Bug 172749 - >=app-antivirus/clamav-0.90 - Zip module failure
Summary: >=app-antivirus/clamav-0.90 - Zip module failure
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
Importance: High normal
Assignee: Antivirus Team
URL: https://wwws.clamav.net/bugzilla/show...
Reported: 2007-03-30 06:28 UTC by Jaco Kroon
Modified: 2007-04-13 11:48 UTC (History)

Attachments
pdf file that breaks (1HQgg6-0005mO-7i-00000.pdf,653.62 KB, application/pdf)
2007-03-30 06:32 UTC, Jaco Kroon

Description Jaco Kroon 2007-03-30 06:28:04 UTC
When scanning certain files clamav >= 0.90 fails with Zip module failure.  This seems to be OS related as the clamav devs seem unable to reproduce.

Reproducible: Always

Steps to Reproduce:

Actual Results:  
atlantis ~ # clamscan 1HQgg6-0005mO-7i-00000.pdf
1HQgg6-0005mO-7i-00000.pdf: Zip module failure

----------- SCAN SUMMARY -----------
Known viruses: 104270
Engine version: 0.90.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.64 MB
Time: 5.573 sec (0 m 5 s)
atlantis ~ # 


Portage 2.1.2.2 (default-linux/x86/2006.1, gcc-4.1.1, glibc-2.5-r0, 2.6.20 i686)
=================================================================
System uname: 2.6.20 i686 AMD Sempron(tm) Processor 3000+
Gentoo Base System release 1.12.9
Timestamp of tree: Mon, 19 Mar 2007 04:50:01 +0000
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=pentium4 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildpkg distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://tauri.local.uls.co.za/gentoo-portage"
USE="apache2 bash-completion berkdb bitmap-fonts bzip2 cli cracklib crypt diskio dri elf exiscan-acl fam gpm gzip iconv isdnlog libg++ lm_sensors logrotate midi mysql ncurses no-old-linux nptl nptlonly pam pcre png ppds pppd readline reflection session spl ssl truetype-fonts type1-fonts x86 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark ati chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mga neomagic nsc nv rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

I mostly use clamav for scanning email.  Exim is configured to defer email that it fails to scan ... a workaround would be to accept these emails that may potentially leave my users open for exploit.
Comment 1 Jaco Kroon 2007-03-30 06:32:22 UTC
Created attachment 114909
pdf file that breaks
Comment 2 Jaco Kroon 2007-03-30 06:32:39 UTC
Created attachment 114910
pdf file that breaks
Comment 3 Andrej Kacian (RETIRED) gentoo-dev 2007-03-30 09:14:17 UTC
I can reproduce this too. From clamscan -v --debug:

Scanning 1HQgg6-0005mO-7i-00000.pdf
LibClamAV debug: Recognized PDF document file
LibClamAV debug: in cli_pdf(/tmp/clamav-662f39c4a71d1bca45556a875f9df3e8)
LibClamAV debug: cli_pdf: scanning 669309 bytes
LibClamAV debug: cli_pdf: Incorrect Length field in file attempting to recover
LibClamAV debug: length 6, calculated_streamlen 1393 isFlate 1 isASCII85 0
LibClamAV debug: cli_pdf: flatedecode 6 bytes
LibClamAV debug: pdf: after writing 0 bytes, got error -5 inflating PDF attachment
LibClamAV debug: cli_pdf: flatedecode 1393 bytes
LibClamAV debug: pdf: after writing 0 bytes, got error -5 inflating PDF attachment
LibClamAV debug: cli_pdf: extracted to /tmp/clamav-662f39c4a71d1bca45556a875f9df3e8/pdfAZPQlB
LibClamAV debug: cli_pdf: returning -104
1HQgg6-0005mO-7i-00000.pdf: Zip module failure

----------- SCAN SUMMARY -----------
Known viruses: 102145
Engine version: 0.90.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.64 MB
Time: 6.567 sec (0 m 6 s)
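
Added example, not part of the bug thread and not ClamAV code: the debug lines in comment 3 show a stream whose declared Length (6) disagrees with the length calculated from the file (1393), and zlib status -5 (Z_BUF_ERROR) on inflate. The Python below runs that declared-versus-calculated comparison over a constructed PDF, which is a useful first check when a scanner defers a file it cannot unpack. The regex, function names and sample file are assumptions for illustration, and the sample does not reproduce the attached file, where both lengths failed.

```python
import re
import zlib

# Stream object with a direct integer /Length (indirect "N 0 R" lengths are skipped).
# Assumes LF line endings around the stream data, as in the constructed sample.
STREAM_RE = re.compile(
    rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)[^>]*>>\s*stream\r?\n(.*?)\nendstream",
    re.DOTALL)

def inflate_rc(data):
    """Return 0 if data inflates completely, else the negative zlib status code."""
    try:
        zlib.decompress(data)
        return 0
    except zlib.error as exc:
        # CPython formats the message as "Error -5 while decompressing data: ..."
        m = re.search(r"Error (-?\d+)", str(exc))
        return int(m.group(1)) if m else None

def audit_streams(pdf):
    """Compare each stream's declared /Length with the bytes actually present."""
    findings = []
    for m in STREAM_RE.finditer(pdf):
        declared, body = int(m.group(1)), m.group(2)
        findings.append({
            "declared": declared,
            "calculated": len(body),
            "declared_rc": inflate_rc(body[:declared]),  # trust the dictionary
            "calculated_rc": inflate_rc(body),           # trust the file layout
        })
    return findings

def build_sample():
    """Constructed two-stream PDF: object 1 lies about /Length, object 2 does not."""
    data = zlib.compress(b"constructed page content\n" * 100)
    pdf = b"%PDF-1.4\n"
    for num, declared in enumerate((6, len(data)), 1):
        pdf += b"%d 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % (num, declared)
        pdf += data + b"\nendstream\nendobj\n"
    return pdf + b"%%EOF\n"

if __name__ == "__main__":
    for f in audit_streams(build_sample()):
        flag = "MISMATCH" if f["declared"] != f["calculated"] else "ok"
        print(flag, f)
```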
Comment 4 Andrej Kacian (RETIRED) gentoo-dev 2007-03-30 09:35:10 UTC
You can build your own clamav by unpacking the tarball somewhere and running:

./configure --prefix=${HOME}/myclamav
make
make install

This will install all files which ebuild installs under /usr into ${HOME}/myclamav.
Comment 5 Andrej Kacian (RETIRED) gentoo-dev 2007-04-01 22:00:44 UTC
I can reproduce this with hand-compiled 0.90.1, but I can't reproduce it with a hand-compiled snapshot from April 1st, so it seems like they have fixed it sometime in between.
Comment 6 Jaco Kroon 2007-04-02 06:26:37 UTC
I can confirm that.  Their svn is down atm, but the oldest snapshot (20070312) that I could download works now.  As soon as I can grab svn I can locate the patch that fixes the issue - I assume that this will be worth a backport as I'm pretty sure I'm not the only person affected by this issue.
Comment 7 Andrej Kacian (RETIRED) gentoo-dev 2007-04-13 11:48:37 UTC
This should be fixed in 0.90.2, fresh in the tree and soon to be stable for security reasons.