Summary: | app-antivirus/clamav-0.99.2 : configure: error: The installed zlib version may contain a security bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can omit this check with --disable-zlib-vcheck but DO NOT REPORT any stability issues then! | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Toralf Förster <toralf> |
Component: | Current packages | Assignee: | Antivirus Team <antivirus> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | chris, dschridde+gentoobugs, elliot, gentoo-bugs, gentoo, hikavdh, jah, jer, lazy, leonchik1976, net-mail+disabled, zmedico |
Priority: | Normal | Keywords: | InVCS |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | | Runtime testing required: | --- |
Attachments: | app-antivirus:clamav-0.99.2:20170104-134354.log, config.log, emerge-history.txt, environment, etc.portage.tbz2 | ||
Description
Toralf Förster
2017-01-04 13:46:28 UTC
Created attachment 458720
app-antivirus:clamav-0.99.2:20170104-134354.log
Created attachment 458722
config.log
Created attachment 458724
emerge-history.txt
Created attachment 458726
environment
Created attachment 458728
etc.portage.tbz2
ditto

I think I got it pinned down. The configure line that fails the check is this:

    vuln=`grep "ZLIB_VERSION \"1.2.1" $ZLIB_HOME/include/zlib.h`

This returns positive on zlib version 1.2.10 that I currently have in my system. Also all of 1.2.1x, 1.2.1xx, 1.2.1xxx and so on. A rookie mistake. The correct line would be

    vuln=`grep "ZLIB_VERSION \"1.2.1\"" $ZLIB_HOME/include/zlib.h`

(In reply to Mattias Merilai from comment #7)
Looks like it was fixed upstream recently: https://github.com/vrtadmin/clamav-devel/blob/f0bcd186190fe6e67b3f0eaaceb7a99aa6a98865/m4/reorganization/libs/libz.m4

Cool. Any idea when we can ship the difference? It's not just our 0.99.2 and 0.99.1 (~arch), but 0.99 (stable) too.

I'm getting the same error message trying to upgrade clamav to 0.99.2 on a Raspberry Pi 3. I have zlib-1.2.11

As a workaround, you can set EXTRA_ECONF="--disable-zlib-vcheck" in /etc/portage/env/app-antivirus/clamav.

I can confirm that setting the --disable-zlib-vcheck works. Just like downgrading zlib to 1.2.8.

There is already a >= 1.2.2 dependency for sys-libs/zlib

This is fixed in git: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=294f8b57b09196e40ec07bf24b8cc79b1ae24f55

*** Bug 606888 has been marked as a duplicate of this bug. ***

Seems only related to the version number calculation, only the first integer of zlib is considered 1.2.10 == 1.2.1 -> advise: install 1.2.2!
(In reply to Zac Medico from comment #13)
> This is fixed in git:
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=294f8b57b09196e40ec07bf24b8cc79b1ae24f55

commit bcbbdee31e7cc94d9262a9df057db8fdd31d2f47
Author: Austin English <wizardedit@gentoo.org>
Date: Fri Jan 27 13:36:06 2017 -0600

    app-antivirus/clamav: use upstream fix for broken zlib check instead of disabling it completely

    Ack'ed by radhermit

    Gentoo-Bug: https://bugs.gentoo.org/604650
    Package-Manager: Portage-2.3.2, Repoman-2.3.1

So some upstream person thought that the broken by design version check was not broken at all, and then some Gentoo person agreed with it or something and some other Gentoo person dropped the patch in FILESDIR?

Just so you know, I have re-added --disable-zlib-vcheck[1] in 0.99.2-r1 again, but left the upstream "fix" in place for people who like to override econf and shoot themselves in the foot with it.

[1] As well as the equally important --disable-gcc-vcheck.

(In reply to Jeroen Roovers from comment #16)
The upstream fix seems legit to me. It shouldn't match 1.2.10 or later because they don't have a double quote immediately following the 1.2.1:

    $ grep "define ZLIB_VERSION" /usr/include/zlib.h
    #define ZLIB_VERSION "1.2.11"
    $ grep "ZLIB_VERSION \"1.2.0\"" /usr/include/zlib.h
    $ grep "ZLIB_VERSION \"1.2.1\"" /usr/include/zlib.h

What's the discussion about? The built-in version check is superfluous as the ebuild takes care of that check. Whether it works or not, it is not needed. So PLEASE leave it disabled, so I do not have to patch the ebuild!

(In reply to Zac Medico from comment #17)
> The upstream fix seems legit to me.

It's only legitimate if you accept the premise that clamav developers are reliable monitors of zlib development.
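
The prefix match discussed in this report, reproduced as an added example (not code from the bug report, the Gentoo ebuild or ClamAV's configure script): it runs the broken and the corrected grep checks quoted above against constructed zlib.h headers. The function names, the temporary directory layout and the numeric comparison in check_numeric are assumptions that go beyond what the thread shows.

```shell
#!/bin/sh
# Added example: the headers below are constructed, not real zlib headers.

# make_header DIR VERSION: write a minimal constructed DIR/include/zlib.h
make_header() {
    mkdir -p "$1/include"
    printf '#define ZLIB_VERSION "%s"\n' "$2" > "$1/include/zlib.h"
}

# Broken check quoted in the report: no closing quote, so 1.2.1 is a prefix.
check_broken() {
    grep -q "ZLIB_VERSION \"1.2.1" "$1/include/zlib.h" && echo vulnerable || echo ok
}

# Corrected check quoted in the report: the closing quote ends the match.
check_fixed() {
    grep -q "ZLIB_VERSION \"1.2.1\"" "$1/include/zlib.h" && echo vulnerable || echo ok
}

# Assumption, not from the thread: compare numerically against the 1.2.2
# minimum named in the configure error; an unparsable header fails closed.
check_numeric() {
    ver=$(sed -n 's/^#define ZLIB_VERSION "\([0-9.]*\).*/\1/p' "$1/include/zlib.h")
    old_ifs=$IFS; IFS=.
    set -- $ver            # split "1.2.11" into 1 2 11
    IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    if [ "$maj" -lt 1 ] ||
       { [ "$maj" -eq 1 ] && [ "$min" -lt 2 ]; } ||
       { [ "$maj" -eq 1 ] && [ "$min" -eq 2 ] && [ "$pat" -lt 2 ]; }; then
        echo vulnerable
    else
        echo ok
    fi
}

# Run all three checks over the zlib versions mentioned in the thread.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
for v in 1.2.1 1.2.2 1.2.8 1.2.10 1.2.11; do
    make_header "$tmp/$v" "$v"
    printf '%-7s broken=%-10s fixed=%-10s numeric=%s\n' "$v" \
        "$(check_broken "$tmp/$v")" "$(check_fixed "$tmp/$v")" \
        "$(check_numeric "$tmp/$v")"
done
```
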