Mailing List Archive

Re: [Clamav-announce] New packages for ClamAV 0.103.7, 0.104.4, 0.105.1 to resolve CVE's
Hi there,

On Mon, 31 Oct 2022, Micah Snyder (micasnyd) wrote:

> Today we are publishing updated packages for ClamAV 0.103.7 ...

Maybe I've done something stupid...

Nov 1 17:16:48 mail6 x3[3078]: 2A1HGPGJ007261: xm_clamav_scan( 2425): [74.121.52.251], [AS19795], Response from ClamAV daemon [ENGINE VERSION MISMATCH: devel-11aaa24dd != 0.103.7. ERROR]

Very pressed at the moment, all observations welcome.

--

73,
Ged.
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [Clamav-announce] New packages for ClamAV 0.103.7, 0.104.4, 0.105.1 to resolve CVE's
It seems that your libclamav is from a different build than your clamd.

The number on the right is the version number for clamd. The 0.103.7 version is what I would expect.

The number on the left is the version number for libclamav.
The short-hash represents this git commit: https://github.com/cisco-Talos/clamav/commit/11aaa24dd.
This is a different version string, and even different commit hash, than I would expect.
The release materials for 0.103.7-2 were generated from our rel/0.103 branch https://github.com/Cisco-Talos/clamav/commits/rel/0.103 so I would at least think that hash would be 416cd0b78. Of course, I would actually expect the version to be 0.103.7 for both, and not have the hash.

If I remember correctly, the version string showing a commit hash means that clamav was built from within a Git clone directory, rather than building from an un-tarred source tarball. By chance did you build and install libclamav from a git clone?

Regards,
Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

Re: [Clamav-announce] New packages for ClamAV 0.103.7, 0.104.4, 0.105.1 to resolve CVE's
Hi Micah,

On Tue, 1 Nov 2022, Micah Snyder (micasnyd) via clamav-users wrote:
> On Tue, 1 Nov 2022, G.W. Haywood via clamav-users wrote:
> > On Mon, 31 Oct 2022, Micah Snyder (micasnyd) wrote:
> >
> > > Today we are publishing updated packages for ClamAV 0.103.7 ...
> >
> > Maybe I've done something stupid...
> >
> > Nov 1 17:16:48 mail6 x3[3078]: 2A1HGPGJ007261: xm_clamav_scan( 2425): [74.121.52.251], [AS19795], Response from ClamAV daemon [ENGINE VERSION MISMATCH: devel-11aaa24dd != 0.103.7. ERROR]
>
> It seems that your libclamav is from a different build than your clamd.

Yeah. :) I don't know how, though.

> The number on the right is the version number for clamd. The
> 0.103.7 version is what I would expect.

Ack.

> The number on the left is the version number for libclamav. The
> short-hash represents this git commit:
> https://github.com/cisco-Talos/clamav/commit/11aaa24dd. This is a
> different version string, and even different commit hash, than I
> would expect.

Agh.

> The release materials for 0.103.7-2 were generated from our
> rel/0.103 branch
> https://github.com/Cisco-Talos/clamav/commits/rel/0.103 so I would
> at least think that hash would be 416cd0b78.

Am I using the right tarball?

$ ls -l clamav-0.103.7.tar.gz
-rw-r--r-- 1 ged ged 16501741 Jul 26 22:54 clamav-0.103.7.tar.gz
$ md5sum clamav-0.103.7.tar.gz
9138e4678fabfb39bbe1844001ff4815 clamav-0.103.7.tar.gz

I grabbed it from the download page. Your mail said the old versions
were hidden, but the date there looks wrong and it doesn't have the
suffix -2. It's still the same on the download page as I write.

> Of course, I would actually expect the version to be 0.103.7 for
> both, and not have the hash.

The code in .../clamd/session.c is

    if (strcmp(engine_ver, clamd_ver)) {
        mdprintf(desc, "ENGINE VERSION MISMATCH: %s != %s. ERROR%c",
                 engine_ver, clamd_ver, term);
        return;
    }

so it's going to die anyway for *any* commit hash for engine_ver. :(

> If I remember correctly, the version string showing a commit hash
> means that clamav was built from within a Git clone directory,
> rather than building from an un-tarred source tarball. By chance
> did you build and install libclamav from a git clone?

No, all from source. I don't remember using git to build ClamAV at
any time. There isn't even a git executable on the machine which is
running this clamd. I think last time I built 0.103.x it was with
autotools. This time I tried CMake which seemed to work and then it
all went pear-shaped at runtime. Maybe that's another problem? Or
maybe the main one?

It's an arm7 box, Raspberry Pi 4B. I did try to build 0.105 on there
a few days earlier. That failed, I posted the error at the time.

When I've got more time I'll dig into this but if you can confirm
that the tarball on the download page is wrong that will be a good
place to start.

--

73,
Ged.
Re: [Clamav-announce] New packages for ClamAV 0.103.7, 0.104.4, 0.105.1 to resolve CVE's
Hi there,

On Tue, 1 Nov 2022, G.W. Haywood via clamav-users wrote:
> On Tue, 1 Nov 2022, Micah Snyder (micasnyd) via clamav-users wrote:
>> On Tue, 1 Nov 2022, G.W. Haywood via clamav-users wrote:
>> > On Mon, 31 Oct 2022, Micah Snyder (micasnyd) wrote:
>> >
>> > > Today we are publishing updated packages for ClamAV 0.103.7 ...
>> >
>> > Maybe I've done something stupid...
>> >
>> > Nov 1 17:16:48 mail6 x3[3078]: 2A1HGPGJ007261: xm_clamav_scan( 2425):
>> > [74.121.52.251], [AS19795], Response from ClamAV daemon [ENGINE VERSION
>> > MISMATCH: devel-11aaa24dd != 0.103.7. ERROR]
>>
>> It seems that your libclamav is from a different build than your clamd.
>
> Yeah. :) I don't know how, though.
> ...
> Am I using the right tarball?
>
> $ ls -l clamav-0.103.7.tar.gz
> -rw-r--r-- 1 ged ged 16501741 Jul 26 22:54 clamav-0.103.7.tar.gz
> $ md5sum clamav-0.103.7.tar.gz
> 9138e4678fabfb39bbe1844001ff4815 clamav-0.103.7.tar.gz
> ...
> ... last time I built 0.103.x it was with autotools. This time I
> tried CMake which seemed to work ...
> ...
> ... if you can confirm that the tarball on the download page is
> wrong that will be a good place to start.

FWIW the problem went away when I used autotools instead of CMake:

Nov 2 10:38:40 mail6 x3[3051]: 2A2AcRf6010225: xm_clamav_scan( 2425): [92.52.217.165], [AS208708], Response from ClamAV daemon [ClamAV 0.103.7/26708/Wed Nov 2 07:51:42 2022] ...

I still don't like the look of that tarball.

--

73,
Ged.
Re: [Clamav-announce] New packages for ClamAV 0.103.7, 0.104.4, 0.105.1 to resolve CVE's
Ged,

Augh indeed! It looks like the clamav-0.105.1.tar.gz (and sig file) were the only files not correctly hidden. The -2 variant is available right next to it though. The old one is hidden, now.

As for 0.103.7, the tarball has not changed at all. Only 0.105.1's source tarball was updated, because of bug fixes in Rust vendored dependencies in that tarball.

For 0.103.7, only the installer packages (RPM, DEB, PKG, ZIP, MSI) have been updated. So, there is no need to rebuild the 0.103.7 source tarball unless you also built ClamAV using static library dependencies. If you're using distro-provided shared libraries in your build, they would be updated separately from ClamAV, and you just want to make sure those are up-to-date with their latest package revisions.

> FWIW the problem went away when I used autotools instead of CMake:

Oh! Yes, CMake for 0.103 was experimental. Honestly, I had forgotten it even existed for 0.103 until you said something. I am not surprised that there is an issue there. It is much more stable in 0.104 and later.

I'm glad you have everything working again.

Regards,
Micah



Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
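
The version check discussed in this thread, turned into a log triage helper. This is an added example, not part of the original messages and not ClamAV code: it parses the clamd reply embedded in a log line, reports which side is libclamav and which is clamd, and extracts a git short hash from the libclamav string when present. The function and variable names are assumptions, and the reply formats are taken only from the two log lines and the mdprintf() call quoted above.

```python
import re

# Error clamd returns when libclamav's version string differs from its own;
# format taken from the mdprintf() call quoted in the thread.
MISMATCH_RE = re.compile(
    r"ENGINE VERSION MISMATCH: (?P<engine>\S+) != (?P<clamd>\S+)\. ERROR")
# Normal reply as seen in the second log line: "ClamAV <ver>/<db>/<db date>".
VERSION_RE = re.compile(r"ClamAV (?P<ver>[^/\s\]]+)/(?P<db>\d+)/")
# Version string ending in a git short hash, e.g. "devel-11aaa24dd".
GIT_SUFFIX_RE = re.compile(r"-(?P<commit>[0-9a-f]{7,40})$")


def classify(line):
    """Return a finding for one log line, or None if it has no clamd reply."""
    m = MISMATCH_RE.search(line)
    if m:
        git = GIT_SUFFIX_RE.search(m["engine"])
        return {
            "status": "mismatch",
            "libclamav": m["engine"],  # left of "!=", per the thread
            "clamd": m["clamd"],       # right of "!="
            "libclamav_commit": git["commit"] if git else None,
        }
    m = VERSION_RE.search(line)
    if m:
        return {"status": "ok", "clamd": m["ver"], "db": int(m["db"])}
    return None


def last_status(lines):
    """Status of the most recent clamd reply in the log, or 'unknown'."""
    findings = [f for f in map(classify, lines) if f]
    return findings[-1]["status"] if findings else "unknown"


# The two log lines posted in the thread, plus one constructed unrelated line.
SAMPLE_LOG = [
    "Nov 1 17:16:48 mail6 x3[3078]: 2A1HGPGJ007261: xm_clamav_scan( 2425): "
    "[74.121.52.251], [AS19795], Response from ClamAV daemon "
    "[ENGINE VERSION MISMATCH: devel-11aaa24dd != 0.103.7. ERROR]",
    "Nov 2 10:38:00 mail6 x3[3051]: constructed line with no clamd reply",
    "Nov 2 10:38:40 mail6 x3[3051]: 2A2AcRf6010225: xm_clamav_scan( 2425): "
    "[92.52.217.165], [AS208708], Response from ClamAV daemon "
    "[ClamAV 0.103.7/26708/Wed Nov 2 07:51:42 2022] ...",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
    print("latest:", last_status(SAMPLE_LOG))
```

A "mismatch" as the latest status means clamd is answering with the error string rather than a version or scan reply, so it is worth alerting on after any rebuild or upgrade.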
