This issue was fixed 0.104.0 with this commit: https://github.com/Cisco-Talos/clamav/commit/13af789f4ed [https://opengraph.githubassets.com/832a364ece5b84d063f57a0a4f1aec496fb43823732d1d7dfc4c77a76c91ddd2/Cisco-Talos/clamav/commit/13af789f4eda8b7b65d4ddacc2c0b3cd91e4e152]<https://github.com/Cisco-Talos/clamav/commit/13af789f4ed> SigTool: fix insufficient buffer size for --list-sigs · Cisco-Talos/clamav@13af789<https://github.com/Cisco-Talos/clamav/commit/13af789f4ed> SigTool's --list-sigs feature can't handle long LDB signatures because the buffer size was wrong. github.com
Ex: ❯ ./0.103.3/bin/sigtool -l|tail Doc.Malware.Valyria-6923115-0 Xls.Malware.Generic-6923116-0 Doc.Malware.00536d-6923117-0 Doc.Malware.Valyria-6923118-0 Xls.Malware.Sload-6923119-0 Xls.Downloader.Powload-6923120-0 ERROR: listdb: Malformed pattern line 32300 (file /tmp/clamav-eb5a59fe3b37724270fffea9a6c9e791.tmp/main.ldb) ERROR: listdb: Error listing database /tmp/clamav-eb5a59fe3b37724270fffea9a6c9e791.tmp/main.ldb ERROR: listdb: Can't list directory /home/micasnyd/clams/0.103.3/share/clamav/main.cld ERROR: listdb: Error listing database /home/micasnyd/clams/0.103.3/share/clamav/main.cld ❯ ./0.104.1/bin/sigtool -l|tail PUA.Win.Adware.Opencandy-6872345-0 PUA.Win.Adware.Gamevance-6872347-0 PUA.Win.Adware.Opencandy-6872348-0 PUA.Win.Adware.Opencandy-6872350-0 PUA.Win.Adware.Cerbu-6872355-0 PUA.Win.Adware.Ursu-6873464-0 PUA.Win.Trojan.Scriptkd-6876283-0 PUA.Win.Downloader.Firseria-6877068-0 PUA.Win.Adware.Softpulse-6877069-0 PUA.Win.Packed.0040eff-6877419-0 Arnaud, if you have a strong need for this fix in 0.103, we can easily backport it in the next patch version. Else you can use 0.104+'s sigtool. Micah Snyder ClamAV Development Talos Cisco Systems, Inc. ________________________________ From: clamav-users <clamav-users-boun...@lists.clamav.net> on behalf of Maarten Broekman via clamav-users <clamav-users@lists.clamav.net> Sent: Wednesday, November 24, 2021 8:33 AM To: ClamAV users ML <clamav-users@lists.clamav.net> Cc: Maarten Broekman <maarten.broek...@gmail.com> Subject: Re: [clamav-users] [ext] ERROR: listdb: Error listing database /var/lib/clamav/daily.cvd I've opened https://github.com/Cisco-Talos/clamav/issues/389 for this issue. The issue shouldn't be causing problems with scanning (it wasn't causing a problem for me), but if it is please add a comment to the issue to that effect. --Maarten On Wed, Nov 24, 2021 at 11:19 AM Maarten Broekman <maarten.broek...@gmail.com<mailto:maarten.broek...@gmail.com>> wrote: On Wed, Nov 24, 2021 at 10:42 AM Maarten Broekman <maarten.broek...@gmail.com<mailto:maarten.broek...@gmail.com>> wrote: On Wed, Nov 24, 2021 at 10:14 AM Ralf Hildebrandt via clamav-users <clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>> wrote: * Arnaud Jacques via clamav-users <clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net>>: > Is it just me, or? Same here: # clamdscan -V ClamAV 0.103.4/26363/Wed Nov 24 10:19:30 2021 # sigtool -l|tail Doc.Malware.Valyria-6923115-0 Xls.Malware.Generic-6923116-0 Doc.Malware.00536d-6923117-0 Doc.Malware.Valyria-6923118-0 Xls.Malware.Sload-6923119-0 Xls.Downloader.Powload-6923120-0 ERROR: listdb: Malformed pattern line 32300 (file /tmp/clamav-2aa50bd01844b36b876433804b298d0b.tmp/main.ldb) ERROR: listdb: Error listing database /tmp/clamav-2aa50bd01844b36b876433804b298d0b.tmp/main.ldb ERROR: listdb: Can't list directory /var/lib/clamav/main.cld ERROR: listdb: Error listing database /var/lib/clamav/main.cld I get the same errors, yet clamscan loads things just fine and sigtool is able to decode the signature on line 32300 (Doc.Trojan.Agent-6923124-0) without a problem. It definitely seems like an issue with the list-sigs functionality though, given the disparity in counts between a count of the lines output by sigtool -l and the number of known viruses reported by clamscan (version 0.103.3). $ sigtool -l | wc -l 6640592 $ clamscan test.txt /Users/mbroekman/Security/test/test.txt: OK ----------- SCAN SUMMARY ----------- Known viruses: 8579605 One curious thing is that the Powload signature is exactly 8192 characters in length. From past experience with older versions of ClamAV, I thought 8k was the size limit for signatures, including the EOL for the database line. I wonder if there's still an issue in the list-sigs functionality around that, since clamscan doesn't report database errors. A little more information: There are only 4 signatures in the main.ldb that are over 8k in size. That powload one is the only one that causes problems. I separated them out into a new file: $ wc -l ./test.ldb 4 ./test.ldb $ cat test.ldb | awk -F\; '{ print $1 }' Doc.Dropper.Generic-6922945-0 Win.Adware.Linkury-16152 Win.Adware.Linkury-16148 Xls.Downloader.Powload-6923120-0 When I run "sigtool -l./test.ldb", however, sigtool does something ... odd: Doc.Dropper.Generic-6922945-0 6c652e577269746520223466343735323431376533323266343332643436353234353435376533313266366436393665363737373266366336393632326636373633363332663664363936653637373733333332326633333334333834323339333237653331326533353266363936653633366337353634363532663733373436343631373236373265363830303566356636373665373536333566373636313566366336393733373433613734323833353263333132393364323833303263333233303239303035663639366636323735363633613534373432383331326333313239336437333333333235663730373437323361323833313263333232393364326132383330326333313339323932633330326333333332336235663633366537343361323833303263333332393263333333323263333333323362356636323631373336353361323833313263333232393263333633343263333333323362356636363663363136373361323833303263333332393263333933363263333333323362356636363639366336353361323833303263333332393263333133323338326333333332336235663633363836313732363237353636336132383330326333333239326333313336333032633333333233623566363237353636373336393761336132383330326333333239326333313339333232633333333233623566373436643730363636653631366436353361323833313263333232393263333233323334326333333332336236663730363537323631373436663732336433613361323833313263333332393364323332383331326333313239326332383331326333343239336432363238333132633331323932633238333132633335323933643261323833313263333132393263323833313263333632393364323632383331326333373239336436623238333132633331323932633238333032633336323933623361356635613465333635663639366636323735363636313533343535323462353335663362333234313265336235663566363236313733363535663633373436663732336133613238333132633338323933643233323833313263333132393263323833303263333632393263323833313263333532393263323833313263333632393263323833303263333632393362336135663561346533363566363936663632373536363433333234353532346235333566336233323431326533623566356636333666366437303566363337343666373233613361323833313263333832393361356635613465333635663639366636323735363634333331343535323462353335663362333234313265336235663566363236313733363535663633373436663732336122 Win.Adware.Linkury-16152 00720063006800550072006c004300680072006f006d0065002c0020003a00500072006f0074006500630074006f007200730048006f006d0065005000610067006500550052004c004300680072006f006d0065002c0020003a00500072006f0074006500630074006f00720073004e0065007700540061006200550052004c004300680072006f006d0065002c0020003a00500072006f0074006500630074006f0072007300530065006100720063006800550072006c00460046002c0020003a00500072006f0074006500630074006f007200730048006f006d0065005000610067006500550052004c00460046002c0020003a00500072006f0074006500630074006f00720073004e0065007700540061006200550052004c00460046002c0020003a00500072006f0074006500630074006f007200730053006500610072006300680044006f006d00610069006e002c0020003a00500072006f0074006500630074006f007200730048006f006d0065005000610067006500550052004c00490045002c0020003a00500072006f0074006500630074006f0072007300530065006100720063006800550072006c00490045002c0020003a0048006f00730074007300460069006c0065004d006f006e00690074006f0072004c0069006e006b0075007200790044006f006d00610069006e0073002c0020003a00420061007300690063004c0069006e006b0054006f004f00660066006500720073004d0061006e00610067006500720043006c006f007500640053006500720076006900630065002c0020003a00470065007400420075006e0064006c0069006e0067004100700070006c00690063006100740069006f006e00730054006f0049006e007300740061006c006c00460075006e006300740069006f006e002c0020003a0047006500740041007000700072006f0076006500640049006e00730074006c006c006100740069006f006e00460075006e006300740069006f006e002c0020003a005400610073006b006200610072004e006f0074006900660069006500720045007800650050006100740068002c0020003a00440065006600610075006c0074004d00610078004f00720064006500720073002c0020003a00440065006600610075006c00740049006e00740065007200760061006c002c0020003a0043006800650063006b0069006e0067004f006600660065007200730049006e00740065007200760061006c0049006e004d0069006e0075007400650073002c0020003a00500072006900760061007400650049006e007600650073007400690067006100740069006f006e0045006e00640070006f0069006e0074002c0020003a00530068006f007200740049006e00740065007200760061006c0054006f0055007000640061007400650046006c0061006700730049006e004d0069006e0075007400650073002c0020003a004c006f006e00670049006e00740065007200760061006c0054006f0055007000640061007400650046006c0061006700730049006e004d0069006e0075007400650073002c0020003a0052004f00540058006d006c004f007000650072006100740069006f006e007300550072006c002c0020003a0044006c006c0049006e006a0065006300740069006f006e00550072006c002c0020003a005400720061007900570069006e0064006f0077004800650061006400650072004c006100620065006c002c0020003a005400720061007900570069006e0064006f00770049006e0066006f004c006100620065006c002c0020003a005400720061007900570069006e0064006f00770049006e0066006f0032004c006100620065006c002c0020003a005400720061007900570069006e0064006f00770049006e0066006f004e0054004c006100620065006c002c0020003a005400720061007900570069006e0064006f00770049006e0066006f00440053004c006100620065006c002c0020003a00540061006b006500440065006600610075006c0074005300650061007200630068002c0020003a00540061006b0065004e00650077005400610062002c0020003a00540061006b00650048006f006d0065005000610067006500 Win.Adware.Linkury-16148 00072006f0074006500630074006f007200730048006f006d0065005000610067006500550052004c004300680072006f006d0065002c0020003a00500072006f0074006500630074006f00720073004e0065007700540061006200550052004c004300680072006f006d0065002c0020003a00500072006f0074006500630074006f0072007300530065006100720063006800550072006c00460046002c0020003a00500072006f0074006500630074006f007200730048006f006d0065005000610067006500550052004c00460046002c0020003a00500072006f0074006500630074006f00720073004e0065007700540061006200550052004c00460046002c0020003a00500072006f0074006500630074006f007200730053006500610072006300680044006f006d00610069006e002c0020003a00500072006f0074006500630074006f007200730048006f006d0065005000610067006500550052004c00490045002c0020003a00500072006f0074006500630074006f0072007300530065006100720063006800550072006c00490045002c0020003a0048006f00730074007300460069006c0065004d006f006e00690074006f0072004c0069006e006b0075007200790044006f006d00610069006e0073002c0020003a00420061007300690063004c0069006e006b0054006f004f00660066006500720073004d0061006e00610067006500720043006c006f007500640053006500720076006900630065002c0020003a00470065007400420075006e0064006c0069006e0067004100700070006c00690063006100740069006f006e00730054006f0049006e007300740061006c006c00460075006e006300740069006f006e002c0020003a0047006500740041007000700072006f0076006500640049006e00730074006c006c006100740069006f006e00460075006e006300740069006f006e002c0020003a005400610073006b006200610072004e006f0074006900660069006500720045007800650050006100740068002c0020003a00440065006600610075006c0074004d00610078004f00720064006500720073002c0020003a00440065006600610075006c00740049006e00740065007200760061006c002c0020003a0043006800650063006b0069006e0067004f006600660065007200730049006e00740065007200760061006c0049006e004d0069006e0075007400650073002c0020003a00500072006900760061007400650049006e007600650073007400690067006100740069006f006e0045006e00640070006f0069006e0074002c0020003a00530068006f007200740049006e00740065007200760061006c0054006f0055007000640061007400650046006c0061006700730049006e004d0069006e0075007400650073002c0020003a004c006f006e00670049006e00740065007200760061006c0054006f0055007000640061007400650046006c0061006700730049006e004d0069006e0075007400650073002c0020003a0052004f00540058006d006c004f007000650072006100740069006f006e007300550072006c002c0020003a0044006c006c0049006e006a0065006300740069006f006e00550072006c002c0020003a005400720061007900570069006e0064006f0077004800650061006400650072004c006100620065006c002c0020003a005400720061007900570069006e0064006f00770049006e0066006f004c006100620065006c002c0020003a005400720061007900570069006e0064006f00770049006e0066006f0032004c006100620065006c002c0020003a005400720061007900570069006e0064006f00770049006e0066006f004e0054004c006100620065006c002c0020003a005400720061007900570069006e0064006f00770049006e0066006f00440053004c006100620065006c002c0020003a00540061006b006500440065006600610075006c0074005300650061007200630068002c0020003a00540061006b0065004e00650077005400610062002c0020003a00540061006b00650048006f006d0065005000610067006500 Xls.Downloader.Powload-6923120-0 ERROR: listdb: Malformed pattern line 8 (file ./test.ldb) This seems to indicate that: * sigtool isn't reading the entire line from the database file, rather it's only reading 8k. * The error is NOT triggering on those other long signatures because there is a semi-colon further in the signature file which allows sigtool to "think" those long strings of numbers are actually the virus names. * The error IS triggering on the powload signature because the very next read (line 1615: 'while (fgets(buffer, CLI_DEFAULT_LSIG_BUFSIZE, fh)) {' ) is hitting a newline. --Maarten Ralf Hildebrandt Charité - Universitätsmedizin Berlin Geschäftsbereich IT | Abteilung Netzwerk Campus Benjamin Franklin (CBF) Haus I | 1. OG | Raum 105 Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 ralf.hildebra...@charite.de<mailto:ralf.hildebra...@charite.de> https://www.charite.de _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net<mailto:clamav-users@lists.clamav.net> https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
_______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
