It appears that in 0.91.1 and 0.91.2 PhishingScanURLs is on by
default even in non-experimental builds. If the line
H:nationwide.co.uk
is present in daily.pdb (indeed, if it is the _only_ line in
daily.pdb, and that is the only pattern file in use) then the
attached piece of mail hangs 0.91.1 and 0.91.2 on Solaris 10 Sparc
unless --no-phishing-scan-urls or its clamd.conf equivalent is set.
My workaround is to put
PhishingScanURLs no
into clamd.conf, because I'm not confident that the nationwide.co.uk
is anything other than one manifestation of a more general problem.
dmzsrv-6.ftel.co.uk# uname -a
SunOS dmzsrv-6.ftel.co.uk 5.10 Generic_118833-36 sun4u sparc SUNW,Sun-Fire-V210
dmzsrv-6.ftel.co.uk# ls
daily.pdb
dmzsrv-6.ftel.co.uk# cat daily.pdb
H:nationwide.co.uk
dmzsrv-6.ftel.co.uk# clamscan --database=. /var/tmp/testmessage
[[ hangs ]]
^Cdmzsrv-6.ftel.co.uk# clamscan --no-phishing-scan-urls --database=. /var/tmp/testmessage
/var/tmp/testmessage: OK
----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.91.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 0.014 sec (0 m 0 s)
dmzsrv-6.ftel.co.uk# echo H:zzz.co.uk > daily.pdb
dmzsrv-6.ftel.co.uk# clamscan --database=. /var/tmp/testmessage
/var/tmp/testmessage: OK
----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.91.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 0.020 sec (0 m 0 s)
dmzsrv-6.ftel.co.uk#
It doesn't appear to cause a problem on my desktop OSX machine:
dhcp-172-16-44-202:~ igb$ uname -a
Darwin dhcp-172-16-44-202.ftel.co.uk 8.10.0 Darwin Kernel Version 8.10.0: Wed May 23 16:50:59 PDT 2007; root:xnu-792.21.3~1/RELEASE_PPC Power Macintosh powerpc
dhcp-172-16-44-202:~ igb$ ls /tmp/db
daily.pdb
dhcp-172-16-44-202:~ igb$ cat /tmp/db/daily.pdb
H:nationwide.co.uk
dhcp-172-16-44-202:~ igb$ clamav-0.91.1/clamscan/clamscan --database=/tmp/db ./testcase
./testcase: Phishing.Heuristics.Email.SpoofedDomain FOUND
----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.91.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 0.280 sec (0 m 0 s)
dhcp-172-16-44-202:~ igb$
Back on the Solaris machine, looking at the coredump generated with
Control-Backslash shows that it's recursing infinitely:
(gdb) bt
#0 0xff050a80 in memcpy () from /platform/SUNW,Sun-Fire-V210/lib/libc_psr.so.1
#1 0xff0fb2ec in match_re_C () from /lib/libc.so.1
#2 0xff0fb33c in match_re_C () from /lib/libc.so.1
#3 0xff0fc69c in match_re_C () from /lib/libc.so.1
#4 0xff0fb780 in match_re_C () from /lib/libc.so.1
#5 0xff0fb33c in match_re_C () from /lib/libc.so.1
#6 0xff0fb33c in match_re_C () from /lib/libc.so.1
#7 0xff0fc69c in match_re_C () from /lib/libc.so.1
#8 0xff0fb780 in match_re_C () from /lib/libc.so.1
#9 0xff0fb33c in match_re_C () from /lib/libc.so.1
#10 0xff0fb33c in match_re_C () from /lib/libc.so.1
#11 0xff0fc69c in match_re_C () from /lib/libc.so.1
#12 0xff0fb780 in match_re_C () from /lib/libc.so.1
#13 0xff0fb33c in match_re_C () from /lib/libc.so.1
The bottom of the stack looks like this:
#467 0xff0fb33c in match_re_C () from /lib/libc.so.1
#468 0xff0fb780 in match_re_C () from /lib/libc.so.1
#469 0xff0fb33c in match_re_C () from /lib/libc.so.1
#470 0xff0fcad4 in match_re_C () from /lib/libc.so.1
#471 0xff0faa0c in __regexec_C () from /lib/libc.so.1
#472 0xff2eb9d0 in isURL (pchk=0xffbfaa00, URL=0x426d0 "http://allnations.nu/design/base/olb2.nationet/olb2.nationet.com/update?3441_3769473_414_1662_480_0_722_1148_2726403610&Idx=2&YY=1123&inc=25&order=down&sort=date&pos2_1148_2726403610&Idx=2&YY=1123&inc"...) at phishcheck.c:977
#473 0xff2ec628 in phishingScan (m=0x2e418, dir=0x3ca88 "/var/tmp//clamav-a40c39784d010e5305fb4f99f288021e", ctx=0xffbfd540, hrefs=0xffbfae48) at phishcheck.c:1207
#474 0xff2a4e30 in checkURLs (mainMessage=0x3a240, mctx=0xffbfccb8, rc=0xffbfaf44, is_html=1) at mbox.c:3903
#475 0xff2a6aa4 in parseEmailBody (messageIn=0x3a240, textIn=0x0, mctx=0xffbfccb8, recursion_level=0) at mbox.c:2037
#476 0xff2a88dc in cli_mbox (dir=0x3ca88 "/var/tmp//clamav-a40c39784d010e5305fb4f99f288021e", desc=0, ctx=0xffbfd540) at mbox.c:1400
#477 0xff29fc98 in cli_scanmail (desc=3, ctx=0xffbfd540) at scanners.c:1644
#478 0xff29d8e4 in cli_magic_scandesc (desc=3, ctx=0xffbfd540) at scanners.c:1973
#479 0xff2a1248 in cl_scandesc (desc=3, virname=0xffbfd5dc, scanned=0x2cbf8, engine=0x2d9d0, limits=0xffbffca0, options=26167) at scanners.c:2114
#480 0x00015e18 in checkfile (filename=0x3c250 "/var/tmp/testmessage", engine=0x2d9d0, limits=0xffbffca0, options=26167, printclean=1) at manager.c:640
#481 0x00016300 in scanfile (filename=0x3c250 "/var/tmp/testmessage", engine=0x2d9d0, user=0x0, opt=0x2cf70, limits=0xffbffca0, options=26167) at manager.c:1082
#482 0x000176c8 in scanmanager (opt=0x2cf70) at manager.c:363
#483 0x000150d8 in main (argc=3, argv=0x2cf70) at clamscan.c:213
(gdb)
URL doesn't contain `nationwide.co.uk':
$2 = 0x426d0 "http://allnations.nu/design/base/olb2.nationet/olb2.nationet.com/update?3441_3769473_414_1662_480_0_722_1148_2726403610&Idx=2&YY=1123&inc=25&order=down&sort=date&pos2_1148_2726403610&Idx=2&YY=1123&inc=25&order=down&s"
phishcheck.c:977 is just a call to regexec:
static int isURL(const struct phishcheck* pchk,const char* URL)
{
    return URL ? !regexec(&pchk->preg,URL,0,NULL,0) : 0; /* this is line 977 */
}
So my money says that the problem is a difference between Sun's
regexec and whatever platform clamav is developed on (presumably
Linux). I've run the bogus message through tr 'a-z' 'b-za' in order
to avoid causing people pain (and I've checked that the sanitised form
doesn't hang things). Convert it back with tr 'b-za' 'a-z'.
ian
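As an added example (not part of the post above, and not ClamAV's own code): a small C harness that runs a POSIX regexec() in a forked child under alarm(), so a runaway matcher in the platform libc is reported as a timeout instead of hanging the caller the way clamscan hangs above. ClamAV's actual isURL pattern is not shown on this page, so the pattern and the subject string are parameters; the nested-quantifier probe pattern and its generated subject are constructed for illustration and go beyond the nationwide.co.uk case to any pattern that makes a backtracking matcher recurse.

```c
/*
 * regexec_bounded(): run a POSIX regex match in a forked child under an
 * alarm(), so a runaway regexec() in the platform libc is reported as a
 * timeout instead of hanging the caller.  Added example; not ClamAV code.
 */
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum re_result {
    RE_NOMATCH = 0,     /* regexec() returned REG_NOMATCH */
    RE_MATCH = 1,       /* regexec() returned 0 */
    RE_TIMEOUT = 2,     /* child killed by SIGALRM: libc regexec ran away */
    RE_BADPATTERN = 3,  /* regcomp() rejected the pattern */
    RE_ERROR = 4        /* fork/waitpid failure or unexpected child death */
};

int regexec_bounded(const char *pattern, const char *subject, unsigned seconds)
{
    regex_t re;
    pid_t pid;
    int status;

    /* Same call shape as an isURL()-style check: extended RE, no submatches. */
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return RE_BADPATTERN;

    pid = fork();
    if (pid < 0) {
        regfree(&re);
        return RE_ERROR;
    }
    if (pid == 0) {
        /* Child: SIGALRM's default action terminates us if regexec() never returns. */
        signal(SIGALRM, SIG_DFL);
        alarm(seconds);
        _exit(regexec(&re, subject, 0, NULL, 0) == 0 ? RE_MATCH : RE_NOMATCH);
    }

    regfree(&re);
    if (waitpid(pid, &status, 0) < 0)
        return RE_ERROR;
    if (WIFSIGNALED(status))
        return WTERMSIG(status) == SIGALRM ? RE_TIMEOUT : RE_ERROR;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return RE_ERROR;
}

/*
 * Constructed probe (hypothetical pattern, not ClamAV's): a nested-quantifier
 * RE against n 'a's followed by a 'b'.  A recursive backtracking matcher tries
 * on the order of 2^n paths before failing; an automaton-based one answers at
 * once.  Returns RE_NOMATCH on the latter, RE_TIMEOUT on the former.
 */
int pathological_probe(size_t n, unsigned seconds)
{
    char *subject = malloc(n + 2);
    int rc;

    if (subject == NULL)
        return RE_ERROR;
    memset(subject, 'a', n);
    subject[n] = 'b';          /* trailing 'b' forces a complete failed search */
    subject[n + 1] = '\0';
    rc = regexec_bounded("^(a|aa)+$", subject, seconds);
    free(subject);
    return rc;
}

int main(int argc, char **argv)
{
    /* Usage: ./regexec_bounded PATTERN SUBJECT [SECONDS]; with no args, run the probe. */
    static const char *names[] = { "no match", "match", "TIMEOUT", "bad pattern", "error" };
    unsigned seconds = argc > 3 ? (unsigned)atoi(argv[3]) : 5;
    int rc = argc > 2 ? regexec_bounded(argv[1], argv[2], seconds)
                      : pathological_probe(32, seconds);

    printf("%s\n", names[rc]);
    return rc == RE_TIMEOUT ? 2 : 0;
}
```

Build it on both boxes (cc -o regexec_bounded regexec_bounded.c) and feed it the same pattern and URL; a TIMEOUT from the Solaris libc where the Linux or OS X build says "no match" isolates the behaviour to the platform's regexec rather than to ClamAV's callers. The child-process design is deliberate: longjmp'ing out of a SIGALRM handler while regexec() is mid-recursion is not safe, whereas letting the default signal action kill a forked child leaves the parent's regex_t and heap untouched.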

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html