[sanesecurity] x86_64 users: possible malformed database problems

  • From: Steve Basford <steveb_clamav@xxxxxxxxxxxxxxxx>
  • To: sanesecurity@xxxxxxxxxxxxx, sanesecurity_announce@xxxxxxxxxxxxx
  • Date: Sun, 25 Oct 2009 17:10:05 +0000

Hi All,

Some users (mainly x86_64 so far) noticed database errors (malformed database) when loading signatures.

As signature integrity is checked before upload to the mirrors and the download scripts check integrity before use, this issue should not arise.

With help from various people on the Sanesecurity list, the problem was narrowed down to users on x86_64 OS versions (e.g. CentOS 5.4 on x86_64) who were using nearly all the available Third Party databases.
The typical errors were:

LibClamAV Error: mpool_malloc(): Attempt to allocate 2097152 bytes.
Please report to http://bugs.clamav.net
LibClamAV Error: cli_ac_addpatt: Can't realloc ac_pattable
LibClamAV Error: cli_parse_add():

Thanks to the ClamAV team, the bug was fixed in the clamav-devel version:


+Sat Oct 24 15:06:50 CEST 2009 (acab)
+ * libclamav/mpool.c: increase max pool to 8M to allow loading huge custom dbs

I realise that people may not be able to move to the devel version in production environments, so the only work-around is to try and limit the number of databases that you are using.

for example:

Largest size signature databases:

25/10/2009  15:53         2,526,656 jurlbl.ndb
24/10/2009  16:53         3,082,316 junk.ndb
25/10/2009  15:38         3,327,576 INetMsg-SpamDomains-2w.ndb
25/10/2009  15:29         3,886,074 scamnailer.ndb
25/10/2009  15:53         6,967,926 jurlbla.ndb
28/08/2009  12:10         9,393,566 securiteinfo.hdb
25/10/2009  15:47        12,645,831 INetMsg-SpamDomains-2m.ndb

As a reminder if you are using InetMsg signatures, you need to select:

*either* INetMsg-SpamDomains-2w.ndb *or* INetMsg-SpamDomains-2m.ndb *not* both to save a bit of memory.

Hopefully once the devel version bugfix makes its way into the stable version, this problem should go away.

Sorry for any problems this has caused.
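
Added example (not part of the original message, and not taken from the Sanesecurity download scripts): a shell check for the work-around described above. It lists the largest .ndb/.hdb files in a database directory and flags the case where both INetMsg-SpamDomains variants are installed. The function names and the directory argument are assumptions; pass whatever directory your ClamAV installation loads signatures from.

```shell
#!/bin/sh
# Added example: audit a ClamAV signature directory for the work-around.
# Function names are hypothetical; the directory is supplied by the caller.

# Print the N largest .ndb/.hdb files as "<bytes> <name>", largest first.
largest_dbs() {
    dir=$1
    n=${2:-7}
    for f in "$dir"/*.ndb "$dir"/*.hdb; do
        [ -f "$f" ] || continue          # skip unmatched glob patterns
        size=$(wc -c < "$f" | tr -d ' ')
        printf '%s %s\n' "$size" "$(basename "$f")"
    done | sort -rn | head -n "$n"
}

# Return 0 and print a warning when both INetMsg variants are present,
# return 1 when at most one of them is installed.
inetmsg_conflict() {
    dir=$1
    if [ -f "$dir/INetMsg-SpamDomains-2w.ndb" ] &&
       [ -f "$dir/INetMsg-SpamDomains-2m.ndb" ]; then
        echo "both INetMsg-SpamDomains-2w.ndb and -2m.ndb found: keep only one"
        return 0
    fi
    return 1
}

# Run the audit when a directory is given on the command line.
if [ "$#" -ge 1 ]; then
    largest_dbs "$1"
    inetmsg_conflict "$1" || true
fi
```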


