Bug 202043 - MD5 libclamav library name collision with openssl
Summary: MD5 libclamav library name collision with openssl
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: clamav
Version: 5
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Enrico Scholz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-08-10 15:18 UTC by jmp
Modified: 2007-11-30 22:11 UTC (History)
2 users (show)

Fixed In Version: 0.88.7
Clone Of:
Environment:
Last Closed: 2007-02-04 11:19:05 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description jmp 2006-08-10 15:18:44 UTC
There is a procedure name collision between libclamav and openssl
both use name as
MD5_Init, MD5_Update, MD5_Final as public subroutine.
(fact is both include a module named md5.c)

If an application (clement in my case) use libclamav AND start a TLS connection,
openssl can/may use
MD5 library from libclamav instead of libcrypto.
this will generate a rather ugly crash (stack fully overwrite)

How reproducible:

Rather difficult, first noticed on a RH7.3 using openssl 0.9.6 and
clamav 0.88.3. seems to depend the order crypto and clamav are
found within the dynamic lbrary cache on the running system.
 
clamav changed its md5.c module between 088.2 and 0.88.3 (previously
procedure were named MD5Init instead of MD5_init).


  
Actual results:
Big Huge Crash (traces wiped-out within core dump)



Expected results:
Point was proved, while changing the MD5 subrouting name within clamav
and reinstalling clamav, everything equal otherwise, the clement
application didn't crash.



Additional info:

My guess, clamav should either depend on openssl/crypto (first option) or rename
its MD5 routine name (second option).

just checked with current extras (clamav-0.88.4) and FC6 (openssl-0.9.8b),
library name still colide.

Comment 1 Enrico Scholz 2006-08-11 06:20:46 UTC
Can you check whether

  http://cvs.fedora.redhat.com/viewcvs/rpms/clamav/FC-5/clamav-0.88.4-visibility.patch?root=extras&rev=1.1&view=auto

solves your problem (FC-5 CVS branch), please?

Comment 2 jmp 2006-08-18 02:32:23 UTC
I do confirm , patch is doing the trick...
Done it on plain legacy RH7.3.
With a standard clamav.0.88.4 application crash (as previously), once
the patch apply and RPM Delta installed (0.88.4-X), no crash anymore (everything
else equal).

From my stand point its a "go".  Many thanks....
(Do you know if Clamav team will take the patch inside their own release?)

Comment 3 Enrico Scholz 2007-02-04 11:19:05 UTC
ok; closing bug...


Note You need to log in before you can comment on or make changes to this bug.