Bug#902899: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed in stable update
On 2018-07-05 23:52:31 [+0200], Bernhard Schmidt wrote:
> Hi Sebastian,

Hi Bernhard,

> I totally agree and I have already done this. I have filed a bug because
> I assume this will hit at least some people on the next Stretch point
> release hard. Not sure whether one can workaround this in clamav (and it
> might already be too late).

Today is the last day I guess due to the freeze for the point release. I
sneaked into a fix for removed options but I think this is it. I have
currently no idea where to start working around the yara thing. It is
known by both upstream sides (clamav and unofficial-sigs) since April or
so and there was no progress since. And I can't change the world :)
So let's see how many people complain here after the point release…

> Bernhard

Sebastian
Bug#902899: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed in stable update
On 05.07.2018 23:44, Sebastian Andrzej Siewior wrote:

Hi Sebastian,

> I suggest you remove the offending file. I have no other recommendation.

I totally agree and I have already done this. I have filed a bug because
I assume this will hit at least some people on the next Stretch point
release hard. Not sure whether one can workaround this in clamav (and it
might already be too late).

Bernhard
Bug#902899: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed in stable update
control: forwarded -1 https://bugzilla.clamav.net/show_bug.cgi?id=12077

On 2018-07-05 22:54:58 [+0200], Bernhard Schmidt wrote:
> On 04.07.2018 14:00, Sebastian Andrzej Siewior wrote:
>
> Hi Sebastian,

Hi Bernhard,

> Attached. Note that antidebug_antivm.yar is the one with the errors on
> loading, but the actual assertion is later when the first (?) mail is
> processed with clamd. So it might be related to any of the .yara? files.
>
> Thanks for looking into this.

While trying to forward this upstream I found a report :)
So upstream wants to address it but has no timeline. It considers the
rule file as broken and it doesn't work but now clamav actually
complains.
I suggest you remove the offending file. I have no other recommendation.

> Bernhard

Sebastian
Bug#902899: [Pkg-clamav-devel] Bug#902899: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed in stable update
On 04.07.2018 14:00, Sebastian Andrzej Siewior wrote:

Hi Sebastian,

> On 2018-07-03 09:04:21 [+0200], Bernhard Schmidt wrote:
>> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror():
>> /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
>> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror():
>> /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
>> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror():
>> /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
>> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror():
>> /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
>> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Warning: cli_loadyara: failed
>> to parse or load 7 yara rules from file
>> /var/lib/clamav/antidebug_antivm.yar, successfully
>> Jul 03 07:40:12 mail clamd[21927]: clamd: yara_exec.c:177: yr_execute_code:
>> Assertion `sp == 0' failed.
>>
>> 0.99.4+dfsg-1+deb9u1 -> 0.100.0+dfsg-0+deb9u1
>>
>> This is probably related to using third-party signatures, but still a
>> regression.
>
> okay. It is not just "probably". Could you please make the file
> available? I will try to forward it to clamav upstream and see what
> they intend to do about it. The progress on the github issue looks
> stale.

Attached. Note that antidebug_antivm.yar is the one with the errors on
loading, but the actual assertion is later when the first (?) mail is
processed with clamd. So it might be related to any of the .yara? files.

Thanks for looking into this.

Bernhard

clamav-yar.tgz
Description: application/gtar-compressed
Bug#902899: [Pkg-clamav-devel] Bug#902899: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed in stable update
On 2018-07-03 09:04:21 [+0200], Bernhard Schmidt wrote:
> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror():
> /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror():
> /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror():
> /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror():
> /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
> Jul 03 07:30:24 mail clamd[21927]: LibClamAV Warning: cli_loadyara: failed to
> parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar,
> successfully
> Jul 03 07:40:12 mail clamd[21927]: clamd: yara_exec.c:177: yr_execute_code:
> Assertion `sp == 0' failed.
>
> 0.99.4+dfsg-1+deb9u1 -> 0.100.0+dfsg-0+deb9u1
>
> This is probably related to using third-party signatures, but still a
> regression.

okay. It is not just "probably". Could you please make the file
available? I will try to forward it to clamav upstream and see what
they intend to do about it. The progress on the github issue looks
stale.

> Best Regards,
> Bernhard

Sebastian
Bug#902899: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed in stable update
Package: clamav-daemon
Version: 0.100.0+dfsg-0+deb9u1
Severity: important

Hi,

after upgrading my Stretch mailserver with the packages from
stretch-proposed-updates clamav-daemon dies with the following error
message

root@mail:~# systemctl status clamav-daemon
● clamav-daemon.service - Clam AntiVirus userspace daemon
   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled; vendor preset: enabled)
  Drop-In: /etc/systemd/system/clamav-daemon.service.d
           └─extend.conf
   Active: failed (Result: signal) since Tue 2018-07-03 07:40:12 CEST; 1h 18min ago
     Docs: man:clamd(8)
           man:clamd.conf(5)
           https://www.clamav.net/documents/
  Process: 21927 ExecStart=/usr/sbin/clamd --foreground=true (code=killed, signal=ABRT)
  Process: 21923 ExecStartPre=/bin/chown clamav /run/clamav (code=exited, status=0/SUCCESS)
  Process: 21922 ExecStartPre=/bin/mkdir /run/clamav (code=exited, status=1/FAILURE)
 Main PID: 21927 (code=killed, signal=ABRT)

Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully
Jul 03 07:30:36 mail clamd[21927]: Tue Jul 3 07:30:36 2018 -> Database correctly reloaded (6790696 signatures)
Jul 03 07:40:12 mail clamd[21927]: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed.
Jul 03 07:40:12 mail systemd[1]: clamav-daemon.service: Main process exited, code=killed, status=6/ABRT
Jul 03 07:40:12 mail systemd[1]: clamav-daemon.service: Unit entered failed state.
Jul 03 07:40:12 mail systemd[1]: clamav-daemon.service: Failed with result 'signal'.

0.99.4+dfsg-1+deb9u1 -> 0.100.0+dfsg-0+deb9u1

This is probably related to using third-party signatures, but still a
regression.

Best Regards,
Bernhard

-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
---
BlockMax disabled
PreludeEnable disabled
PreludeAnalyzerName = "ClamAV"
LogFile = "/var/log/clamav/clamav.log"
LogFileUnlock disabled
LogFileMaxSize = "4294967295"
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
LogRotate = "yes"
ExtendedDetectionInfo = "yes"
PidFile disabled
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "26214400"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "5"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "3600"
DisableCache disabled
VirusEvent disabled
ExitOnOOM disabled
AllowAllMatchScan = "yes"
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "6"
BytecodeUnsigned disabled
BytecodeMode = "Auto"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
PartitionIntersection disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
OLE2BlockMacros disabled
ScanPDF = "yes"
ScanSWF = "yes"
ScanXMLDOCS = "yes"
ScanHWP3 = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
ForceToDisk disabled
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "1"
MaxEmbeddedPE = "10485760"
MaxHTMLNormalize = "10485760"
MaxHTMLNoTags = "2097152"
MaxScriptNormalize = "5242880"
MaxZipTypeRcg = "1048576"
MaxPartitions = "50"
MaxIconsPE = "100"
MaxRecHWP3 = "16"
PCREMatchLimit = "1"
PCRERecMatchLimit = "5000"
PCREMaxFileSize = "26214400"
ScanOnAccess disabled
OnAccessMountPath disabled
OnAccessIncludePath disabled
OnAccessExcludePath disabled
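
Added example (not part of the thread, and not ClamAV or Debian code): a small Python triage of the journal lines from the report above, grouping the yyerror() load failures by rule file and listing files loaded by a clamd process that later hit the assertion. The function names are hypothetical, and the output is a list of candidates only, since the thread notes the abort might be related to any of the rule files.

```python
import re
from collections import defaultdict

# Journal lines copied from the bug report above.
SAMPLE_LOG = """\
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 544 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 557 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 603 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Error: yyerror(): /var/lib/clamav/antidebug_antivm.yar line 614 undefined identifier "pe"
Jul 03 07:30:24 mail clamd[21927]: LibClamAV Warning: cli_loadyara: failed to parse or load 7 yara rules from file /var/lib/clamav/antidebug_antivm.yar, successfully
Jul 03 07:30:36 mail clamd[21927]: Tue Jul 3 07:30:36 2018 -> Database correctly reloaded (6790696 signatures)
Jul 03 07:40:12 mail clamd[21927]: clamd: yara_exec.c:177: yr_execute_code: Assertion `sp == 0' failed.
"""

PID = r"clamd\[(?P<pid>\d+)\]: "
YYERROR = re.compile(PID + r"LibClamAV Error: yyerror\(\): (?P<path>\S+) line (?P<line>\d+) (?P<msg>.+)")
LOADFAIL = re.compile(PID + r"LibClamAV Warning: cli_loadyara: failed to parse or load "
                            r"(?P<n>\d+) yara rules from file (?P<path>[^,\s]+)")
ABORT = re.compile(PID + r"clamd: (?P<where>\S+:\d+: \w+): Assertion `(?P<expr>[^']+)' failed")


def triage(log_text):
    """Group YARA load errors by clamd PID and rule file; record a later assertion abort."""
    report = defaultdict(lambda: {"files": defaultdict(lambda: {"error_lines": [], "failed_rules": 0}),
                                  "abort": None})
    for line in log_text.splitlines():
        if m := YYERROR.search(line):
            report[m["pid"]]["files"][m["path"]]["error_lines"].append(int(m["line"]))
        elif m := LOADFAIL.search(line):
            report[m["pid"]]["files"][m["path"]]["failed_rules"] = int(m["n"])
        elif m := ABORT.search(line):
            report[m["pid"]]["abort"] = f"{m['where']}: {m['expr']}"
    return report


def suspect_rule_files(log_text):
    """Rule files that failed to load cleanly in a clamd process that later aborted."""
    suspects = set()
    for proc in triage(log_text).values():
        if proc["abort"]:  # only processes that actually hit the assertion
            suspects.update(proc["files"])
    return sorted(suspects)


if __name__ == "__main__":
    for path in suspect_rule_files(SAMPLE_LOG):
        print("candidate for removal:", path)
```
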