Bug 1766382

Summary:	Freshclam and clamscan: ERROR: Verification: Can't allocate memory in FIPS mode
Product:	[Fedora] Fedora EPEL	Reporter:	Simon Mijolovic <simon>
Component:	clamav	Assignee:	Orion Poplawski <orion>
Status:	NEW ---	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	epel8	CC:	anon.amish, bennie.joubert, cshirsat, janfrode, jonathan, j, matthew.w.lesko, ondrejj, orion, redhat-bugzilla, rh-bugzilla, simon, steve
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	x86_64
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Simon Mijolovic 2019-10-28 21:36:21 UTC

Description of problem:
In RHEL8/CentOS8, freshclam and clamscan do not run as expected in FIPS mode

Version-Release number of selected component (if applicable):
0.101.4


How reproducible:
Always


Steps to Reproduce:
1. Minimal build
2. Add EPEL8 repo, and dnf install clamav clamav-update
3. Enable FIPS: fips-mode-setup --enable
4. Run freshclam -v

Actual results:
[root@localhost clamav]# freshclam -v
Current working dir is /var/lib/clamav
ClamAV update process started at Mon Oct 28 21:28:05 2019
Using IPv6 aware code
Max retries == 3
Querying current.cvd.clamav.net
TTL: 5
Software version from DNS: 0.102.0
Retrieving http://database.clamav.net/main.cvd
Trying to download http://database.clamav.net/main.cvd (IP: 104.16.219.84)
Downloading main.cvd [100%]
ERROR: Verification: Can't allocate memory
Querying main.0.105.0.0.6810DB54.ping.clamav.net
Can't query main.0.105.0.0.6810DB54.ping.clamav.net
Trying again in 5 secs...
Querying current.cvd.clamav.net
TTL: 5
Software version from DNS: 0.102.0
Retrieving http://database.clamav.net/main.cvd
Trying to download http://database.clamav.net/main.cvd (IP: 104.16.219.84)
Downloading main.cvd [100%]
ERROR: Verification: Can't allocate memory
Querying main.0.105.0.0.6810DB54.ping.clamav.net
Can't query main.0.105.0.0.6810DB54.ping.clamav.net
Trying again in 5 secs...
Querying current.cvd.clamav.net
TTL: 5
Software version from DNS: 0.102.0
Retrieving http://database.clamav.net/main.cvd
Trying to download http://database.clamav.net/main.cvd (IP: 104.16.218.84)
Downloading main.cvd [100%]
ERROR: Verification: Can't allocate memory
Querying main.0.105.0.0.6810DA54.ping.clamav.net
Can't query main.0.105.0.0.6810DA54.ping.clamav.net
Giving up on database.clamav.net...
Update failed. Your network may be down or none of the mirrors listed in /etc/freshclam.conf is working. Check https://www.clamav.net/documents/official-mirror-faq for possible reasons.

No cvd files are found in /var/lib/clamav

Expected results:

[root@localhost clamav]# freshclam -v
Current working dir is /var/lib/clamav
ClamAV update process started at Mon Oct 28 21:32:40 2019
Using IPv6 aware code
Max retries == 3
Querying current.cvd.clamav.net
TTL: 5
Software version from DNS: 0.102.0
Retrieving http://database.clamav.net/main.cvd
Trying to download http://database.clamav.net/main.cvd (IP: 104.16.218.84)
Downloading main.cvd [100%]
Loading signatures from main.cvd
Properly loaded 4566249 signatures from new main.cvd
main.cvd updated (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Querying main.58.105.1.0.6810DA54.ping.clamav.net
Can't query main.58.105.1.0.6810DA54.ping.clamav.net
Retrieving http://database.clamav.net/daily.cvd
Trying to download http://database.clamav.net/daily.cvd (IP: 104.16.218.84)
Downloading daily.cvd [100%]
Loading signatures from daily.cvd
Properly loaded 1960147 signatures from new daily.cvd
daily.cvd updated (version: 25616, sigs: 1960147, f-level: 63, builder: raynman)
Querying daily.25616.105.1.0.6810DA54.ping.clamav.net
Can't query daily.25616.105.1.0.6810DA54.ping.clamav.net
Retrieving http://database.clamav.net/bytecode.cvd
Trying to download http://database.clamav.net/bytecode.cvd (IP: 104.16.218.84)
Downloading bytecode.cvd [100%]
Loading signatures from bytecode.cvd
Properly loaded 94 signatures from new bytecode.cvd
bytecode.cvd updated (version: 331, sigs: 94, f-level: 63, builder: anvilleg)
Querying bytecode.331.105.1.0.6810DA54.ping.clamav.net
Can't query bytecode.331.105.1.0.6810DA54.ping.clamav.net
Database updated (6526490 signatures) from database.clamav.net (IP: 104.16.218.84)

main, daily, and bytecode cvds are found in /var/lib/clamav

Additional info:
Run fips-mode-setup --disable
Reboot

Expected results are observed.

Comment 1 Sergio Basto 2019-10-29 01:26:20 UTC

what is FIPS mode ?

Comment 2 Simon Mijolovic 2019-10-29 01:41:09 UTC

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

Comment 3 Orion Poplawski 2019-10-29 03:47:51 UTC

Actually, I would argue it is running as expected in FIPS mode :).  MD5 is not an allowed hash algorithm by FIPS, but since it is what clamav uses to verify the cvd files it fails.  This is going to need to be addressed upstream.  Please file a bug there: https://bugzilla.clamav.net/

Comment 4 Orion Poplawski 2019-10-29 03:48:57 UTC

Specifically:

cl_hash_init (alg=0x7ffff7b4e9cb "md5") at crypto.c:1154
1154    {
(gdb) 
1158        md = EVP_get_digestbyname(alg);
(gdb) 
1159        if (!(md))
(gdb) 
1174            return NULL;

So EVP_get_digestbyname("md5") returns NULL.

Comment 5 Simon Mijolovic 2019-10-29 15:30:48 UTC

Orion - agree with the fact that FIPS is doing what it's supposed to do. Thank you for the code snippet.

For future proofing, sha256 is recommended.

Filed the upstream bug:
https://bugzilla.clamav.net/show_bug.cgi?id=12424

Marked security restricted - asked for it to be public.

Comment 6 Sergio Basto 2019-10-29 17:23:22 UTC

 I'm not authorized to access bug #12424. 

if you are the owner , you may make the bug public IIRC .

Comment 7 Simon Mijolovic 2019-10-29 18:19:22 UTC

Not when flagged with security, and for good reason.

If someone discloses to security what could potentially could become a zero-day, you don't go blasting that out public. Smart move there, so the security team will remove the private flag.

Comment 9 Sergio Basto 2023-03-04 12:01:03 UTC

For refence 

https://build.opensuse.org/package/view_file/home:alveus:main/clamav/clamav-fips.patch?expand=1


--- libclamav/crypto.c.orig
+++ libclamav/crypto.c
@@ -145,6 +145,9 @@ int cl_initialize_crypto(void)
     ERR_load_crypto_strings();
 #endif
 
+    /* avoid fips issues */
+    EVP_add_digest(EVP_md5());
+
     return 0;
 }

Comment 10 Fedora Admin user for bugzilla script actions 2025-06-21 03:40:53 UTC

This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 11 Jonathan Dieter 2025-10-14 09:24:55 UTC

It looks like clamav 1.5.0 fixes this problem (see https://blog.clamav.net/2025/10/clamav-150-released.html).