| Summary: | clamav new security issues CVE-2024-20290 and CVE-2024-20328 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, mageia, marja11, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://blog.clamav.net/2023/11/clamav-130-122-105-released.html | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | clamav-1.0.3-1.mga9.src.rpm | CVE: | CVE-2024-20290, CVE-2024-20328 |
| Status comment: | |||
|
Description
Nicolas Salguero
2024-02-08 11:54:56 CET
Nicolas Salguero
2024-02-08 11:55:37 CET
Whiteboard:
(none) =>
MGA9TOO

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A possible heap overflow read bug in the OLE2 file parser that could cause a denial-of-service (DoS) condition. (CVE-2024-20290)

A possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. (CVE-2024-20328)

References:
https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
========================

Updated packages in core/updates_testing:
========================
clamav-1.0.5-1.mga9
clamav-db-1.0.5-1.mga9
clamav-milter-1.0.5-1.mga9
clamd-1.0.5-1.mga9
lib(64)clamav11-1.0.5-1.mga9
lib(64)clamav-devel-1.0.5-1.mga9

from SRPM:
clamav-1.0.5-1.mga9.src.rpm

Status:
NEW =>
ASSIGNED

Installed and tested with one possible issue of high memory usage.
I don't normally use clamav so the tests are somewhat basic.
Tested:
- running clamav-daemon with the systemd service;
- updating malware signatures with freshclam;
- running a scan with clamscan;
One thing I noticed is that both the clamav daemon and the scanner use 2.5 GiB each.
I don't know if this is normal but to me it seems way too much, in particular for
the daemon that is to be always running in the background.
System: Mageia 9, x86_64, Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz.
# uname -a
Linux marte 6.6.14-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Sat Jan 27 01:13:53 UTC 2024 x86_64 GNU/Linux
# rpm -qa | grep clam
lib64clamav11-1.0.3-1.mga9
clamav-db-1.0.3-1.mga9
clamav-1.0.3-1.mga9
clamd-1.0.3-1.mga9
# ps_mem.py
Private + Shared = RAM used Program
<SNIP>
1.2 GiB + 1.2 GiB = 2.5 GiB clamd
1.3 GiB + 1.3 GiB = 2.5 GiB clamscan
---------------------------------
5.6 GiB
=================================
# systemctl status clamav-daemon.service
● clamav-daemon.service - Clam AntiVirus userspace daemon
Loaded: loaded (/usr/lib/systemd/system/clamav-daemon.service; disabled; preset: disabled)
Active: active (running) since Fri 2024-02-09 15:37:30 WET; 16min ago
TriggeredBy: ● clamav-daemon.socket
Docs: man:clamd(8)
man:clamd.conf(5)
https://docs.clamav.net/
Main PID: 3754764 (clamd)
Tasks: 2 (limit: 19042)
Memory: 1.2G
CPU: 14.520s
CGroup: /system.slice/clamav-daemon.service
└─3754764 /usr/sbin/clamd --foreground=true
fev 09 15:37:44 marte clamd[3754764]: XMLDOCS support enabled.
fev 09 15:37:44 marte clamd[3754764]: HWP3 support enabled.
fev 09 15:37:44 marte clamd[3754764]: Self checking every 600 seconds.
fev 09 15:37:44 marte clamd[3754764]: Listening daemon: PID: 3754764
fev 09 15:37:44 marte clamd[3754764]: WARNING: MaxThreads * MaxRecursion is too high: 1088, open file descriptor limit is: 1024
fev 09 15:37:44 marte clamd[3754764]: WARNING: MaxQueue value too high, lowering to: 64
fev 09 15:37:44 marte clamd[3754764]: MaxQueue set to: 64
fev 09 15:47:45 marte clamd[3754764]: SelfCheck: Database status OK.
fev 09 15:50:26 marte clamd[3754764]: Client disconnected (FD 9)
fev 09 15:51:27 marte clamd[3754764]: Client disconnected (FD 9)
# freshclam
Current working dir is /var/lib/clamav/
Loaded freshclam.dat:
version: 1
uuid: d69b9c21-f77f-4bb2-9207-33007eb62777
ClamAV update process started at Fri Feb 9 15:37:39 2024
Current working dir is /var/lib/clamav/
Querying current.cvd.clamav.net
TTL: 1013
fc_dns_query_update_info: Software version from DNS: 0.103.11
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of daily found: daily.cld.
query_remote_database_version: daily.cvd version from DNS: 27180
daily.cld database is up-to-date (version: 27180, sigs: 2052672, f-level: 90, builder: raynman)
fc_update_database: daily.cld already up-to-date.
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of main found: main.cvd.
query_remote_database_version: main.cvd version from DNS: 62
main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
fc_update_database: main.cvd already up-to-date.
Current working dir is /var/lib/clamav/
check_for_new_database_version: Local copy of bytecode found: bytecode.cvd.
query_remote_database_version: bytecode.cvd version from DNS: 334
bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
fc_update_database: bytecode.cvd already up-to-date.

CC:
(none) =>
mageia
Marja Van Waes
2024-02-10 21:28:14 CET
URL:
(none) =>
https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
Marja Van Waes
2024-02-10 21:30:58 CET
Keywords:
(none) =>
advisory
katnatek
2024-02-15 03:31:39 CET
Keywords:
(none) =>
feedback

clamav has always been resource intensive as it loads the database into ram. That plus the fact it's made primarily to detect windows malware and I don't have any windows installs, means I normally do not have it installed.

Having just installed it. After running freshclam, htop shows it's using around 2GB of ram, which is normal.

# time clamscan /home/dave/Documents/eicar.txt
Loading: 18s, ETA: 0s [========================>] 8.69M/8.69M sigs
Compiling: 3s, ETA: 0s [========================>] 41/41 tasks
/s3/bkup/Documents/eicar.txt: Win.Test.EICAR_HDB-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8685881
Engine version: 1.0.5
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 21.978 sec (0 m 21 s)
Start Date: 2024:02:24 12:37:19
End Date: 2024:02:24 12:37:41
real 0m21.989s
user 0m20.834s
sys 0m1.150s

Working as expected.

Whiteboard:
(none) =>
MGA9-64-OK

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0048.html

Status:
ASSIGNED =>
RESOLVED |
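
A configuration check for the "VirusEvent" item in the advisory above, added here as an example and not part of the original report or of ClamAV: it flags active `VirusEvent` directives in a clamd.conf that use the `%f` filename substitution and reports whether the installed package predates the fixed 1.0.5 build. Assumptions: upstream's release notes (not quoted in this report) say the fix disables `%f` and point to the `CLAM_VIRUSEVENT_FILENAME` environment variable read from inside a script; only Mageia 9's 1.0.x packages are compared; the sample configuration and hook paths are constructed.

```python
import re

# clamav version of the fixed Mageia 9 packages named in this report.
# Assumption: only the 1.0.x branch shipped by Mageia 9 is compared.
FIXED = (1, 0, 5)

def parse_version(rpm_version):
    """'1.0.3-1.mga9' -> (1, 0, 3); the RPM release suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", rpm_version)
    if not m:
        raise ValueError(f"unrecognised version: {rpm_version!r}")
    return tuple(int(part) for part in m.groups())

def virus_event_commands(conf_text):
    """Return the command string of every active VirusEvent directive."""
    commands = []
    for raw in conf_text.splitlines():
        fields = raw.strip().split(None, 1)
        # Commented lines start with '#', so their first field never matches.
        if len(fields) == 2 and fields[0] == "VirusEvent":
            commands.append(fields[1])
    return commands

def audit(conf_text, rpm_version):
    """Return (code, detail) findings related to CVE-2024-20328."""
    findings = []
    patched = parse_version(rpm_version) >= FIXED
    if not patched:
        findings.append(("UPGRADE", f"{rpm_version} is older than 1.0.5"))
    for cmd in virus_event_commands(conf_text):
        if "%f" in cmd:
            # Unpatched: the scanned file's name reaches the command line.
            # Patched: %f no longer works, so the hook needs rewriting.
            code = "REMOVE_PERCENT_F" if patched else "EXPOSED"
            findings.append((code, cmd))
    return findings

# Constructed sample configuration, not taken from the report.
SAMPLE_CONF = """\
# Example clamd.conf fragment
LocalSocket /run/clamav/clamd.sock
#VirusEvent /usr/local/bin/old_hook %f
VirusEvent /usr/local/bin/notify_admin.sh "%v" "%f"
"""

if __name__ == "__main__":
    for version in ("1.0.3-1.mga9", "1.0.5-1.mga9"):
        print(version, audit(SAMPLE_CONF, version))
```
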