[clamav-users] Max Open File Descriptors issue found this morning

Joel Esler (jesler) jesler at cisco.com
Fri Jan 26 15:38:56 UTC 2018

There are a bunch of threads going on, so I am going to try and address most of them with this email, sorry if I leave anything out.

There are reports of exploits against 0.99.2 in the wild. Heise reports
on that (in german, can't find an english source right now):

No that I  have seen.  Maybe I'm wrong and maybe one of my coworkers here at Cisco knows something that I don't, but all of the referenced CVE's in my blog post here: http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html were disclosed to us responsibly by the folks from Offensive Research at Salesforce.com<http://Salesforce.com>.  We appreciate their work, and it helps tremendously.

Reading through the
thread, it doesn't appear that ClamAV has fixed the signatures yet (as of
24257), or am I wrong?

We are currently reviewing the issue to see if we can isolate the cause and work out a fix.  This is a "All Hands on Deck" situation (https://en.oxforddictionaries.com/definition/all_hands_on_deck) here.  We apologize for any issues, and we'll do a post mortem analysis once we fix it to figure out what went wrong and what we can do to remedy this in the future.

ClamAV QA team: In future, please run new signatures against a clamd
process a few thousand times to check for possible resource leakage.

Thank you for your suggestion.  We have had some transition in personnel in the last several months on the ClamAV team, as well as further augmenting our QA resources.  I'm not making excuses, I'm just trying to let you all know the reality we've faced.  We want to change the model of ClamAV to be even more open source and develop more in a "Bazaar" method.  More on this over time.

Re: Mail loops

which f**g idiot is responsible for that?

Unfortunately Reindl, from what you reported, and your eloquent description, I'm not sure what the issue is.  I'm not seeing that issue on my side.

Am 26.01.2018 um 15:40 schrieb Joel Esler (jesler):
As previously mentioned, if you downloaded the beta version of ClamAV 0.99.3, you will need to completely uninstall it and do a fresh install with the production version of 0.99.3 as there are significant code differences

when i read something like this in 2018 my brain ends with a bluescreen

This is something we debated for a couple weeks here internally and we found this to be the best solution.  We were stuck between a rock in and a hard place.  Trust me, this is not the user experience I want for our users either, but we were faced with a tough choice, and replacing the 0.99.3 beta with a completely different codebase was the one we found to be the best path forward without upsetting even more people.

Joel Esler | Talos: Manager | jesler at cisco.com<mailto:jesler at cisco.com>

More information about the clamav-users mailing list