg, complaining of "Unknown option StatsEnabled"

Bug #1783632 reported by Dara Poon
266
This bug affects 3 people
Affects Status Importance Assigned to Milestone
clamav (Debian)
Fix Released
Unknown
clamav (Ubuntu)
Fix Released
Undecided
Unassigned
Precise
Fix Released
Undecided
Leonidas S. Barbosa
Trusty
Fix Released
Undecided
Marc Deslauriers
Xenial
Fix Released
Undecided
Marc Deslauriers
Bionic
Fix Released
Undecided
Marc Deslauriers
Cosmic
Fix Released
Undecided
Unassigned

Bug Description

On Ubuntu 16.04 LTS, clamav-daemon was upgraded 0.99.4+addedllvm-0ubuntu0.16.04.1 to 0.100.1+dfsg-1ubuntu0.16.04.1 as part of USN 3722-1 (https://usn.ubuntu.com/3722-1/). After the upgrade clamav-daemon fails to restart:

# systemctl status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/clamav-daemon.service.d
           └─extend.conf
   Active: failed (Result: exit-code) since Wed 2018-07-25 11:57:22 PDT; 1min 6s ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Process: 20017 ExecStart=/usr/sbin/clamd --foreground=true (code=exited, status=1/FAILURE)
  Process: 20013 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
  Process: 20008 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=1/FAILURE)
 Main PID: 20017 (code=exited, status=1/FAILURE)

Jul 25 11:57:22 smtp4 systemd[1]: Starting Clam AntiVirus userspace daemon...
Jul 25 11:57:22 smtp4 mkdir[20008]: /bin/mkdir: cannot create directory ‘/run/clamav’: File exists
Jul 25 11:57:22 smtp4 systemd[1]: Started Clam AntiVirus userspace daemon.
Jul 25 11:57:22 smtp4 clamd[20017]: ERROR: Parse error at line 76: Unknown option StatsEnabled
Jul 25 11:57:22 smtp4 clamd[20017]: ERROR: Can't open/parse the config file /etc/clamav/clamd.conf
Jul 25 11:57:22 smtp4 systemd[1]: clamav-daemon.service: Main process exited, code=exited, status=1/FAILURE
Jul 25 11:57:22 smtp4 systemd[1]: clamav-daemon.service: Unit entered failed state.
Jul 25 11:57:22 smtp4 systemd[1]: clamav-daemon.service: Failed with result 'exit-code'.

The regression seems to have been introduced upstream: 0.99.4 supports StatsEnabled and related options in clamd.conf, whereas 0.100.0 dropped support for those directives. See https://github.com/Cisco-Talos/clamav-devel/commit/16bd67 .

/etc/clamav/clamd.conf could be regenerated programmatically, but that was not automatically done as part of the upgrade. I'm filing this as an Ubuntu bug because a security upgrade should never cause a production server to break, and because USN 3722-1 never mentions the possibility of such breakage.

CVE References

Dara Poon (dpoon)
information type: Public → Public Security
Hans Joachim Desserud (hjd)
tags: added: regression-update xenial
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

/etc/clamav/clamd.conf is in fact supposed to get regenerated by the clamav-daemon postinst.

Could you please attach your /var/log/dist-upgrade/apt.log and /var/log/dist-upgrade/apt-term.log files?

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in clamav (Ubuntu):
status: New → Confirmed
Revision history for this message
Barry Kolts (bhkolts) wrote :

I can confirm this in 14.04.5 Trusty. Attached is the apt log /var/log/apt/term.
A quick work around was to comment out these lines in /etc/clamav/clamd.conf
#StatsEnabled false
#StatsPEDisabled true
#StatsHostID auto
#StatsTimeout 10

As a side note, I use the Thunderbird extension clamrib to scan my emails. Clamrib requires these lines in /etc/clamav.clamd.conf
TCPSocket 3310
TCPAddr localhost
I have these lines added at the bottom of clamd.conf. I'm not sure if this had anything to do with the bug but include it for completeness.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Did you manually modify your clamd.conf file, or did you modify it using dpkg-reconfigure as mentioned at the top of the file?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

When the update was installed, did you get prompted about how to handle the manual modifications to the clamd.conf file?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I will release an update today that warns about the options removed in the new version instead of failing to start when using a configuration file that was manually edited.

Marc Deslauriers (mdeslaur)
Changed in clamav (Ubuntu Precise):
status: New → Confirmed
Changed in clamav (Ubuntu Trusty):
status: New → Confirmed
Changed in clamav (Ubuntu Xenial):
status: New → Confirmed
Changed in clamav (Ubuntu Bionic):
status: New → Confirmed
Changed in clamav (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in clamav (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in clamav (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in clamav (Ubuntu Precise):
assignee: nobody → Leonidas S. Barbosa (leosilvab)
Revision history for this message
Barry Kolts (bhkolts) wrote :

Marc,
I manually changed clamd.conf. There was no indication from the installer that there was any changes to clamd.conf. The only indication I had was when the Thunderbird extension, clamrib, complained it couldn't connect to clamd. I checked clamd and indeed it was not running. I tried to restart it using the System V init script. It complained about an unknown option StatsEnabled. So I commented out StatsEnabled. and tried to start clamd. It compained about the option StatsTimeout. So I commented it out and repeated this process until clamd started.
Releasing an update warning about changes for user modified clamd.conf should be a good solution.
Thanks for the prompt work on this.

Bug Watch Updater (bug-watch-updater)
Changed in clamav (Debian):
status: Unknown → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.100.1+dfsg-1ubuntu0.14.04.2

---------------
clamav (0.100.1+dfsg-1ubuntu0.14.04.2) trusty-security; urgency=medium

  * SECURITY REGRESSION: clamav-daemon fails to start due to options
    removed in new version and manually edited configuration file.
    (LP: #1783632)
    - debian/patches/Deprecate-unused-options-instead-of-removing-it.patch:
      add patch from Debian stretch to simply warn about removed options.

 -- Marc Deslauriers <email address hidden> Thu, 26 Jul 2018 10:28:32 -0400

Changed in clamav (Ubuntu Trusty):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.100.1+dfsg-1ubuntu0.18.04.2

---------------
clamav (0.100.1+dfsg-1ubuntu0.18.04.2) bionic-security; urgency=medium

  * SECURITY REGRESSION: clamav-daemon fails to start due to options
    removed in new version and manually edited configuration file.
    (LP: #1783632)
    - debian/patches/Deprecate-unused-options-instead-of-removing-it.patch:
      add patch from Debian stretch to simply warn about removed options.

 -- Marc Deslauriers <email address hidden> Thu, 26 Jul 2018 10:24:27 -0400

Changed in clamav (Ubuntu Bionic):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.100.1+dfsg-1ubuntu0.16.04.2

---------------
clamav (0.100.1+dfsg-1ubuntu0.16.04.2) xenial-security; urgency=medium

  * SECURITY REGRESSION: clamav-daemon fails to start due to options
    removed in new version and manually edited configuration file.
    (LP: #1783632)
    - debian/patches/Deprecate-unused-options-instead-of-removing-it.patch:
      add patch from Debian stretch to simply warn about removed options.

 -- Marc Deslauriers <email address hidden> Thu, 26 Jul 2018 10:27:58 -0400

Changed in clamav (Ubuntu Xenial):
status: Confirmed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.100.1+dfsg-1ubuntu2

---------------
clamav (0.100.1+dfsg-1ubuntu2) cosmic; urgency=medium

  * clamav-daemon may fail to start due to options removed in new version
    and manually edited configuration file. (LP: #1783632)
    - debian/patches/Deprecate-unused-options-instead-of-removing-it.patch:
      add patch from Debian stretch to simply warn about removed options.

 -- Marc Deslauriers <email address hidden> Thu, 26 Jul 2018 11:00:29 -0400

Changed in clamav (Ubuntu Cosmic):
status: Confirmed → Fix Released
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I have published an update which ignored the removed options. Thanks for reporting this issue and providing details!

https://usn.ubuntu.com/3722-3/

Revision history for this message
Dara Poon (dpoon) wrote :

Thanks for the updated package.

For the record, I had never modified the contents or metadata of clamd.conf when the failure happened. It was running on the configuration that was auto-generated at install.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package clamav - 0.102.4+dfsg-0ubuntu0.12.04.1

---------------
clamav (0.102.4+dfsg-0ubuntu0.12.04.1) precise-security; urgency=medium

  * Updated to 0.102.2 to fix security issues
    - debian/libclamav9.symbols: updated for new version.
    - debian/rules: bumped CL_FLEVEL to 115.
    - CVE-2020-3327
    - CVE-2020-3350
    - CVE-2020-3481

 -- <email address hidden> (Leonidas S. Barbosa) Fri, 24 Jul 2020 10:33:01 -0300

Changed in clamav (Ubuntu Precise):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.