First Last Prev Next    This bug is not in your last search results.
Bug 202043 - MD5 libclamav library name collision with openssl
MD5 libclamav library name collision with openssl
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: clamav (Show other bugs)
5
All Linux
medium Severity high
: ---
: ---
Assigned To: Enrico Scholz
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-08-10 11:18 EDT by jmp
Modified: 2007-11-30 17:11 EST (History)
2 users (show)

See Also:
Fixed In Version: 0.88.7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-02-04 06:19:05 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description jmp 2006-08-10 11:18:44 EDT 
There is a procedure name collision between libclamav and openssl
both use name as
MD5_Init, MD5_Update, MD5_Final as public subroutine.
(fact is both include a module named md5.c)

If an application (clement in my case) use libclamav AND start a TLS connection,
openssl can/may use
MD5 library from libclamav instead of libcrypto.
this will generate a rather ugly crash (stack fully overwrite)

How reproducible:

Rather difficult, first noticed on a RH7.3 using openssl 0.9.6 and
clamav 0.88.3. seems to depend the order crypto and clamav are
found within the dynamic lbrary cache on the running system.
 
clamav changed its md5.c module between 088.2 and 0.88.3 (previously
procedure were named MD5Init instead of MD5_init).


  
Actual results:
Big Huge Crash (traces wiped-out within core dump)



Expected results:
Point was proved, while changing the MD5 subrouting name within clamav
and reinstalling clamav, everything equal otherwise, the clement
application didn't crash.



Additional info:

My guess, clamav should either depend on openssl/crypto (first option) or rename
its MD5 routine name (second option).

just checked with current extras (clamav-0.88.4) and FC6 (openssl-0.9.8b),
library name still colide.
Comment 1 Enrico Scholz 2006-08-11 02:20:46 EDT 
Can you check whether

  http://cvs.fedora.redhat.com/viewcvs/rpms/clamav/FC-5/clamav-0.88.4-visibility.patch?root=extras&rev=1.1&view=auto

solves your problem (FC-5 CVS branch), please?
Comment 2 jmp 2006-08-17 22:32:23 EDT 
I do confirm , patch is doing the trick...
Done it on plain legacy RH7.3.
With a standard clamav.0.88.4 application crash (as previously), once
the patch apply and RPM Delta installed (0.88.4-X), no crash anymore (everything
else equal).

From my stand point its a "go".  Many thanks....
(Do you know if Clamav team will take the patch inside their own release?)
Comment 3 Enrico Scholz 2007-02-04 06:19:05 EST 
ok; closing bug...
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.