604650 – app-antivirus/clamav-0.99.2 : configure: error: The installed zlib version may contain a security bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can omit this check with --disable-zlib-vcheck but DO NOT REPORT any stability issues then!

Bug 604650 - app-antivirus/clamav-0.99.2 : configure: error: The installed zlib version may contain a security bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can omit this check with --disable-zlib-vcheck but DO NOT REPORT any stability issues then!

Summary: app-antivirus/clamav-0.99.2 : configure: error: The installed zlib version ma...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal normal with 1 vote (vote)
Assignee:	Antivirus Team

URL:
Whiteboard:
Keywords:	InVCS

Duplicates (1):	606888 (view as bug list)
Depends on:
Blocks:

Reported:	2017-01-04 13:46 UTC by Toralf Förster
Modified:	2017-04-23 22:17 UTC (History)
CC List:	12 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
app-antivirus:clamav-0.99.2:20170104-134354.log (app-antivirus:clamav-0.99.2:20170104-134354.log,16.08 KB, text/plain) 2017-01-04 13:46 UTC, Toralf Förster	Details
config.log (config.log,218.48 KB, text/plain) 2017-01-04 13:46 UTC, Toralf Förster	Details
emerge-history.txt (emerge-history.txt,283.32 KB, text/plain) 2017-01-04 13:46 UTC, Toralf Förster	Details
environment (environment,108.83 KB, text/plain) 2017-01-04 13:46 UTC, Toralf Förster	Details
etc.portage.tbz2 (etc.portage.tbz2,18.41 KB, application/x-bzip) 2017-01-04 13:46 UTC, Toralf Förster	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Toralf Förster gentoo-dev

2017-01-04 13:46:28 UTC

checking whether to enable maintainer-specific portions of Makefiles... no
checking for zlib installation... using /usr
configure: error: The installed zlib version may contain a security bug. Please upgrade to 1.2.2 or later: http://www.zlib.net. You can omit this check with --disable-zlib-vcheck but DO NOT REPORT any stability issues then!

!!! Please attach the following file when seeking support:
!!! /var/tmp/portage/app-antivirus/clamav-0.99.2/work/clamav-0.99.2/config.log

  -----------------------------------------------------------------

  This is an unstable amd64 chroot image (named 13.0-no-multilib-libressl-unstable_20161230-143925) at a hardened host acting as a tinderbox.

  -----------------------------------------------------------------
  from make.conf:
USE="  -openssl -gnutls libressl pax_kernel xtpax -cdinstall -oci8 -bindist ssp aqua -avformat cdb contrib corefonts dbus dot eglfs freetds gif -go gstreamer gtk hdf5 help ipv6 kerberos mbox -policykit printsupport pulseaudio qt5 rendering smartcard sql system-harfbuzz udev v4l2 wayland webgl X xkb xml xvfb zenmap"

gcc-config -l:
 [1] x86_64-pc-linux-gnu-5.4.0 *
llvm-config --version:
3.9.1

Available Python interpreters, in order of preference:
  [1]   python3.4
  [2]   python3.5 (fallback)
  [3]   python2.7 (fallback)

java-config:
The following VMs are available for generation-2:
  -----------------------------------------------------------------



$ cat emerge-info.txt
Portage 2.3.3 (python 3.4.5-final-0, default/linux/amd64/13.0/no-multilib, gcc-5.4.0, glibc-2.24, 4.8.15-hardened x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.8.15-hardened-x86_64-Intel-R-_Core-TM-_i7-3930K_CPU_@_3.20GHz-with-gentoo-2.3
KiB Mem:    65285560 total,   3349208 free
KiB Swap:   67108860 total,  67084412 free
Timestamp of repository gentoo: Wed, 04 Jan 2017 10:32:42 +0000
sh bash 4.4_p5-r1
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash:          4.4_p5-r1::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.24.1_rc4::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo, 3.5.2::gentoo
dev-util/cmake:           3.7.1::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.23::gentoo
sys-apps/sandbox:         2.10-r3::gentoo
sys-devel/autoconf:       2.69-r2::gentoo
sys-devel/automake:       1.9.6-r4::gentoo, 1.10.3-r2::gentoo, 1.11.6-r2::gentoo, 1.13.4-r1::gentoo, 1.14.1-r1::gentoo, 1.15-r2::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo, 2.27::gentoo
sys-devel/gcc:            5.4.0-r2::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r2::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.9::gentoo (virtual/os-headers)
sys-libs/glibc:           2.24::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: 1

tinderbox
    location: /tmp/tb/data/portage
    masters: gentoo
    priority: 2

local
    location: /usr/local/portage
    masters: gentoo
    priority: 99

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native -Wall"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/tomoyo/conf /usr/share/config /usr/share/qpsmtpd/plugins"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/apache2-php7.1/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cgi-php7.1/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/php/cli-php7.1/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native"
DISTDIR="/var/tmp/distfiles"
EMERGE_DEFAULT_OPTS="--verbose --verbose-conflicts --color=n --nospinner --tree --quiet-build"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync network-sandbox parallel-fetch preserve-libs protect-owned sandbox sfperms strict test-fail-continue unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.uni-erlangen.de/pub/mirrors/gentoo rsync://mirror.netcologne.de/gentoo/ ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gor.bytemark.co.uk/gentoo/ rsync://ftp.snt.utwente.nl/gentoo"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j1"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X acl amd64 berkdb bzip2 cdb cli contrib corefonts cracklib crypt cxx dbus dot dri eglfs fortran freetds gdbm gif gstreamer gtk hdf5 help iconv ipv6 kerberos libressl mbox mmx mmxext modules ncurses nls nptl openmp pam pax_kernel pcre printsupport pulseaudio qt5 readline rendering seccomp session smartcard sql sse sse2 ssl ssp system-harfbuzz tcpd udev unicode v4l2 wayland webgl xattr xkb xml xtpax xvfb zenmap zlib" ABI_X86="64" ALSA_CARDS="hda-intel" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" CURL_SSL="libressl" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" L10N="ast bo gd nr" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby21" USERLAND="GNU" VIDEO_CARDS="intel i965" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

Comment 1 Toralf Förster gentoo-dev

2017-01-04 13:46:32 UTC

Created attachment 458720 [details]
app-antivirus:clamav-0.99.2:20170104-134354.log

Comment 2 Toralf Förster gentoo-dev

2017-01-04 13:46:35 UTC

Created attachment 458722 [details]
config.log

Comment 3 Toralf Förster gentoo-dev

2017-01-04 13:46:38 UTC

Created attachment 458724 [details]
emerge-history.txt

Comment 4 Toralf Förster gentoo-dev

2017-01-04 13:46:42 UTC

Created attachment 458726 [details]
environment

Comment 5 Toralf Förster gentoo-dev

2017-01-04 13:46:46 UTC

Created attachment 458728 [details]
etc.portage.tbz2

Comment 6 Mattias Merilai 2017-01-14 03:12:20 UTC

ditto

Comment 7 Mattias Merilai 2017-01-14 17:12:26 UTC

I think I got it pinned down. The configure line that fails the check is this:

vuln=`grep "ZLIB_VERSION \"1.2.1" $ZLIB_HOME/include/zlib.h`

This returns positive on zlib version 1.2.10 that I currently have in my system. Also all of 1.2.1x, 1.2.1xx, 1.2.1xxx and so on. A rookie mistake.

The correct line would be 

vuln=`grep "ZLIB_VERSION \"1.2.1\"" $ZLIB_HOME/include/zlib.h`

Comment 8 Elliot Chandler 2017-01-14 19:36:46 UTC

(In reply to Mattias Merilai from comment #7)

Looks like it was fixed upstream recently: https://github.com/vrtadmin/clamav-devel/blob/f0bcd186190fe6e67b3f0eaaceb7a99aa6a98865/m4/reorganization/libs/libz.m4

Comment 9 Mattias Merilai 2017-01-14 20:16:57 UTC

Cool. Any idea when we can ship the difference? It's not just our 0.99.2 and 0.99.1 (~arch), but 0.99 (stable) too.

Comment 10 Chris Mansfield 2017-01-17 17:17:05 UTC

I'm getting the same error message trying to upgrade clamav to 0.99.2 on a Raspberry PI 3.

I have zlib-1.2.11

Comment 11 Zac Medico gentoo-dev

2017-01-19 21:41:08 UTC

As a workaround, you can set EXTRA_ECONF="--disable-zlib-vcheck" in /etc/portage/env/app-antivirus/clamav.

Comment 12 Hika 2017-01-21 20:51:00 UTC

I can confirm that setting the --disable-zlib-vcheck works. Just like downgrading zlib to 1.2.8. There is already a >= 1.2.2 dependency for sys-libs/zlib

Comment 13 Zac Medico gentoo-dev

2017-01-21 21:10:04 UTC

This is fixed in git:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=294f8b57b09196e40ec07bf24b8cc79b1ae24f55

Comment 14 Jeroen Roovers (RETIRED) gentoo-dev

2017-01-23 09:44:11 UTC

*** Bug 606888 has been marked as a duplicate of this bug. ***

Comment 15 Ivan Dorna 2017-01-30 09:45:28 UTC

Seems only related to the version number calculation, only the first integer of zlib it's considered 1.2.10 == 1.2.1 -> advise: install 1.2.2!

Comment 16 Jeroen Roovers (RETIRED) gentoo-dev

2017-04-23 20:39:10 UTC

(In reply to Zac Medico from comment #13)
> This is fixed in git:
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=294f8b57b09196e40ec07bf24b8cc79b1ae24f55

commit bcbbdee31e7cc94d9262a9df057db8fdd31d2f47
Author: Austin English <wizardedit@gentoo.org>
Date:   Fri Jan 27 13:36:06 2017 -0600

    app-antivirus/clamav: use upstream fix for broken zlib check instead of disabling it completely

    Ack'ed by radhermit

    Gentoo-Bug: https://bugs.gentoo.org/604650

    Package-Manager: Portage-2.3.2, Repoman-2.3.1


So some upstream person thought that the broken by design version check was not broken at all, and then some Gentoo person agreed with it or something and some other Gentoo person dropped the patch in FILESDIR?

Just so you know, I have re-added --disable-zlib-vcheck[1] in 0.99.2-r1 again, but left the upstream "fix" in place for people who like to override econf and shoot themselves in the foot with it.

[1] As well as the equally important --disable-gcc-vcheck.

Comment 17 Zac Medico gentoo-dev

2017-04-23 22:04:11 UTC

(In reply to Jeroen Roovers from comment #16)

The upstream fix seems legit to me. It shouldn't match 1.2.10 or later because they don't have a double quote immediately following the 1.2.1:

$ grep "define ZLIB_VERSION" /usr/include/zlib.h 
#define ZLIB_VERSION "1.2.11"
$ grep "ZLIB_VERSION \"1.2.0\"" /usr/include/zlib.h
$ grep "ZLIB_VERSION \"1.2.1\"" /usr/include/zlib.h

Comment 18 Hika 2017-04-23 22:15:40 UTC

What's the discussion about. The build-in version check is superfluous as the ebuild takes care of that check. Whether it works or not, it is not needed. So PLEASE leave it disabled, so I do not have to patch the ebuild!

Comment 19 Jeroen Roovers (RETIRED) gentoo-dev

2017-04-23 22:17:55 UTC

(In reply to Zac Medico from comment #17)
> The upstream fix seems legit to me.

It's only legitimate if you accept the premise that clamav developers are reliable monitors of zlib development.