action #156733: [security][15-SP6] test fails in clamav - openQA Tests (public) - openSUSE Project Management Tool

Custom queries

All open Feature tests
openQA Infrastructure Project
openqa-review - Closed tickets last updated by openqa-review, last 30 days
QA roadmap long-term
QA SLE functional
QA SLE Functional - closed in last 14 days
QA SLE Functional - High, need to be refined
QA SLE Functional - over cycle time median
QA SLE u
QA SLE y
QA tools (tag not necessary in openQA and subprojects)
QA tools tag (tag not necessary in openQA and subprojects; excluding tickets in "Ready" version as they are already on the backlog)
QAC - Backlog
QAM
QE tools team - backlog (dev)
QE tools team - backlog (ready issues)
QE tools team - backlog SLA high
QE tools team - backlog SLA immediate
QE tools team - backlog SLA no immediate/urgent in feedback/blocked
QE tools team - backlog SLA normal
QE tools team - backlog SLA urgent
QE tools team - backlog SLO high
QE tools team - backlog SLO normal
QE tools team - backlog SLO urgent
QE tools team - backlog, high-level view (epics and higher)
QE tools team - backlog, non-reactive work, needs parent
QE tools team - backlog, top-level view (all sagas)
QE tools team - closed within last 14 days
QE tools team - closed within last 60 days
QE tools team - closed yesterday
QE Tools Team - Collaborative Session
QE tools team - due date forecast
QE tools team - exceeding due-date
QE tools team - infrastructure backlog
QE tools team - next - sorted by update time
QE tools team - next issues
QE tools team - non-estimated (unblocked) issues (dev)
QE tools team - non-estimated (unblocked) issues (infra)
QE tools team - ready issues - Workable
QE tools team - ready, not assigned/blocked/low
QE tools team - SLO high forecast
QE tools team - update forecast
QE tools team - updated by priority
QE tools team - what members of the team are working on - Feedback (not-low)
QE Tools Team Backlog By Assignee
SLE15 Migration Open Tickets
SLE15 SP1 Migration Open Tickets
SLE15SP3 Migration open ticket
SLE15SP3 Security open ticket
Tools Team Retrospective
Tools Team Retrospective (not estimated or assigned)

Actions

Copy link

action #156733

closed

[security][15-SP6] test fails in clamav

Added by emiler 10 months ago. Updated 14 days ago.

Status:

Resolved

Priority:

Normal

Assignee:

pstivanin

Category:

Bugs in existing tests

Target version:

Start date:

Due date:

% Done:

100%

Estimated time:

1.00 h

Difficulty:

Tags:

fail

Description

All platforms:

https://openqa.suse.de/tests/13714722
https://openqa.suse.de/tests/13711118
https://openqa.suse.de/tests/13711974
https://openqa.suse.de/tests/13713023
https://openqa.suse.de/tests/13712754

ERROR: Verification: Can't allocate memory
Giving up on http://openqa.oqa.prg2.suse.org/assets/repo/cvd...
ERROR: Update failed for database: daily
ERROR: Database update process failed: Invalid or corrupted CVD/CLD database
ERROR: Update failed.

History
Notes
Property changes

Actions

Copy link

Updated by emiler 10 months ago

Description updated (diff)

Actions

Copy link

Updated by emiler 10 months ago

Perhaps running out of disk space?

Actions

Copy link

Updated by tjyrinki_suse 10 months ago

Estimated time set to 8.00 h

Actions

Copy link

Updated by tjyrinki_suse 10 months ago

Status changed from New to Workable
Start date deleted (~~2024-03-06~~)

Actions

Copy link

Updated by tjyrinki_suse 10 months ago

Subject changed from [security][SP6] test fails in clamav to [security][15-SP6] test fails in clamav

Actions

Copy link

Updated by emiler 9 months ago

Assignee set to emiler

Actions

Copy link

Updated by emiler 9 months ago

MD5 is disabled in FIPS, hence the error, which is caused during file verification.

In this case, the Can't allocate memory error is somewhat of a red herring. The true issue is that when FIPS mode is active, non–FIPS-approved hashing algorithms are disabled, and that includes MD5, which ClamAV uses extensively internally.

https://github.com/Cisco-Talos/clamav/issues/564
https://bugzilla.redhat.com/show_bug.cgi?id=1766382
https://build.opensuse.org/projects/home:alveus:main/packages/clamav/files/clamav-fips.patch

Actions

Copy link

Updated by emiler 9 months ago

This started happening in build 59.2. Is it possible we were patching clamav ourselves and stopped patching it for some reason?

Actions

Copy link

Updated by emiler 9 months ago · Edited

Possible cause: https://build.suse.de/package/rdiff/SUSE:Factory:Head/clamav?linkrev=base&rev=105
Timestamps are on point. Change happened on 26th, first fail on 28th (first build since).

Actions

Copy link

#10

Updated by emiler 9 months ago · Edited

Status changed from Workable to Feedback

Bug reported in https://bugzilla.suse.com/show_bug.cgi?id=1221954

Actions

Copy link

#11

Updated by openqa_review 7 months ago

This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: fips_env_mode_tests_crypt_tool
https://openqa.suse.de/tests/14459784#step/git/1

To prevent further reminder comments one of the following options should be followed:

The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
The openQA job group is moved to "Released" or "EOL" (End-of-Life)
The bugref in the openQA scenario is removed or replaced, e.g. label:wontfix:boo1234

Expect the next reminder at the earliest in 28 days if nothing changes in this ticket.

Actions

Copy link

#12

Updated by emiler 5 months ago

Status changed from Feedback to Resolved

ClamAV is not FIPS compliant at the moment. See the bug report for more details.
Closing.

Actions

Copy link

#13

Updated by amanzini 4 months ago

Status changed from Resolved to Blocked

issue is still present; in my opinion we need to either

exclude clamav from FIPS testing (until clamav will be FIPS compliant again)

since some progress has been made on the upstream, try to experiment with newer clamav hash signatures https://docs.clamav.net/manual/Signatures/HashSignatures.html#sha1-and-sha256-hash-based-signatures

Actions

Copy link

#14

Updated by pstivanin 4 months ago

Status changed from Blocked to In Progress
Assignee changed from emiler to pstivanin

Actions

Copy link

#16

Updated by pstivanin 4 months ago

% Done changed from 0 to 100
Estimated time changed from 8.00 h to 1.00 h

since the proposed upstream PR has not been merged and/or backported, I'd prefer we disable clamav for now on 15.6+: https://gitlab.suse.de/qe-security/osd-sle15-security/-/merge_requests/281

Actions

Copy link

#17

Updated by pstivanin 4 months ago

Status changed from In Progress to Resolved

Actions

Copy link

#18

Updated by amanzini 14 days ago · Edited

test fails on 15-SP7 as well; https://openqa.suse.de/tests/16175469

In the meantime some progress has been done on upstream https://github.com/Cisco-Talos/clamav/issues/564#issuecomment-2318234501 , new CLAMAV version with FIPS support should be released by the end of the year

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

QA (public) » openQA Project (public) » openQA Tests (public)

Tags

Custom queries

action #156733

[security][15-SP6] test fails in clamav

Updated by emiler 10 months ago

Updated by emiler 10 months ago

Updated by tjyrinki_suse 10 months ago

Updated by tjyrinki_suse 10 months ago

Updated by tjyrinki_suse 10 months ago

Updated by emiler 9 months ago

Updated by emiler 9 months ago

Updated by emiler 9 months ago

Updated by emiler 9 months ago · Edited

Updated by emiler 9 months ago · Edited

Updated by openqa_review 7 months ago

Updated by emiler 5 months ago

Updated by amanzini 4 months ago

Updated by pstivanin 4 months ago

Updated by pstivanin 4 months ago

Updated by pstivanin 4 months ago

Updated by amanzini 14 days ago · Edited