action #156733
closed: [security][15-SP6] test fails in clamav
100%
Description
All platforms:
- https://openqa.suse.de/tests/13714722
- https://openqa.suse.de/tests/13711118
- https://openqa.suse.de/tests/13711974
- https://openqa.suse.de/tests/13713023
- https://openqa.suse.de/tests/13712754
ERROR: Verification: Can't allocate memory
Giving up on http://openqa.oqa.prg2.suse.org/assets/repo/cvd...
ERROR: Update failed for database: daily
ERROR: Database update process failed: Invalid or corrupted CVD/CLD database
ERROR: Update failed.
Updated by tjyrinki_suse 10 months ago
- Status changed from New to Workable
- Start date deleted (2024-03-06)
Updated by tjyrinki_suse 10 months ago
- Subject changed from [security][SP6] test fails in clamav to [security][15-SP6] test fails in clamav
Updated by emiler 9 months ago
MD5 is disabled in FIPS, hence the error, which is caused during file verification.
In this case, the Can't allocate memory error is somewhat of a red herring. The true issue is that when FIPS mode is active, non–FIPS-approved hashing algorithms are disabled, and that includes MD5, which ClamAV uses extensively internally.
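Added example, not part of the ticket and not ClamAV's code: a Python sketch of the failure mode described above, in which a blocked MD5 makes database verification fail even though the file is intact. It assumes the CVD layout of a 512-byte colon-separated ASCII header with the body's MD5 in the sixth field; `check_cvd`, `blocked_md5` and `make_sample` are hypothetical names, and the sample database is constructed.

```python
import hashlib

HEADER_LEN = 512  # assumed CVD layout: fixed 512-byte ASCII header, then the archive body


def parse_cvd_header(blob):
    """Split the colon-separated header; field 5 is the MD5 of the body."""
    fields = blob[:HEADER_LEN].decode("ascii", "replace").strip().split(":")
    if len(fields) < 8 or fields[0] != "ClamAV-VDB":
        raise ValueError("not a CVD header")
    return {"version": int(fields[2]), "sigs": int(fields[3]), "md5": fields[5].lower()}


def fips_enabled(path="/proc/sys/crypto/fips_enabled"):
    """Linux kernel FIPS flag; a missing file is treated as 'off'."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def check_cvd(blob, md5_factory=hashlib.md5):
    """Return 'ok', 'corrupt' or 'digest-unavailable' for a CVD blob."""
    header = parse_cvd_header(blob)
    try:
        digest = md5_factory()  # raises ValueError when the crypto policy blocks MD5
    except ValueError:
        return "digest-unavailable"
    digest.update(blob[HEADER_LEN:])
    return "ok" if digest.hexdigest() == header["md5"] else "corrupt"


def blocked_md5():
    """Stand-in for hashlib.md5 on a FIPS host (constructed for this example)."""
    raise ValueError("[digital envelope routines] unsupported")


def make_sample(body=b"constructed sample body, not a real database"):
    """Build a constructed CVD-like blob whose header carries the body's MD5."""
    md5 = hashlib.md5(body, usedforsecurity=False).hexdigest()
    header = f"ClamAV-VDB:01 Jan 2024 00-00 +0000:1:0:90:{md5}:sig:builder:0"
    return header.encode().ljust(HEADER_LEN) + body


if __name__ == "__main__":
    sample = make_sample()
    print("FIPS flag:", fips_enabled())
    print("normal host:", check_cvd(sample))
    print("MD5 blocked:", check_cvd(sample, blocked_md5))
    print("tampered:", check_cvd(sample + b"x"))
```

Reporting "digest-unavailable" separately from "corrupt" keeps a crypto-policy failure from being triaged as a damaged download or a memory problem.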
Updated by emiler 9 months ago · Edited
Possible cause: https://build.suse.de/package/rdiff/SUSE:Factory:Head/clamav?linkrev=base&rev=105
Timestamps are on point. Change happened on 26th, first fail on 28th (first build since).
Updated by emiler 9 months ago · Edited
- Status changed from Workable to Feedback
Bug reported in https://bugzilla.suse.com/show_bug.cgi?id=1221954
Updated by openqa_review 7 months ago
This is an autogenerated message for openQA integration by the openqa_review script:
This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_tool
https://openqa.suse.de/tests/14459784#step/git/1
To prevent further reminder comments one of the following options should be followed:
- The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
- The openQA job group is moved to "Released" or "EOL" (End-of-Life)
- The bugref in the openQA scenario is removed or replaced, e.g.
label:wontfix:boo1234
Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.
Updated by amanzini 4 months ago
- Status changed from Resolved to Blocked
The issue is still present; in my opinion we need to either
- exclude clamav from FIPS testing (until clamav is FIPS compliant again)
or
- since some progress has been made upstream, try to experiment with newer clamav hash signatures https://docs.clamav.net/manual/Signatures/HashSignatures.html#sha1-and-sha256-hash-based-signatures
Updated by pstivanin 4 months ago
- % Done changed from 0 to 100
- Estimated time changed from 8.00 h to 1.00 h
Since the proposed upstream PR has not been merged and/or backported, I'd prefer we disable clamav for now on 15.6+: https://gitlab.suse.de/qe-security/osd-sle15-security/-/merge_requests/281
Updated by amanzini 13 days ago · Edited
The test fails on 15-SP7 as well: https://openqa.suse.de/tests/16175469
In the meantime some progress has been made upstream (https://github.com/Cisco-Talos/clamav/issues/564#issuecomment-2318234501); a new ClamAV version with FIPS support should be released by the end of the year.