message "LibClamAV Warning: PNG: Unexpected early end-of-file." #1208

Open
panewt opened this issue Mar 20, 2024 · 3 comments
panewt commented Mar 20, 2024

Describe the bug

I run /usr/bin/clamscan on a Rocky 9.3 system (aka RHEL9) and get the message "LibClamAV Warning: PNG: Unexpected early end-of-file.". This is not really a "bug" per se, but the lack of announcing which file popped this error means there is no information to check what is causing this. The only way I have found is to run in verbose mode, and that is an incredibly inefficient way to deal with it, as it seems that it would be easy for clamscan to give the name of the file when it flags the warning.

I see lots of references to this online but nothing that I can ascertain is ClamAV's response to people going (liberally paraphrased) "huh?"

Thanks in advance for considering providing this info

How to reproduce the problem

See "Describe the bug" but obviously need to have some file which will produce that warning

Replace this text with the output from the ClamAV command:
+++ START +++
[paul@grotto ~]$ clamconf -n
Checking configuration files in /etc

Config file: clamd.d/scan.conf

LogSyslog = "yes"
User = "clamscan"

freshclam.conf not found

mail/clamav-milter.conf not found

Software settings

Version: 1.0.5
Optional features supported: MEMPOOL AUTOIT_EA06 BZIP2 LIBXML2 PCRE2 ICONV JSON

Database information

Database directory: /var/lib/clamav
main.cvd: version 62, sigs: 6647427, built on Thu Sep 16 05:32:42 2021
daily.cld: version 27219, sigs: 2055706, built on Tue Mar 19 01:25:53 2024
bytecode.cld: version 335, sigs: 86, built on Tue Feb 27 07:37:24 2024
Total number of signatures: 8703219

Platform information

uname: Linux 5.14.0-362.24.1.el9_3.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 13 17:33:16 UTC 2024 x86_64
OS: Linux, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.11 (1.2.11), compile flags: a9
platform id: 0x0a21a5a508000000020b0401

Build information

GNU C: 11.4.1 20230605 (Red Hat 11.4.1-2) (11.4.1)
sizeof(void*) = 8
Engine flevel: 165, dconf: 165
[paul@grotto ~]$
+++ END ++


@micahsnyder
Contributor

We changed this warning to a debug-level in the 1.3 release: 00b7853

Perhaps we should backport it for the next 1.0 patch version.

Contributor

Kangie commented Mar 21, 2024

I'm seeing this as a test failure on arm in 1.0.5: https://bugs.gentoo.org/show_bug.cgi?id=927361

================================================================== FAILURES ===================================================================
______________________________________________________________ TC.test_allmatch _______________________________________________________________

self = <heuristics_test.TC testMethod=test_allmatch>

    def test_allmatch(self):
        '''
        This test uses a ZIP that has two things:
        1. malformed file that will alert with  --alert-broken-media
        2. the clam.exe file that will alert normally.
        The idea is that since the malformed file is first, the heuristic alert will be encountered first.
    
        In this test we use --allmatch but we don't use --heuristic-scan-precedence.
        That means the NDB sig should alert first, even though the heuristic is encountered first.
        Note the verify_output() uses STRICT_ORDER.
        '''
        self.step_name('Test that a clam heuristic alert will alert LAST in allmatch mode without heuristic-precedence.')
    
        testfile = TC.heuristics_testfile
    
        command = '{valgrind} {valgrind_args} {clamscan} -d {clam_exe_db} {testfiles} --alert-broken-media \
             --allmatch'.format(
            valgrind=TC.valgrind, valgrind_args=TC.valgrind_args, clamscan=TC.clamscan,
            clam_exe_db=TC.path_tmp / 'clam.ndb',
            testfiles=testfile,
        )
        output = self.execute_command(command)
    
>       assert output.ec == 1  # virus
E       AssertionError: assert -7 == 1
E        +  where -7 = CmdResult(ec=-7, out='', err='LibClamAV Warning: PNG: Unexpected early end-of-file.\n').ec

/var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5/unit_tests/clamscan/heuristics_test.py:158: AssertionError
------------------------------------------------------------ Captured stdout call -------------------------------------------------------------

[INFO]: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[INFO]: Test that a clam heuristic alert will alert LAST in allmatch mode without heuristic-precedence.
[INFO]: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[DEBUG]: Run command:   /var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/clamscan/clamscan -d /var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/unit_tests/TC-zmxnc9aw/clam.ndb /var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/unit_tests/TC-zmxnc9aw/heuristics-test.zip --alert-broken-media              --allmatch 
[DEBUG]: Exit code: -7
[DEBUG]: stdout: 
[DEBUG]: stderr: LibClamAV Warning: PNG: Unexpected early end-of-file.


_________________________________________________________ TC.test_allmatch_precedence _________________________________________________________

self = <heuristics_test.TC testMethod=test_allmatch_precedence>

    def test_allmatch_precedence(self):
        '''
        This test uses a ZIP that has two things:
        1. malformed file that will alert with  --alert-broken-media
        2. the clam.exe file that will alert normally.
        The idea is that since the malformed file is first, the heuristic alert will be encountered first.
    
        In this test we use --allmatch AND we use --heuristic-scan-precedence.
        That means the heuristic is encountered first and should be treated equally, so it should alert first.
        Note the verify_output() uses STRICT_ORDER.
        '''
        self.step_name('Test that a clam heuristic alert will alert FIRST in allmatch mode with heuristic-precedence.')
    
        testfile = TC.heuristics_testfile
    
        command = '{valgrind} {valgrind_args} {clamscan} -d {clam_exe_db} {testfiles} --alert-broken-media \
             --allmatch \
             --heuristic-scan-precedence'.format(
            valgrind=TC.valgrind, valgrind_args=TC.valgrind_args, clamscan=TC.clamscan,
            clam_exe_db=TC.path_tmp / 'clam.ndb',
            testfiles=testfile,
        )
        output = self.execute_command(command)
    
>       assert output.ec == 1  # virus
E       AssertionError: assert -7 == 1
E        +  where -7 = CmdResult(ec=-7, out='/var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/unit_tests/TC-zmxnc9aw/heuristics-test.zip: Heuristics.Broken.Media.PNG.EOFReadingChunk FOUND\n', err='LibClamAV Warning: PNG: Unexpected early end-of-file.\n').ec

/var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5/unit_tests/clamscan/heuristics_test.py:190: AssertionError
------------------------------------------------------------ Captured stdout call -------------------------------------------------------------

[INFO]: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[INFO]: Test that a clam heuristic alert will alert FIRST in allmatch mode with heuristic-precedence.
[INFO]: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[DEBUG]: Run command:   /var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/clamscan/clamscan -d /var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/unit_tests/TC-zmxnc9aw/clam.ndb /var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/unit_tests/TC-zmxnc9aw/heuristics-test.zip --alert-broken-media              --allmatch              --heuristic-scan-precedence 
[DEBUG]: Exit code: -7
[DEBUG]: stdout: /var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/unit_tests/TC-zmxnc9aw/heuristics-test.zip: Heuristics.Broken.Media.PNG.EOFReadingChunk FOUND

[DEBUG]: stderr: LibClamAV Warning: PNG: Unexpected early end-of-file.


_____________________________________________________ TC.test_hidden_by_strong_indicator ______________________________________________________

self = <heuristics_test.TC testMethod=test_hidden_by_strong_indicator>

    def test_hidden_by_strong_indicator(self):
        '''
        This test uses a ZIP that has two things:
        1. malformed file that will alert with  --alert-broken-media
        2. the clam.exe file that will alert normally.
        The idea is that since the malformed file is first, the heuristic alert will be encountered first.
    
        In this test the heuristic alert must not alert because neither allmatch is specified, nor --heuristic-scan-precedence
        '''
        self.step_name('Test that a clam heuristic not alert because regular sig alerts first.')
    
        testfile = TC.heuristics_testfile
    
        command = '{valgrind} {valgrind_args} {clamscan} -d {clam_exe_db} {testfiles} --alert-broken-media'.format(
            valgrind=TC.valgrind, valgrind_args=TC.valgrind_args, clamscan=TC.clamscan,
            clam_exe_db=TC.path_tmp / 'clam.ndb',
            testfiles=testfile,
        )
        output = self.execute_command(command)
    
>       assert output.ec == 1  # virus
E       AssertionError: assert -7 == 1
E        +  where -7 = CmdResult(ec=-7, out='', err='LibClamAV Warning: PNG: Unexpected early end-of-file.\n').ec

/var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5/unit_tests/clamscan/heuristics_test.py:70: AssertionError
------------------------------------------------------------ Captured stdout call -------------------------------------------------------------

[INFO]: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[INFO]:  Test that a clam heuristic not alert because regular sig alerts first. 
[INFO]: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[DEBUG]: Run command:   /var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/clamscan/clamscan -d /var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/unit_tests/TC-zmxnc9aw/clam.ndb /var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/unit_tests/TC-zmxnc9aw/heuristics-test.zip --alert-broken-media 
[DEBUG]: Exit code: -7
[DEBUG]: stdout: 
[DEBUG]: stderr: LibClamAV Warning: PNG: Unexpected early end-of-file.


______________________________________________________________ TC.test_only_heur ______________________________________________________________

self = <heuristics_test.TC testMethod=test_only_heur>

    def test_only_heur(self):
        '''
        This test uses a ZIP that has two things:
        1. malformed file that will alert with  --alert-broken-media
        2. the clam.exe file that will alert normally.
        The idea is that since the malformed file is first, the heuristic alert will be encountered first.
    
        In this test the heuristic alert must alert because we don't use the sig for the other file.
        '''
        self.step_name('Test that a clam heuristic will alert, because it is the only detection.')
    
        testfile = TC.heuristics_testfile
    
        # Add an empty NDB file, because we need to pass in some sort of database.
        (TC.path_tmp / 'empty.ndb').write_text(
            "# Just a comment\n"
        )
    
        command = '{valgrind} {valgrind_args} {clamscan} -d {clam_exe_db} {testfiles} --alert-broken-media'.format(
            valgrind=TC.valgrind, valgrind_args=TC.valgrind_args, clamscan=TC.clamscan,
            clam_exe_db=TC.path_tmp / 'empty.ndb',
            testfiles=testfile,
        )
        output = self.execute_command(command)
    
>       assert output.ec == 1  # virus
E       AssertionError: assert -7 == 1
E        +  where -7 = CmdResult(ec=-7, out='', err='LibClamAV Warning: PNG: Unexpected early end-of-file.\n').ec

/var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5/unit_tests/clamscan/heuristics_test.py:101: AssertionError
------------------------------------------------------------ Captured stdout call -------------------------------------------------------------

[INFO]: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[INFO]: Test that a clam heuristic will alert, because it is the only detection.
[INFO]: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[DEBUG]: Run command:   /var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/clamscan/clamscan -d /var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/unit_tests/TC-zmxnc9aw/empty.ndb /var/tmp/portage/app-antivirus/clamav-1.0.5/work/clamav-clamav-1.0.5_build/unit_tests/TC-zmxnc9aw/heuristics-test.zip --alert-broken-media 
[DEBUG]: Exit code: -7
[DEBUG]: stdout: 
[DEBUG]: stderr: LibClamAV Warning: PNG: Unexpected early end-of-file.


=========================================================== short test summary info ===========================================================
FAILED clamscan/heuristics_test.py::TC::test_allmatch - AssertionError: assert -7 == 1
FAILED clamscan/heuristics_test.py::TC::test_allmatch_precedence - AssertionError: assert -7 == 1
FAILED clamscan/heuristics_test.py::TC::test_hidden_by_strong_indicator - AssertionError: assert -7 == 1
FAILED clamscan/heuristics_test.py::TC::test_only_heur - AssertionError: assert -7 == 1
======================================================== 4 failed, 45 passed in 16.47s ========================================================
<end of output>
Test time =  23.50 sec
----------------------------------------------------------
Test Failed.
"clamscan" end time: Mar 20 05:17 UTC
"clamscan" time elapsed: 00:00:23
----------------------------------------------------------

Related or do you need me to file a new issue?

Contributor

micahsnyder commented Mar 22, 2024

@Kangie it seems related but different.

The message may occur on truncated (but functional and non-malicious) PNG files. As a result, it seems to be a nuisance to users.

But it could be there is a bug in our PNG parser causing this error and a crash on some arm systems? Is this 32-bit arm (not arm64)? I see your note that "error -7 -> E2BIG so this could be a 32-bit data type size issue."
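
Added example (not part of the issue thread and not ClamAV code): because the warning does not name the file and, per the comment above, can come from truncated PNGs, an independent chunk walker can list files on disk that start as PNG but end before their IEND chunk. The function names and the constructed 1x1 sample are assumptions of this example, and ClamAV's own parser may warn under different conditions.

```python
import os
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def png_truncation(data):
    """Return None if the chunk stream reaches IEND intact, else a reason string."""
    if not data.startswith(PNG_SIGNATURE):
        return "not a PNG (bad signature)"
    pos = len(PNG_SIGNATURE)
    while True:
        header = data[pos:pos + 8]  # 4-byte big-endian length + 4-byte type
        if len(header) < 8:
            return "EOF at offset %d before IEND (chunk header)" % pos
        length, ctype = struct.unpack(">I4s", header)
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(data):
            return "EOF inside %s chunk at offset %d" % (ctype.decode("latin-1"), pos)
        if ctype == b"IEND":
            return None
        pos = end

def find_truncated_pngs(root):
    """Return sorted [(path, reason)] for files under root that start as PNG but end early."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it
            # Identify PNGs by magic bytes, not by file extension.
            if data.startswith(PNG_SIGNATURE):
                reason = png_truncation(data)
                if reason:
                    hits.append((path, reason))
    return sorted(hits)

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def sample_png():
    """Constructed sample input: a valid 1x1 greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
```

The walker does not open archives, so a PNG stored inside a ZIP (as in the test case quoted above) is not inspected.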
