action #156733
closed[security][15-SP6] test fails in clamav
100%
Description
All platforms:
- https://openqa.suse.de/tests/13714722
- https://openqa.suse.de/tests/13711118
- https://openqa.suse.de/tests/13711974
- https://openqa.suse.de/tests/13713023
- https://openqa.suse.de/tests/13712754
ERROR: Verification: Can't allocate memory
Giving up on http://openqa.oqa.prg2.suse.org/assets/repo/cvd...
ERROR: Update failed for database: daily
ERROR: Database update process failed: Invalid or corrupted CVD/CLD database
ERROR: Update failed.
Updated by tjyrinki_suse 11 months ago
- Status changed from New to Workable
- Start date deleted (
2024-03-06)
Updated by tjyrinki_suse 11 months ago
- Subject changed from [security][SP6] test fails in clamav to [security][15-SP6] test fails in clamav
Updated by emiler 11 months ago
MD5 is disabled in FIPS, hence the error, which is caused during file verification.
In this case, the Can't allocate memory error is somewhat of a red herring. The true issue is that when FIPS mode is active, non–FIPS-approved hashing algorithms are disabled, and that includes MD5, which ClamAV uses extensively internally.
Updated by emiler 11 months ago · Edited
Possible cause: https://build.suse.de/package/rdiff/SUSE:Factory:Head/clamav?linkrev=base&rev=105
Timestamps are on point. Change happened on 26th, first fail on 28th (first build since).
Updated by emiler 11 months ago · Edited
- Status changed from Workable to Feedback
Bug reported in https://bugzilla.suse.com/show_bug.cgi?id=1221954
Updated by openqa_review 8 months ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_tool
https://openqa.suse.de/tests/14459784#step/git/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by amanzini 5 months ago
- Status changed from Resolved to Blocked
issue is still present; in my opinion we need to either
- exclude clamav from FIPS testing (until clamav will be FIPS compliant again)
or
- since some progress has been made on the upstream, try to experiment with newer clamav hash signatures https://docs.clamav.net/manual/Signatures/HashSignatures.html#sha1-and-sha256-hash-based-signatures
Updated by pstivanin 5 months ago
- % Done changed from 0 to 100
- Estimated time changed from 8.00 h to 1.00 h
since the proposed upstream PR has not been merged and/or backported, I'd prefer we disable clamav for now on 15.6+: https://gitlab.suse.de/qe-security/osd-sle15-security/-/merge_requests/281
Updated by amanzini about 2 months ago · Edited
test fails on 15-SP7 as well; https://openqa.suse.de/tests/16175469
In the meantime some progress has been done on upstream https://github.com/Cisco-Talos/clamav/issues/564#issuecomment-2318234501 , new CLAMAV version with FIPS support should be released by the end of the year