On Thu, 24 Jun 2004, Trog wrote:
> On Mon, 2004-06-21 at 18:35, Christopher X. Candreva wrote:
> > Segmentation Fault
> Please test with current CVS (as of now).
> Thanks
> -trog
Before proceeding I have to apologise in advance for this email.
Yesterday I became aware that our nightly virus scan of our main file
server was dying at some point during its scan. I should have caught on
to it earlier but have been really busy and have taken (script) steps to
make sure this sort of thing gets a bigger red flag. The following problem
also involves a confidential Word document (if such a thing actually
exists) so I can't give you the file that caused the problem. Hopefully
however I can make up for these embarrassments by providing you with all I
could find out about the problem.
My first clue (that I noticed) was core files appearing at approx 5:20 in
the morning. I tracked it down to the virus scan cron job.
/usr/local/bin/clamscan -r -i /public
The first one started appearing around the start of June 2004.
This corresponded to when I upgraded this particular box to ClamAV 0.72.
I nailed it down to one Word 97 doc that was causing the above command to
Seg Fault - Sig 11.
I quarantined the file and manually ran the cron job again, no problems. I
also updated my script to flag any failure of clamscan to provide a report
of its final result. I know it's my fault that I failed to realise the
report was missing in the cron email but hey I'm human and snowed under.
It's a matter of survival at the minute.
Recalling a clamd dying thread on this list I wondered if I had stumbled
upon a similar problem but happening with clamscan.
I therefore checked out a CVS snapshot 20/06/2004 at 11:10 am BST onto my
devel-box (AMD Athlon running Mandrake 9.2 non-stock),
built it with debug and scanned the Word file. Result - no problem and
file was clean.
Then I used the stable build that was actually installed on the machine.
ClamAV-0.71 - Again Result no problem and file was clean.
I then configured stable build 0.73 (which is the version installed on
the file server that had the original problem) with debug and ran that -
Result CORE DUMP
I then did the same for ClamAV-0.72 - Result CORE DUMP
Summary :
ClamAV-0.71 : Okay
ClamAV-0.72 : Bug appeared
ClamAV-0.73 : Bug still in
clamav-devel : Bug fixed.
Hence the reason for this email. You appear to have fixed the problem and
this is now verified on a file other than the one you were working on.
Although I should have picked this up earlier and I can't send you the
confidential document that caused the problem I want to help so :-
I hope I can help in some way by sending you the debug output from the
various ClamAV versions involved :-
-------------------------------------------------------------------------
ClamAV-0.71
LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: /usr/local/share/clamav/daily.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 0ed8af09ec51f2b748a47b70004e487b
LibClamAV debug: Decoded signature: 0ed8af09ec51f2b748a47b70004e487b
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /home/jim/tmp/clamav-af31046a87829d3c/COPYING
LibClamAV debug: Unpacking /home/jim/tmp/clamav-af31046a87829d3c/viruses.db2
LibClamAV debug: Loading databases from /home/jim/tmp/clamav-af31046a87829d3c
LibClamAV debug: Loading /home/jim/tmp/clamav-af31046a87829d3c/viruses.db2
LibClamAV debug: Initializing trie.
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: /usr/local/share/clamav/main.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 2afa38b2ececc44e99e396f97e94adef
LibClamAV debug: Decoded signature: 2afa38b2ececc44e99e396f97e94adef
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /home/jim/tmp/clamav-c77e9a5b022c1c96/COPYING
LibClamAV debug: Unpacking /home/jim/tmp/clamav-c77e9a5b022c1c96/viruses.db
LibClamAV debug: Loading databases from /home/jim/tmp/clamav-c77e9a5b022c1c96
LibClamAV debug: Loading /home/jim/tmp/clamav-c77e9a5b022c1c96/viruses.db
LibClamAV debug: Recognized OLE2 container file
LibClamAV debug: in cli_scanole2()
LibClamAV debug: in cli_ole2_extract()
LibClamAV debug:
Magic: 0xLibClamAV debug: d0LibClamAV debug: cfLibClamAV debug:
11LibClamAV debug: e0LibClamAV debug: a1LibClamAV debug: b1LibClamAV debug:
1aLibClamAV debug: e1LibClamAV debug:
LibClamAV debug: CLSID: {LibClamAV debug: 0 LibClamAV debug: 0
LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV
debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0
LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV
debug: 0 LibClamAV debug: }
LibClamAV debug: Minor version: 0x3e
LibClamAV debug: DLL version: 0x3
LibClamAV debug: Byte Order: -2
LibClamAV debug: Big Block Size: 9
LibClamAV debug: Small Block Size: 6
LibClamAV debug: BAT count: 4
LibClamAV debug: Prop start: 458
LibClamAV debug: SBAT cutoff: 4096
LibClamAV debug: SBat start: 460
LibClamAV debug: SBat block count: 1
LibClamAV debug: XBat start: -2
LibClamAV debug: XBat block count: 0
LibClamAV debug: Root EntryLibClamAV debug: [root]LibClamAV
debug: bLibClamAV debug: 128 0
LibClamAV debug: WordDocumentLibClamAV debug: [file]LibClamAV
debug: bLibClamAV debug: 195116 0
LibClamAV debug: ERROR: handler failed
LibClamAV debug: VBA scan dir: /home/jim/tmp/clamav-1612df06d19d5f7e
LibClamAV debug: in vba56_dir_read()
LibClamAV debug: Can't open /home/jim/tmp/clamav-1612df06d19d5f7e/_VBA_PROJECT
LibClamAV debug: magic: 0xa5ec
LibClamAV debug: version: 0x00c1
LibClamAV debug: product: 0x4035
LibClamAV debug: lid: 0x0409
LibClamAV debug: macro offset: 0x26e60000
LibClamAV debug: macro len: 0x0000
LibClamAV debug: read start_id failed
/home/jim/M001-002-001-15_DocsIssuedtoTrivirix.doc: OK
ERROR: Can't access file 1
1: No such file or directory
----------- SCAN SUMMARY -----------
Known viruses: 21620
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.27 MB
I/O buffer size: 131072 bytes
Time: 1.028 sec (0 m 1 s)
-------------------------------------------------------------------------
ClamAV-0.72
LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: /usr/local/share/clamav/daily.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 0ed8af09ec51f2b748a47b70004e487b
LibClamAV debug: Decoded signature: 0ed8af09ec51f2b748a47b70004e487b
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /home/jim/tmp/clamav-07c53cd37353a3b3/COPYING
LibClamAV debug: Unpacking /home/jim/tmp/clamav-07c53cd37353a3b3/viruses.db2
LibClamAV debug: Loading databases from /home/jim/tmp/clamav-07c53cd37353a3b3
LibClamAV debug: Loading /home/jim/tmp/clamav-07c53cd37353a3b3/viruses.db2
LibClamAV debug: Initializing trie.
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: /usr/local/share/clamav/main.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 2afa38b2ececc44e99e396f97e94adef
LibClamAV debug: Decoded signature: 2afa38b2ececc44e99e396f97e94adef
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /home/jim/tmp/clamav-a21e71f388ffff06/COPYING
LibClamAV debug: Unpacking /home/jim/tmp/clamav-a21e71f388ffff06/viruses.db
LibClamAV debug: Loading databases from /home/jim/tmp/clamav-a21e71f388ffff06
LibClamAV debug: Loading /home/jim/tmp/clamav-a21e71f388ffff06/viruses.db
LibClamAV debug: Recognized OLE2 container file
LibClamAV debug: in cli_scanole2()
LibClamAV debug: in cli_ole2_extract()
LibClamAV debug: mmap'ed file
LibClamAV debug:
Magic: 0xLibClamAV debug: d0LibClamAV debug: cfLibClamAV debug:
11LibClamAV debug: e0LibClamAV debug: a1LibClamAV debug: b1LibClamAV debug:
1aLibClamAV debug: e1LibClamAV debug:
LibClamAV debug: CLSID: {LibClamAV debug: 0 LibClamAV debug: 0
LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV
debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0
LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV
debug: 0 LibClamAV debug: }
LibClamAV debug: Minor version: 0x3e
LibClamAV debug: DLL version: 0x3
LibClamAV debug: Byte Order: -2
LibClamAV debug: Big Block Size: 9
LibClamAV debug: Small Block Size: 6
LibClamAV debug: BAT count: 4
LibClamAV debug: Prop start: 458
LibClamAV debug: SBAT cutoff: 4096
LibClamAV debug: SBat start: 460
LibClamAV debug: SBat block count: 1
LibClamAV debug: XBat start: -2
LibClamAV debug: XBat block count: 0
LibClamAV debug: Root EntryLibClamAV debug: [root]LibClamAV
debug: bLibClamAV debug: 128 0
LibClamAV debug: WordDocumentLibClamAV debug: [file]LibClamAV
debug: bLibClamAV debug: 195116 0
Segmentation fault (core dumped)
-------------------------------------------------------------------------
ClamAV-0.73
LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: /usr/local/share/clamav/daily.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 0ed8af09ec51f2b748a47b70004e487b
LibClamAV debug: Decoded signature: 0ed8af09ec51f2b748a47b70004e487b
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /home/jim/tmp/clamav-7b22aba4f7df3bee/COPYING
LibClamAV debug: Unpacking /home/jim/tmp/clamav-7b22aba4f7df3bee/viruses.db2
LibClamAV debug: Loading databases from /home/jim/tmp/clamav-7b22aba4f7df3bee
LibClamAV debug: Loading /home/jim/tmp/clamav-7b22aba4f7df3bee/viruses.db2
LibClamAV debug: Initializing trie.
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: /usr/local/share/clamav/main.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 2afa38b2ececc44e99e396f97e94adef
LibClamAV debug: Decoded signature: 2afa38b2ececc44e99e396f97e94adef
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /home/jim/tmp/clamav-51ef84dd0ff826d9/COPYING
LibClamAV debug: Unpacking /home/jim/tmp/clamav-51ef84dd0ff826d9/viruses.db
LibClamAV debug: Loading databases from /home/jim/tmp/clamav-51ef84dd0ff826d9
LibClamAV debug: Loading /home/jim/tmp/clamav-51ef84dd0ff826d9/viruses.db
LibClamAV debug: Recognized OLE2 container file
LibClamAV debug: in cli_scanole2()
LibClamAV debug: in cli_ole2_extract()
LibClamAV debug: mmap'ed file
LibClamAV debug:
Magic: 0xLibClamAV debug: d0LibClamAV debug: cfLibClamAV debug:
11LibClamAV debug: e0LibClamAV debug: a1LibClamAV debug: b1LibClamAV debug:
1aLibClamAV debug: e1LibClamAV debug:
LibClamAV debug: CLSID: {LibClamAV debug: 0 LibClamAV debug: 0
LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV
debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0
LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV
debug: 0 LibClamAV debug: }
LibClamAV debug: Minor version: 0x3e
LibClamAV debug: DLL version: 0x3
LibClamAV debug: Byte Order: -2
LibClamAV debug: Big Block Size: 9
LibClamAV debug: Small Block Size: 6
LibClamAV debug: BAT count: 4
LibClamAV debug: Prop start: 458
LibClamAV debug: SBAT cutoff: 4096
LibClamAV debug: SBat start: 460
LibClamAV debug: SBat block count: 1
LibClamAV debug: XBat start: -2
LibClamAV debug: XBat block count: 0
LibClamAV debug: Root EntryLibClamAV debug: [root]LibClamAV
debug: bLibClamAV debug: 128 0
LibClamAV debug: WordDocumentLibClamAV debug: [file]LibClamAV
debug: bLibClamAV debug: 195116 0
Segmentation fault (core dumped)
-------------------------------------------------------------------------
clamav-devel 24062004-1110
LibClamAV debug: Loading databases from /usr/local/share/clamav
LibClamAV debug: Loading /usr/local/share/clamav/daily.cvd
LibClamAV debug: /usr/local/share/clamav/daily.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 0ed8af09ec51f2b748a47b70004e487b
LibClamAV debug: Decoded signature: 0ed8af09ec51f2b748a47b70004e487b
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /home/jim/tmp/clamav-eff720e0075b8229/COPYING
LibClamAV debug: Unpacking /home/jim/tmp/clamav-eff720e0075b8229/viruses.db2
LibClamAV debug: Loading databases from /home/jim/tmp/clamav-eff720e0075b8229
LibClamAV debug: Loading /home/jim/tmp/clamav-eff720e0075b8229/viruses.db2
LibClamAV debug: Initializing trie.
LibClamAV debug: Loading /usr/local/share/clamav/main.cvd
LibClamAV debug: /usr/local/share/clamav/main.cvd: CVD file detected
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 2afa38b2ececc44e99e396f97e94adef
LibClamAV debug: Decoded signature: 2afa38b2ececc44e99e396f97e94adef
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /home/jim/tmp/clamav-62b6ad92e6f5ed5c/COPYING
LibClamAV debug: Unpacking /home/jim/tmp/clamav-62b6ad92e6f5ed5c/viruses.db
LibClamAV debug: Loading databases from /home/jim/tmp/clamav-62b6ad92e6f5ed5c
LibClamAV debug: Loading /home/jim/tmp/clamav-62b6ad92e6f5ed5c/viruses.db
LibClamAV debug: Recognized OLE2 container file
LibClamAV debug: in cli_scanole2()
LibClamAV debug: in cli_ole2_extract()
LibClamAV debug: mmap'ed file
LibClamAV debug:
Magic: 0xLibClamAV debug: d0LibClamAV debug: cfLibClamAV debug:
11LibClamAV debug: e0LibClamAV debug: a1LibClamAV debug: b1LibClamAV debug:
1aLibClamAV debug: e1LibClamAV debug:
LibClamAV debug: CLSID: {LibClamAV debug: 0 LibClamAV debug: 0
LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV
debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0
LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV debug: 0 LibClamAV
debug: 0 LibClamAV debug: }
LibClamAV debug: Minor version: 0x3e
LibClamAV debug: DLL version: 0x3
LibClamAV debug: Byte Order: -2
LibClamAV debug: Big Block Size: 9
LibClamAV debug: Small Block Size: 6
LibClamAV debug: BAT count: 4
LibClamAV debug: Prop start: 458
LibClamAV debug: SBAT cutoff: 4096
LibClamAV debug: SBat start: 460
LibClamAV debug: SBat block count: 1
LibClamAV debug: XBat start: -2
LibClamAV debug: XBat block count: 0
LibClamAV debug: Root Entry LibClamAV debug: [root] LibClamAV
debug: b LibClamAV debug: 128 0
LibClamAV debug: WordDocument LibClamAV debug: [file] LibClamAV
debug: b LibClamAV debug: 195116 0
LibClamAV debug: ERROR: handler failed
LibClamAV debug: 1Table LibClamAV debug: [file] LibClamAV
debug: b LibClamAV debug: 20367 0
LibClamAV debug: Data LibClamAV debug: [file] LibClamAV
debug: b LibClamAV debug: 7852 0
LibClamAV debug: _1_CompObj LibClamAV debug: [file] LibClamAV
debug: r LibClamAV debug: 106 0
LibClamAV debug: _5_DocumentSummaryInformation LibClamAV debug: [file] LibClamAV
debug: b LibClamAV debug: 4096 0
LibClamAV debug: _5_SummaryInformation LibClamAV debug: [file] LibClamAV
debug: b LibClamAV debug: 4096 0
LibClamAV debug: VBA scan dir: /home/jim/tmp/clamav-3f521f4dc7f808e8
LibClamAV debug: in vba56_dir_read()
LibClamAV debug: Can't open /home/jim/tmp/clamav-3f521f4dc7f808e8/_VBA_PROJECT
LibClamAV debug: Open Current User failed
LibClamAV debug: magic: 0xa5ec
LibClamAV debug: version: 0x00c1
LibClamAV debug: product: 0x4035
LibClamAV debug: lid: 0x0409
LibClamAV debug: macro offset: 0x26e60000
LibClamAV debug: macro len: 0x0000
LibClamAV debug: read start_id failed
/home/jim/M001-002-001-15_DocsIssuedtoTrivirix.doc: OK
----------- SCAN SUMMARY -----------
Known viruses: 21620
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.29 MB
I/O buffer size: 131072 bytes
Time: 0.995 sec (0 m 0 s)
-------------------------------------------------------------------------
Notice also that 0.71, although it doesn't core dump, it reports an error
"ERROR: Can't access file 1
1: No such file or directory"
Anyway, I hope this helps. I'll keep the file quarantined until 0.80.
Please let me know if there is anything more I can do to help.
Jim :-)
Dr James Allen
GnuPG key : ftp://ftp.heartsine.co.uk/hst_gpg_public_keys/jim.allen.hst.gpg.asc
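The check described in the message above (flagging any nightly `clamscan` run that dies before printing its final report) could look like the following. This is an added example, not the poster's script or ClamAV code; the function names are hypothetical, and it assumes the shell convention that an exit status above 128 means the child was killed by a signal, plus clamscan's documented 0 (clean) and 1 (virus found) statuses.

```shell
#!/bin/sh
# Added example (hypothetical names): cron wrapper that never lets a crashed
# or truncated clamscan run pass as a quiet night.

# classify_run STATUS REPORT_FILE -> prints one verdict
classify_run() {
    st=$1 out=$2
    if [ "$st" -gt 128 ]; then
        # 128+N: child killed by signal N (139 = SIGSEGV, as in the report)
        echo "CRASHED(signal $((st - 128)))"
    elif ! grep -q 'SCAN SUMMARY' "$out"; then
        # Scanner exited without printing its closing summary block
        echo "INCOMPLETE"
    elif [ "$st" -eq 0 ]; then
        echo "CLEAN"
    elif [ "$st" -eq 1 ]; then
        echo "INFECTED"
    else
        echo "SCANNER-ERROR(exit $st)"
    fi
}

# run_scan DIR: run the cron command from the message, put the verdict first
run_scan() {
    report=$(mktemp) || return 2
    /usr/local/bin/clamscan -r -i "$1" >"$report" 2>&1
    rc=$?
    verdict=$(classify_run "$rc" "$report")
    echo "clamscan verdict: $verdict"
    cat "$report"
    rm -f "$report"
    case $verdict in CLEAN) return 0 ;; *) return 1 ;; esac
}

# demo: constructed sample of output cut off mid-scan, status 139
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' 'LibClamAV debug: in cli_ole2_extract()' >"$tmp"
    classify_run 139 "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    --run) run_scan "${2:-/public}" ;;
    *) demo ;;
esac
```

Invoked from cron with `--run /public`, the verdict line leads the mailed report, so a crash shows up as `CRASHED(signal 11)` rather than as a missing summary.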