[meta-security] Clamav libclammspack.so missing from image

[meta-security] Clamav libclammspack.so missing from image

[yoc.dev]

Hi,

I am adding clamav to my custom image.

I have added the target clamav-libclamav to my image and libclamav.so is 
added, as expected, to /usr/lib but libclammspack.so is not added to 
/usr/lib

How to I make sure that libclammspack.so is include in the image?

I am using the meta-security layer on the dunfell branch.

Many Thanks,

Charlie

Re: [yocto] [meta-security] Clamav libclammspack.so missing from image

[akuster]

[-- Attachment #1: Type: text/plain, Size: 650 bytes --]



On 7/29/20 12:34 PM, yoc wrote:
> Hi,
>
> I am adding clamav to my custom image.
>
> I have added the target clamav-libclamav to my image and libclamav.so
> is added, as expected, to /usr/lib but libclammspack.so is not added
> to /usr/lib
>
> How to I make sure that libclammspack.so is include in the image?

You can check the build directory in the package dir and see if it is
there. Then check the package-split to see if it ended up in a different
package.

I am rebuilding dunfell now to see what is up.

-armin
>
> I am using the meta-security layer on the dunfell branch.
>
> Many Thanks,
>
> Charlie
>
>
> 


[-- Attachment #2: Type: text/html, Size: 1437 bytes --]

Re: [yocto] [meta-security] Clamav libclammspack.so missing from image

[Armin Kuster]

[-- Attachment #1: Type: text/plain, Size: 490 bytes --]



On 7/29/20 12:34 PM, yoc wrote:
> Hi,
>
> I am adding clamav to my custom image.
>
> I have added the target clamav-libclamav to my image and libclamav.so
> is added, as expected, to /usr/lib but libclammspack.so is not added
> to /usr/lib
>
> How to I make sure that libclammspack.so is include in the image?
You can find it in the 'libmspack' package.

-armin

>
> I am using the meta-security layer on the dunfell branch.
>
> Many Thanks,
>
> Charlie
>
>
> 


[-- Attachment #2: Type: text/html, Size: 1252 bytes --]

Re: [meta-security] Clamav libclammspack.so missing from image

[yoc]

[-- Attachment #1: Type: text/plain, Size: 2532 bytes --]

Hi Armin,

So I found libmspack where you said it would be. I have done some more digging and talked to the Clamav developers.

This line in the recipe (--with-system-libmspack=${CLAMAV_USR_DIR}) means that libmspack installed on the system is used and the output produced is libclamav.so* and libmspack.so*

When I built clamav outside of Yocto I didnt specify the --with-system-libmspack option and the output was libclamav.so* and libclammspack.so* i.e. the internal library bundled with Clamav was used.

Having spoken to the Clamav developers I want to use the internal as it gives additional capabilities and security protections:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233763

"Upgrade from libmspack 0.5alpha to libmspack 0.7.1alpha. As a reminder, we support system-installed versions of libmspack. However, at this time the ClamAV-provided version of libmspack provides additional abilities to parse broken or non-standard CAB files beyond what the stock libmspack 0.7.1alpha provides. We are working with the upstream project to incorporate our modifications, and hopefully these changes will appear in a future release of libmspack."

So I went about trying to get the Yocto recipe to compile against the internal libclammspack bundled with Clamav and did not have any success:

tmp/work/aarch64-poky-linux/clamav/0.101.5-r0/recipe-sysroot-native/usr/bin/aarch64-poky-linux/../../libexec/aarch64-poky-linux/gcc/aarch64-poky-linux/9.3.0/ld: warning: libclammspack.so.0, needed by ../libclamav/.libs/libclamav.so, not found (try using -rpath or -rpath-link)

Firstly, would you be able to give me a pointer on how to solve this issue - I think it requires a patch to the Clamav build process? I saw some historic commits mentioning rpath but was unsuccessful with getting anything to build.

Secondly, I would propose the following and am happy to implement the patches if these ideas are agreeable to you:

1) Use the PACKAGECONFIG mechanism to allow a switch between using the system and internal libmspack with the default being to use the internal version
2) Update the version of Clamav to the latest stable version - it was noted by the Clamav developers that the current version in the recipe is outdated
3) Fix the bug on line 92 of the recipe. I believe that this line should be surrounded by the same if statement as lines 75-79. I am behind a company proxy so need the INSTALL_CLAMAV_CVD option switched off

Thank you for your time with this.

Kind Regards,

Charlie

[-- Attachment #2: Type: text/html, Size: 3046 bytes --]

Re: [meta-security] Clamav libclammspack.so missing from image

[yoc]

[-- Attachment #1: Type: text/plain, Size: 1085 bytes --]

After a closer look I realised that there isnt a difference between the stock libmspack and the internal clamav libmspack so 1 can be ignored.

I have submitted a patch for 3.

I have also tested updating the recipe to rel/0.102 the latest release.

There was a couple of problems during configure with curl.

1) The configure script looks for curl-config under /usr/bin but the location under sysroot is /usr/bin/crossscripts/curl-config. I patched the configure script to change the path it looks for and this worked but do not know if this is the best solution?
2) The configure script checks the version of curl due to this feature https://www.clamav.net/documents/on-access-scanning#on-access-scanning Currently on the dunfell branch this check fails due to the curl recipe version not being >= 7.45
I used the suggested work around of adding --disable-clamonacc to EXTRA_OECONF_CLAMAV for now

Once these two issues were sorted everything build and ran as expected.

What are your thoughts on the way forward with the two curl issues?

Kind Regards,

Charlie

[-- Attachment #2: Type: text/html, Size: 1310 bytes --]