
Bug 916147

Summary: app-antivirus/clamav-1.2.0: config file PidFile should point to /run/clamd.pid
Product: Gentoo Linux Reporter: Christophe PEREZ <chris>
Component: Current packages
Assignee: Antivirus Team <antivirus>
Status: CONFIRMED
Severity: normal CC: bes.internal, kangie, mjo, proxy-maint
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/Cisco-Talos/clamav/issues/1076
Whiteboard:
Package list:
Runtime testing required: ---

Description Christophe PEREZ 2023-10-23 06:26:55 UTC
According to default config files, init scripts should contain pidfile=/run/clamav/

Actually:

# grep pidfile= $(qlist clamav | grep init )
/etc/init.d/clamav-milter:pidfile="/run/${RC_SVCNAME}.pid"
/etc/init.d/clamd:pidfile="/run/${RC_SVCNAME}.pid"
/etc/init.d/freshclam:pidfile="/run/${RC_SVCNAME}.pid"
Comment 1 Michael Orlitzky gentoo-dev 2023-10-23 16:53:46 UTC
No, it shouldn't. That's a security vulnerability, and one that clamav upstream already spent a lot of time fixing. Here's my reply to the change announcement:

  https://marc.info/?l=clamav-users&m=169117576515342&w=2
Comment 2 Christophe PEREZ 2023-10-23 16:58:31 UTC
In your opinion it is therefore normal to have a different pidfile in the init script and in the configuration.
Ok, that's your view, but many will have problems with it.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-23 16:59:48 UTC
Can you give an actual reason you want something different here? It's not about preference.

And mjo has already asked upstream to fix the "default config files" you reference.
Comment 4 Michael Orlitzky gentoo-dev 2023-10-23 17:07:31 UTC
Ok, there is a real problem here, just not the one in the summary.

The 1.2.0 ebuild runs,

  sed -e "s/^#\(PidFile .*\)/\1/"

on the config file to uncomment that line. While it used to be OK, now it is not. But the config file should be changed because the upstream commented location is now secure. The init script has it right.
Comment 5 Michael Orlitzky gentoo-dev 2023-10-23 17:08:33 UTC
(In reply to Michael Orlitzky from comment #4)
> now secure

now INsecure
Comment 6 Christophe PEREZ 2023-10-27 03:58:57 UTC
# genlop -n clamav | tail -n1
     Fri Oct 27 05:41:19 2023 >>> app-antivirus/clamav-1.2.1
# grep PidFile /etc/clamav/*.sample
clamav-milter.conf.sample:#PidFile /run/clamav/clamav-milter.pid
clamd.conf.sample:#PidFile /run/clamav/clamd.pid
freshclam.conf.sample:#PidFile /run/clamav/freshclam.pid

# grep pidfile= $(qlist clamav | grep init )
/etc/init.d/clamav-milter:pidfile="/run/${RC_SVCNAME}.pid"
/etc/init.d/clamd:pidfile="/run/${RC_SVCNAME}.pid"
/etc/init.d/freshclam:pidfile="/run/${RC_SVCNAME}.pid"
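The disagreement shown in comments 4 and 6 (the ebuild uncomments the config's PidFile, which now points under /run/clamav/, while the OpenRC script uses /run/${RC_SVCNAME}.pid) can be checked mechanically. The script below is an added example, not code from the bug report or the clamav package; the sample config and init script it builds under a mktemp directory are constructed to mirror the output in comment 6.

```shell
# Added example: flag a clamd-style config whose PidFile disagrees with
# the pidfile= of its OpenRC init script. Sample files are constructed.
set -eu

# PidFile value from a clamd/freshclam/milter config, commented or not
# (the ebuild's sed 's/^#\(PidFile .*\)/\1/' only drops the leading '#',
# so a commented default becomes the live setting).
config_pidfile() {
    sed -n 's/^#\{0,1\}PidFile[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# pidfile= from an OpenRC init script, with ${RC_SVCNAME} expanded the
# way OpenRC does at runtime: the service name is the script's basename.
init_pidfile() {
    svc=$(basename "$1")
    sed -n 's/^pidfile="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" \
        | sed "s/\\\${RC_SVCNAME}/$svc/g" | head -n 1
}

# Prints "ok <path>" when both agree, "mismatch <config> <init>" otherwise.
check_service() {
    cfg=$(config_pidfile "$1")
    ini=$(init_pidfile "$2")
    if [ "$cfg" = "$ini" ]; then
        printf 'ok %s\n' "$ini"
    else
        printf 'mismatch %s %s\n' "$cfg" "$ini"
    fi
}

# Build constructed clamd files matching comment 6 and run the check.
demo() {
    tmp=$(mktemp -d)
    printf '#PidFile /run/clamav/clamd.pid\nLogFile /var/log/clamav/clamd.log\n' \
        > "$tmp/clamd.conf.sample"
    printf '#!/sbin/openrc-run\npidfile="/run/${RC_SVCNAME}.pid"\n' > "$tmp/clamd"
    result=$(check_service "$tmp/clamd.conf.sample" "$tmp/clamd")
    rm -rf "$tmp"
    printf '%s\n' "$result"
}

demo
```

On a real system, point `check_service` at /etc/clamav/clamd.conf (or the .sample) and /etc/init.d/clamd; a "mismatch" line reproduces the state described in this bug.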
Comment 7 Michael Orlitzky gentoo-dev 2023-10-27 12:18:22 UTC
I had forgotten about this and it doesn't look like anyone acted on my mailing list message, so I opened

  https://github.com/Cisco-Talos/clamav/issues/1076

as a reminder.