
Win.Downloader.LNKAgent-10001628-0 causing clamd to crash #923

Closed
LinuxMagicSupportTeam opened this issue May 16, 2023 · 15 comments · Fixed by #934
@LinuxMagicSupportTeam

Describe the bug

The new signature Win.Downloader.LNKAgent-10001628-0 is causing clamd to crash even though the database test was passed by freshclam.

It's been brought up on other online forums as well.

How to reproduce the problem

Logs:
freshclam[720]: Tue May 16 01:00:20 2023 -> Received signal: wake up
freshclam[720]: Tue May 16 01:00:20 2023 -> ClamAV update process started at Tue May 16 01:00:20 2023
freshclam[720]: Tue May 16 01:00:20 2023 -> daily database available for update (local version: 26907, remote version: 26908)
freshclam[720]: Tue May 16 01:00:21 2023 -> Testing database: '/var/lib/clamav/tmp.05d7654ad9/clamav-815c289ec8e7bb456a352c9aadb35fcb.tmp-daily.cld' ...
freshclam[1170615]: Tue May 16 01:00:24 2023 -> ~[LibClamAV] Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0
freshclam[1170615]: Tue May 16 01:00:24 2023 -> ~[LibClamAV] cli_ac_addpatt: cannot use filter for trie
freshclam[720]: Tue May 16 01:00:24 2023 -> Database test passed.
freshclam[720]: Tue May 16 01:00:24 2023 -> daily.cld updated (version: 26908, sigs: 2034816, f-level: 90, builder: raynman)
freshclam[720]: Tue May 16 01:00:25 2023 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
freshclam[720]: Tue May 16 01:00:25 2023 -> bytecode.cvd database is up-to-date (version: 334, sigs: 91, f-level: 90, builder: anvilleg)
freshclam[720]: Tue May 16 01:00:25 2023 -> Clamd successfully notified about the update.
clamd[768]: Tue May 16 01:00:25 2023 -> Reading databases from /var/lib/clamav
clamd[768]: LibClamAV Warning: Don't know how to create filter for: Win.Downloader.LNKAgent-10001628-0
clamd[768]: LibClamAV Warning: cli_ac_addpatt: cannot use filter for trie <---- clamd dies

@micahsnyder
Contributor

Hi @LinuxMagicSupportTeam thanks for the report. We also received reports of this through the clamav-users mailing list. The signature has been dropped and an out-of-band build of a new daily.cvd with the signature removed was triggered.

We can keep this ticket open to track down the cause of the crash and fix the actual bug.

@mensfeld

@micahsnyder thank you for your work. Any info on when the new daily.cvd should be alive?

@micahsnyder
Contributor

I don't have a specific ETA. I've asked and will update if I find out before it goes live. I know it is being built right now and will be published immediately when it is ready.

@micahsnyder
Contributor

It should be up in about 1 hour. I'll keep an eye out for it and say something when I see it.

@micahsnyder
Contributor

Looks like it was a little faster than expected. daily-26909 is available now.

@jshernandez017

Anyone else seeing this after updating to daily-26909?

clamscan -r --bell -i /path/to/package/scanned
LibClamAV Warning: PNG: Unexpected early end-of-file.
----------- SCAN SUMMARY -----------
Known viruses: 8666750
Engine version: 0.103.8
Scanned directories: 2381
Scanned files: 11702
Infected files: 0
Data scanned: 585.26 MB
Data read: 764.21 MB (ratio 0.77:1)
Time: 151.147 sec (2 m 31 s)
Start Date: 2023:05:16 23:26:28
End Date:   2023:05:16 23:29:00

@micahsnyder
Contributor

The "LibClamAV Warning: PNG: Unexpected early end-of-file." would be a warning from something strange observed when scanning a PNG found in one of the 11702 files that you scanned. I imagine the same warning would occur with prior database versions as well.

@jshernandez017

Thanks @micahsnyder, great work on resolving this quickly

@EmBitz

EmBitz commented May 17, 2023

Hi, I have the same problem, how do I install a daily version? only from source?
I'm on Debian 11

Thanks

@micahsnyder
Contributor

micahsnyder commented May 18, 2023

Hi @EmBitz just run freshclam to update to a newer version of the database.

@LinuxMagicSupportTeam
Author

Hi, just checking to see if there is any update for the original issue with freshclam and clamav crashing on that Win.Downloader signature..?

Thanks!

@micahsnyder
Contributor

@LinuxMagicSupportTeam Not yet. I'm hoping that I or a teammate will work on a fix next week. It seems like the bad signature is partially loaded, causing a failure during a scan later. The cause of the crash is indexing a buffer[-1], which is basically trying to read 1 byte that is really far out of bounds.

Because the crash depends on a bad signature being loaded, and because it's a 1 byte out of bounds read, we're not going to consider it a security issue. We'll fix it sooner than later, but won't rush out a security patch release.

I do intend to backport the fix for 0.103, 1.0, and 1.1 though, just to try to prevent this kind of incident from happening again.

@LinuxMagicSupportTeam
Author

Hello again, I am just following up on this ticket to see if there has been any update... Thanks!

micahsnyder added a commit to micahsnyder/clamav-micah that referenced this issue May 30, 2023
If a signature has a pattern that is too short, it will fail to load the
signature but does not cause the entire load process to abort.
This is bad for two reasons:
1) It is not immediately apparent that the signature is bad, and so it
could be published accidentally.
2) The signature is partially loaded by the time the bad pattern is
observed and that may cause a crash later.

Because of #1, it is not worth it to try to unload the first part of the
signature. Instead, we should just abort the signature load.

Fixes: Cisco-Talos#923
micahsnyder added a commit to micahsnyder/clamav-micah that referenced this issue May 30, 2023
If a signature has a pattern that is too short, it will fail to load the
signature but does not cause the entire load process to abort.
This is bad for two reasons:
1) It is not immediately apparent that the signature is bad, and so it
could be published accidentally.
2) The signature is partially loaded by the time the bad pattern is
observed and that may cause a crash later.

Because of (1), it is not worth it to try to unload the first part of the
signature. Instead, we should just abort the signature load.

Fixes: Cisco-Talos#923
micahsnyder added a commit that referenced this issue Jun 13, 2023
If a signature has a pattern that is too short, it will fail to load the
signature but does not cause the entire load process to abort.
This is bad for two reasons:
1) It is not immediately apparent that the signature is bad, and so it
could be published accidentally.
2) The signature is partially loaded by the time the bad pattern is
observed and that may cause a crash later.

Because of (1), it is not worth it to try to unload the first part of the
signature. Instead, we should just abort the signature load.

Fixes: #923

We should also abort loading if the filter pattern for the Boyer-Moore
matcher is shorter than 2 bytes.

Also, do not print the final "Loading" progress bar if an error occurred.
micahsnyder added a commit to micahsnyder/clamav-micah that referenced this issue Jun 13, 2023
If a signature has a pattern that is too short, it will fail to load the
signature but does not cause the entire load process to abort.
This is bad for two reasons:
1) It is not immediately apparent that the signature is bad, and so it
could be published accidentally.
2) The signature is partially loaded by the time the bad pattern is
observed and that may cause a crash later.

Because of (1), it is not worth it to try to unload the first part of the
signature. Instead, we should just abort the signature load.

Fixes: Cisco-Talos#923

We should also abort loading if the filter pattern for the Boyer-Moore
matcher is shorter than 2 bytes.

Also, do not print the final "Loading" progress bar if an error occurred.
micahsnyder added a commit that referenced this issue Jun 20, 2023
If a signature has a pattern that is too short, it will fail to load the
signature but does not cause the entire load process to abort.
This is bad for two reasons:
1) It is not immediately apparent that the signature is bad, and so it
could be published accidentally.
2) The signature is partially loaded by the time the bad pattern is
observed and that may cause a crash later.

Because of (1), it is not worth it to try to unload the first part of the
signature. Instead, we should just abort the signature load.

Fixes: #923

We should also abort loading if the filter pattern for the Boyer-Moore
matcher is shorter than 2 bytes.

Also, do not print the final "Loading" progress bar if an error occurred.
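An added C example (not ClamAV's own code) of the validate-then-commit loading the commit message above describes: every sub-pattern of a constructed hex signature is checked against a 2-byte minimum before anything is committed, so a bad signature is rejected whole instead of being left half-loaded for a later scan to trip over. The '*'-separated hex format, the sig_t structure and the MIN_PATTERN_LEN constant are assumptions for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
#define MIN_PATTERN_LEN 2   /* assumed: the filter needs at least 2 bytes per part */
#define MAX_PARTS 8
/* Constructed stand-in for a loaded multi-part signature (hex parts split on '*'). */
typedef struct {
    size_t count;
    size_t len[MAX_PARTS];
    uint8_t pat[MAX_PARTS][32];
} sig_t;
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Decode n hex chars into out; returns the byte count, or -1 on malformed input. */
static int decode_hex(const char *s, size_t n, uint8_t *out, size_t cap)
{
    if (n == 0 || n % 2 != 0 || n / 2 > cap) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(s[i]), lo = hexval(s[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(n / 2);
}
/* Parse every part into a scratch copy first and commit to *dst only when all
 * parts pass; one malformed or too-short part rejects the whole signature.
 * Returns 0 on success, -1 on reject (with *dst untouched). */
int load_signature(const char *hexsig, sig_t *dst)
{
    sig_t tmp = {0};
    const char *p = hexsig;
    for (;;) {
        const char *star = strchr(p, '*');
        size_t n = star ? (size_t)(star - p) : strlen(p);
        if (tmp.count >= MAX_PARTS) return -1;
        int len = decode_hex(p, n, tmp.pat[tmp.count], sizeof tmp.pat[0]);
        if (len < MIN_PATTERN_LEN) return -1;   /* malformed or too short: abort */
        tmp.len[tmp.count++] = (size_t)len;
        if (!star) break;
        p = star + 1;
    }
    *dst = tmp;   /* nothing is visible to the matcher until every part validated */
    return 0;
}
```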
@rma-x

rma-x commented Aug 22, 2023

I do intend to backport the fix for 0.103, 1.0, and 1.1 though, [...]

It looks like the fix only made it into 1.0.2, but not 0.103.9? Do you still intend to backport it to 0.103?

@micahsnyder
Contributor

@rma-x the signature was removed from the database so the crash is mitigated for all versions. We backported the fix for the 1.0.2 LTS version to make sure new signatures are tested with a version that will reject bad signatures to prevent the incident from happening again. So no plans to backport the fix to 0.103.x.
