[Pkg-clamav-devel] Bug#588599: /usr/bin/freshclam: freshclam tries to mmap() with READ/WRITE/EXECUTE access

Russell Coker russell at coker.com.au
Sat Jul 10 04:49:28 UTC 2010


Package: clamav-freshclam
Version: 0.96.1+dfsg-1~volatile1
Severity: normal
File: /usr/bin/freshclam

type=AVC msg=audit(1278729355.797:22750): avc:  denied  { execmem } for  pid=2649 comm="freshclam" scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:system_r:freshclam_t:s0 tclass=process
type=SYSCALL msg=audit(1278729355.797:22750): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=2649 auid=4294967295 uid=104 gid=108 euid=104 suid=104 fsuid=104 egid=108 sgid=108 fsgid=108 tty=(none) ses=4294967295 comm="freshclam" exe="/usr/bin/freshclam" subj=system_u:system_r:freshclam_t:s0 key=(null)

The above messages are logged when running this on a SE Linux system.  It
appears to work correctly anyway, so it seems that the code has some fallback
option for when execmem is denied.

I can't think of a good reason for a program to have write/execute access to
memory when all it does is download data from the network.  Allowing such
access makes it easier for an attacker to gain control of the process and we
don't want to allow it if we can avoid it.


-- Package-specific info:
--- configuration ---
Checking configuration files in /etc/clamav

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamav/clamav.log"
LogFileUnlock disabled
LogFileMaxSize disabled
LogTime = "yes"
LogClean disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
PidFile = "/var/run/clamav/clamd.pid"
TemporaryDirectory disabled
DatabaseDirectory = "/var/lib/clamav"
OfficialDatabaseOnly disabled
LocalSocket = "/var/run/clamav/clamd.ctl"
LocalSocketGroup = "clamav"
LocalSocketMode = "666"
FixStaleSocket = "yes"
TCPSocket disabled
TCPAddr disabled
MaxConnectionQueueLength = "15"
StreamMaxLength = "10485760"
StreamMinPort = "1024"
StreamMaxPort = "2048"
MaxThreads = "12"
ReadTimeout = "180"
CommandReadTimeout = "5"
SendBufTimeout = "200"
MaxQueue = "100"
IdleTimeout = "30"
ExcludePath disabled
MaxDirectoryRecursion = "15"
FollowDirectorySymlinks disabled
FollowFileSymlinks disabled
CrossFilesystems = "yes"
SelfCheck = "3600"
VirusEvent disabled
ExitOnOOM disabled
Foreground disabled
Debug disabled
LeaveTemporaryFiles disabled
User = "clamav"
AllowSupplementaryGroups = "yes"
Bytecode = "yes"
BytecodeSecurity = "TrustSigned"
BytecodeTimeout = "60000"
DetectPUA disabled
ExcludePUA disabled
IncludePUA disabled
AlgorithmicDetection = "yes"
ScanPE = "yes"
ScanELF = "yes"
DetectBrokenExecutables disabled
ScanMail = "yes"
ScanPartialMessages disabled
PhishingSignatures = "yes"
PhishingScanURLs = "yes"
PhishingAlwaysBlockCloak disabled
PhishingAlwaysBlockSSLMismatch disabled
HeuristicScanPrecedence disabled
StructuredDataDetection disabled
StructuredMinCreditCardCount = "3"
StructuredMinSSNCount = "3"
StructuredSSNFormatNormal = "yes"
StructuredSSNFormatStripped disabled
ScanHTML = "yes"
ScanOLE2 = "yes"
ScanPDF = "yes"
ScanArchive = "yes"
ArchiveBlockEncrypted disabled
MaxScanSize = "104857600"
MaxFileSize = "26214400"
MaxRecursion = "16"
MaxFiles = "10000"
ClamukoScanOnAccess disabled
ClamukoScannerCount = "3"
ClamukoScanOnOpen disabled
ClamukoScanOnClose disabled
ClamukoScanOnExec disabled
ClamukoIncludePath disabled
ClamukoExcludePath disabled
ClamukoMaxFileSize = "5242880"
DevACOnly disabled
DevACDepth disabled

Config file: freshclam.conf
---------------------------
LogFileMaxSize disabled
LogTime disabled
LogSyslog disabled
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
PidFile = "/var/run/clamav/freshclam.pid"
DatabaseDirectory = "/var/lib/clamav/"
Foreground disabled
Debug disabled
AllowSupplementaryGroups disabled
UpdateLogFile = "/var/log/clamav/freshclam.log"
DatabaseOwner = "clamav"
Checks = "24"
DNSDatabaseInfo = "current.cvd.clamav.net"
DatabaseMirror = "db.local.clamav.net", "database.clamav.net"
MaxAttempts = "5"
ScriptedUpdates = "yes"
TestDatabases = "yes"
CompressLocalDatabase disabled
ExtraDatabase disabled
HTTPProxyServer disabled
HTTPProxyPort disabled
HTTPProxyUsername disabled
HTTPProxyPassword disabled
HTTPUserAgent disabled
NotifyClamd = "/etc/clamav/clamd.conf"
OnUpdateExecute disabled
OnErrorExecute disabled
OnOutdatedExecute disabled
LocalIPAddress disabled
ConnectTimeout = "30"
ReceiveTimeout = "30"
SubmitDetectionStats disabled
DetectionStatsCountry disabled
DetectionStatsHostID disabled
SafeBrowsing disabled
Bytecode = "yes"

Config file: clamav-milter.conf
-------------------------------
LogFile = "/var/log/clamav/clamav-milter.log"
LogFileUnlock disabled
LogFileMaxSize disabled
LogTime = "yes"
LogSyslog = "yes"
LogFacility = "LOG_LOCAL6"
LogVerbose disabled
PidFile = "/var/run/clamav/clamav-milter.pid"
TemporaryDirectory = "/tmp"
FixStaleSocket = "yes"
MaxThreads = "10"
ReadTimeout = "180"
Foreground disabled
User = "clamav"
AllowSupplementaryGroups = "yes"
MaxFileSize = "26214400"
ClamdSocket = "unix:/var/run/clamav/clamd.ctl"
MilterSocket = "/var/run/clamav/milter.ctl"
MilterSocketGroup = "clamav"
MilterSocketMode = "666"
LocalNet disabled
OnClean = "Accept"
OnInfected = "Reject"
OnFail = "Defer"
RejectMsg disabled
AddHeader = "Replace"
ReportHostname disabled
VirusAction disabled
Chroot disabled
Whitelist disabled
SkipAuthenticated disabled
LogInfected = "Off"

Software settings
-----------------
Version: devel-debian/0.95+dfsg-1-6274-g18d94d0
WARNING: Version mismatch: libclamav=devel-debian/0.95+dfsg-1-6274-g18d94d0, clamconf=0.96.1
Optional features supported: MEMPOOL IPv6 FRESHCLAM_DNS_FIX AUTOIT_EA06 BZIP2 JIT
Database directory: /var/lib/clamav/
WARNING: freshclam.conf and clamd.conf point to different database directories
main.cld: version 52, sigs: 704727, built on Mon Feb 15 14:54:51 2010
daily.cld: version 11347, sigs: 102318, built on Sat Jul 10 01:48:10 2010
bytecode.cld: version 31, sigs: 7, built on Thu Jul  8 16:46:51 2010

Platform information
--------------------
uname: Linux 2.6.18-194.3.1.el5xen #1 SMP Thu May 13 13:49:53 EDT 2010 x86_64
OS: linux-gnu, ARCH: x86_64, CPU: x86_64
zlib version: 1.2.3.3 (1.2.3.3), compile flags: a9

Build information
-----------------
GNU C: 4.3.2 (4.3.2)
GNU C++: 4.3.2 (4.3.2)
CPPFLAGS: 
CFLAGS: -Wall -g -O2
CXXFLAGS: -Wall -g -O2
LDFLAGS: 
Configure: '--build=x86_64-linux-gnu' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-clamav' '--with-dbdir=/var/lib/clamav/' '--sysconfdir=/etc/clamav' '--enable-milter' '--disable-clamuko' '--with-gnu-ld' '--enable-dns-fix' '--disable-unrar' '--libdir=/usr/lib' '--with-system-tommath' '--with-ltdl-include=/usr/include' '--with-ltdl-lib=/usr/lib' '--config-cache' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-Wall -g -O2' 'LDFLAGS=' 'CPPFLAGS='

--- data dir ---
total 61592
-rw-r--r-- 1 clamav clamav    73728 Jul  8 17:35 bytecode.cld
-rw-r--r-- 1 clamav clamav  6222848 Jul 10 02:35 daily.cld
-rw-r--r-- 1 clamav clamav 56671744 Feb 15 17:27 main.cld
-rw------- 1 clamav clamav     2756 Jul 10 04:35 mirrors.dat

-- System Information:
Debian Release: squeeze/sid
  APT prefers lenny-backports
  APT policy: (500, 'lenny-backports'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.18-194.3.1.el5xen (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages clamav-freshclam depends on:
ii  clamav-base      0.96.1+dfsg-1~volatile1 anti-virus utility for Unix - base
ii  debconf [debconf 1.5.24                  Debian configuration management sy
ii  libc6            2.7-18lenny4            GNU C Library: Shared libraries
ii  libclamav6       0.96.1+dfsg-1~volatile1 anti-virus utility for Unix - libr
ii  logrotate        3.7.1-5                 Log rotation utility
ii  lsb-base         3.2-20                  Linux Standard Base 3.2 init scrip
ii  ucf              3.0016                  Update Configuration File: preserv
ii  zlib1g           1:1.2.3.3.dfsg-12       compression library - runtime

clamav-freshclam recommends no packages.

Versions of packages clamav-freshclam suggests:
pn  clamav-docs                   <none>     (no description available)

-- debconf information:
  clamav-freshclam/http_proxy:
  clamav-freshclam/autoupdate_freshclam: daemon
  clamav-freshclam/proxy_user:
  clamav-freshclam/update_interval: 24
  clamav-freshclam/NotifyClamd: false
  clamav-freshclam/local_mirror: db.local.clamav.net
  clamav-freshclam/internet_interface:
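The AVC and SYSCALL records at the top of this report carry everything needed to see why SE Linux raised execmem: on x86_64 (arch=c000003e) syscall 9 is mmap, a2=7 is PROT_READ|PROT_WRITE|PROT_EXEC and a3=22 is MAP_PRIVATE|MAP_ANONYMOUS, i.e. an anonymous writable-and-executable mapping, which is exactly what the execmem permission governs, and exit=-13 is EACCES. The script below is an added example, not code from the reporter or from the clamav package: it pairs AVC denials with their SYSCALL record by audit serial and decodes the mmap/mprotect arguments. Its syscall table is assumed to apply only to arch c000003e; the sample log is the report's own two records, re-joined onto one line each as auditd writes them.

```python
import errno
import re

# Constructed sample input: the two records quoted in the report, each re-joined
# onto one line (auditd writes one record per line; the mail client wrapped them).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1278729355.797:22750): avc:  denied  { execmem } for  pid=2649 comm="freshclam" scontext=system_u:system_r:freshclam_t:s0 tcontext=system_u:system_r:freshclam_t:s0 tclass=process
type=SYSCALL msg=audit(1278729355.797:22750): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=7 a3=22 items=0 ppid=1 pid=2649 auid=4294967295 uid=104 gid=108 euid=104 suid=104 fsuid=104 egid=108 sgid=108 fsgid=108 tty=(none) ses=4294967295 comm="freshclam" exe="/usr/bin/freshclam" subj=system_u:system_r:freshclam_t:s0 key=(null)
"""

# <sys/mman.h> values on Linux; a0..a3 in a SYSCALL record are hex without "0x".
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
# arch=c000003e is AUDIT_ARCH_X86_64; the numbers below are assumed valid only for it.
X86_64_ARCH = "c000003e"
X86_64_SYSCALLS = {9: "mmap", 10: "mprotect"}

_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def decode_flags(value, table):
    """Return symbolic names for the bits set in value, plus any unknown remainder as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return names


def parse_record(line):
    """Split one audit record into key=value fields; AVC lines also get decision and perms."""
    m = _MSG_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    rec = {"type": fields.get("type"), "serial": int(m.group(2)), "fields": fields}
    avc = _AVC_RE.search(line)
    if avc:
        rec["decision"] = avc.group(1)
        rec["perms"] = avc.group(2).split()
    return rec


def parse_audit_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def explain_execmem_denials(records):
    """Pair each execmem AVC denial with its SYSCALL record and decode the mmap/mprotect call."""
    by_serial = {}
    for rec in records:
        by_serial.setdefault(rec["serial"], []).append(rec)
    findings = []
    for serial, recs in sorted(by_serial.items()):
        avc = next((r for r in recs if r["type"] == "AVC" and r.get("decision") == "denied"), None)
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if avc is None or "execmem" not in avc.get("perms", []) or sc is None:
            continue
        f = sc["fields"]
        if f.get("arch") != X86_64_ARCH:
            continue  # the syscall table above does not apply to other arches
        name = X86_64_SYSCALLS.get(int(f["syscall"]))
        if name is None:
            continue
        prot = decode_flags(int(f["a2"], 16), PROT_BITS)  # a2 is prot for both mmap and mprotect
        finding = {
            "serial": serial,
            "comm": f.get("comm"),
            "exe": f.get("exe"),
            "scontext": avc["fields"].get("scontext"),
            "syscall": name,
            "length": int(f["a1"], 16),
            "prot": prot,
            # exit=-13 means the kernel returned -EACCES to the caller
            "errno": errno.errorcode.get(-int(f["exit"])) if f.get("success") == "no" else None,
            "writable_and_executable": {"PROT_WRITE", "PROT_EXEC"} <= set(prot),
        }
        if name == "mmap":
            flags = decode_flags(int(f["a3"], 16), MAP_BITS)
            finding["flags"] = flags
            finding["anonymous"] = "MAP_ANONYMOUS" in flags
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for fnd in explain_execmem_denials(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(fnd)
```

Run against the report's records it yields one finding: mmap of 4096 bytes, PROT_READ|PROT_WRITE|PROT_EXEC on a MAP_PRIVATE|MAP_ANONYMOUS region, refused with EACCES. A writable anonymous mapping that is also executable is the case the execmem permission exists to deny, and success=no together with the process carrying on is consistent with the fallback the reporter observed. On a box with the audit tools installed, ausearch -i gives a comparable decoding; this script does it offline from pasted log lines.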
