dpkg-reconfigure clamav-daemon in infinite loop

Status changed to 'Confirmed' because the bug affects multiple users.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=950296

I had filed https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1861497, but just found this and closed it as a duplicate.

This is critical bug for us as we have `DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true dpkg-reconfigure clamav-daemon` in our provisioning which will hang the machine until it finally crashes.

Upstream bug from Debian has been fixed.

I have reproduced it on Xenial.

$ cat /etc/lsb-release
..
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.6 LTS"

$ uname -rv
4.4.0-170-generic #199-Ubuntu SMP Thu Nov 14 01:45:04 UTC 2019

$ dpkg -l | grep clam
ii clamav 0.102.1+dfsg-0ubuntu0.16.04.2
ii clamav-base 0.102.1+dfsg-0ubuntu0.16.04.2
ii clamav-daemon 0.102.1+dfsg-0ubuntu0.16.04.2
ii clamav-freshclam 0.102.1+dfsg-0ubuntu0.16.04.2
ii clamdscan 0.102.1+dfsg-0ubuntu0.16.04.2
ii libclamav9 0.102.1+dfsg-0ubuntu0.16.04.2

$ sudo DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true dpkg-reconfigure clamav-daemon
(hangs)

$ ps -fe | grep clamav
root 20256 19801 0 07:54 pts/1 00:00:00 sudo DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true dpkg-reconfigure clamav-daemon
root 20257 20256 70 07:54 pts/1 00:00:10 /usr/bin/perl -w /usr/sbin/dpkg-reconfigure clamav-daemon
root 20306 20257 23 07:54 pts/1 00:00:03 /bin/sh /var/lib/dpkg/info/clamav-daemon.config reconfigure 0.102.1+dfsg-0ubuntu0.16.04.2
ubuntu 20647 17343 0 07:54 pts/0 00:00:00 grep --color=none clamav

$ sudo strace -p 20257
...
read(8, "METAGET clamav-daemon/LogFile va"..., 8192) = 36
write(7, "0 /var/log/clamav/clamav.log\n", 29) = 29
read(8, "INPUT low clamav-daemon/LogTime\n", 8192) = 32
write(7, "30 question skipped\n", 20) = 20
read(8, "GO \n", 8192) = 4
write(7, "0 ok\n", 5) = 5
...
^Cread(8, strace: Process 20257 detached
<detached ...>

Impact: production servers are not provisioning

The use of 'DEBCONF_DEBUG='.*'' can be helpful here for debugging purpose.
Simply need to set and export.

And this link:
https://wiki.debian.org/MaintainerScripts

Following the appropriate workflow to understand what it is doing under the hood.

As a debug exercise, one ca also add 'set -xv' in the clamav-daemon maintainer scripts to possibly isolate what is causing the loop in combination with the DEBCONF_DEBUG set.

I actually took a few seconds to reproduce it inside a Xenial container and we can clearly see the loop in action:

......
debconf (db configdb): trying to getfield(clamav-daemon/LogRotate type) ..
debconf (db passwords): cache miss on clamav-daemon/LogRotate
debconf (db configdb): trying to getfield(clamav-daemon/LogRotate template) ..
debconf (db configdb): getfield done by config
debconf (db configdb): trying to getfield(clamav-daemon/LogRotate template) ..
debconf (db configdb): getfield done by config
debconf (db configdb): trying to getfield(clamav-daemon/LogRotate type) ..
debconf (db passwords): cache miss on clamav-daemon/LogRotate
debconf (db configdb): trying to getfield(clamav-daemon/LogRotate template) ..
debconf (db configdb): getfield done by config
debconf (db configdb): trying to getfield(clamav-daemon/LogRotate template) ..
debconf (db configdb): getfield done by config
debconf (developer): --> 30 question skipped
debconf (developer): <-- GO
debconf (db configdb): trying to getfield(clamav-daemon/LogRotate value) ..
debconf (db configdb): getfield done by config
debconf (db configdb): trying to getfield(clamav-daemon/LogRotate value) ..
debconf (db configdb): getfield done by config
debconf (db configdb): trying to setfield(clamav-daemon/LogRotate value true) ..
debconf (db configdb): passing to config ..
debconf (developer): --> 0 ok
debconf (developer): <-- INPUT low clamav-daemon/LogFile
debconf (db configdb): trying to getfield(clamav-daemon/LogFile type) ..
debconf (db passwords): cache miss on clamav-daemon/LogFile
debconf (db configdb): trying to getfield(clamav-daemon/LogFile template) ..
debconf (db configdb): getfield done by config
debconf (db configdb): trying to getfield(clamav-daemon/LogFile template) ..
debconf (db configdb): getfield done by config
debconf (db configdb): trying to getfield(clamav-daemon/LogFile type) ..
debconf (db passwords): cache miss on clamav-daemon/LogFile
debconf (db configdb): trying to getfield(clamav-daemon/LogFile template) ..
debconf (db configdb): getfield done by config
debconf (db configdb): trying to getfield(clamav-daemon/LogFile template) ..
debconf (db configdb): getfield done by config
debconf (developer): --> 30 question skipped
debconf (developer): <-- GO
debconf (db configdb): trying to getfield(clamav-daemon/LogFile value) ..
debconf (db configdb): getfield done by config
debconf (db configdb): trying to getfield(clamav-daemon/LogFile value) ..
debconf (db configdb): getfield done by config
debconf (db configdb): trying to setfield(clamav-daemon/LogFile value /var/log/clamav/clamav.log) ..
debconf (db configdb): passing to config ..
debconf (developer): --> 0 ok
debconf (developer): <-- METAGET clamav-daemon/LogFile value
debconf (db configdb): trying t...

btw, I've been able to reproduce it with focal/20.04LTS which is for now still an active development release.

That doesn't seems to be a resolved issue in later version.

Looking into salsa git report, it seems to have a fix in Debian upstream

$ git show 089b6136
commit 089b6136e95dd34b3ac8a4d0753bffb48c48ebdb (HEAD -> unstable, tag: debian-0.102.1+dfsg-3, origin/unstable, origin/HEAD)
Author: Scott Kitterman <email address hidden>
Date: Fri Jan 31 16:54:06 2020 -0500

    clamav-daemon: Correct error from ScanOnAccess option removal so that setting LogFile options via DebConf works again (Closes: #950296) (LP: #1861497)

diff --git a/debian/changelog b/debian/changelog
index ccf1bf3f..dbdbc2ab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,12 @@
-clamav (0.102.1+dfsg-3) UNRELEASED; urgency=medium
+clamav (0.102.1+dfsg-3) unstable; urgency=medium

   * clamav-daemon: Do not cause an error on start if /run/clamav already
     exists
+ * clamav-daemon: Correct error from ScanOnAccess option removal so that
+ setting LogFile options via DebConf works again (Closes: #950296)
+ (LP: #1861497)

- -- Scott Kitterman <email address hidden> Fri, 03 Jan 2020 17:52:11 -0500
+ -- Scott Kitterman <email address hidden> Fri, 31 Jan 2020 16:49:37 -0500

 clamav (0.102.1+dfsg-2) unstable; urgency=medium

diff --git a/debian/clamav-daemon.config.in b/debian/clamav-daemon.config.in
index 131336ca..37ee4157 100644
--- a/debian/clamav-daemon.config.in
+++ b/debian/clamav-daemon.config.in
@@ -323,10 +323,10 @@ while [ "$STATE" != "End" ]; do
     StateLogFile
     ;;
     "LogTime")
- StateGeneric low clamav-daemon/LogTime LogRotate LogFile
+ StateGeneric low clamav-daemon/LogTime LogRotate
     ;;
     "LogRotate")
- StateGeneric low clamav-daemon/LogRotate LogFile
+ StateGeneric low clamav-daemon/LogRotate SelfCheck
     ;;
     "OnAccessMaxFileSize")
     StateGeneric low clamav-daemon/OnAccessMaxFileSize AllowAllMatchScan

$ git describe --contains 089b6136
debian-0.102.1+dfsg-3

Can't reproduce with version mentioned in comment #10 using Debian sid.

....
debconf (developer): --> 0
debconf (developer): <-- STOP
debconf (db config): saving database
debconf (db passwords): no database changes, not saving
debconf (db templatedb): saving database

I'll backport the fix into Ubuntu.

I have just uploaded the fix in focal for the new package to start building.
Once the package is found in -release, I'll start the SRU to fix the stable release.

Stay tuned.

- Eric

This bug was fixed in the package clamav - 0.102.1+dfsg-2ubuntu2

---------------
clamav (0.102.1+dfsg-2ubuntu2) focal; urgency=medium

  * d/clamav-daemon.config.in: Correct error from ScanOnAccess option
    removal so that setting LogFile options via DebConf works again.
    (Closes: #950296) (LP: #1860217)

 -- Eric Desrochers <email address hidden> Thu, 06 Feb 2020 13:56:53 +0000

Uploaded in E/B/X.

It is now waiting for the SRU team to approve the build in -proposed.

- Eric

The debdiff is basically impossible to review without further context due to the use of magic strings as argument names and no way to tell they're the right magic strings without tracing the code.

I think a regression test for this SRU should include verifying not only that the infinite loop is fixed, but that all of the debconf prompts that are supposed to be there are actually reachable.

vorlon's comment has been answered in the 'Regression Potential' section of the SRU template.

Hello Konrad, or anyone else affected,

Accepted clamav into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/clamav/0.102.1+dfsg-0ubuntu0.19.10.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Konrad, or anyone else affected,

Accepted clamav into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/clamav/0.102.1+dfsg-0ubuntu0.18.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Konrad, or anyone else affected,

Accepted clamav into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/clamav/0.102.1+dfsg-0ubuntu0.16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

All autopkgtests for the newly accepted clamav (0.102.1+dfsg-0ubuntu0.19.10.3) for eoan have finished running.
The following regressions have been reported in tests triggered by the package:

pg-snakeoil/1.1-1build1 (arm64, armhf, ppc64el, amd64, i386, s390x)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/eoan/update_excuses.html#clamav

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

[XENIAL VERIFICATION]

No more loop detected.

All of the debconf prompts that are supposed to be there are actually reachable, including the one modified by this SRU "LogTime"[0] and "LogRotate"[1].

[0]- Do you want to log time information with each message?
[1]- Do you want to enable log rotation?

# dpkg -l | grep -i clamav
ii clamav 0.102.1+dfsg-0ubuntu0.16.04.3 amd64 anti-virus utility for Unix - command-line interface
ii clamav-base 0.102.1+dfsg-0ubuntu0.16.04.3 all anti-virus utility for Unix - base package
ii clamav-daemon 0.102.1+dfsg-0ubuntu0.16.04.3 amd64 anti-virus utility for Unix - scanner daemon
ii clamav-freshclam 0.102.1+dfsg-0ubuntu0.16.04.3 amd64 anti-virus utility for Unix - virus database update utility
ii libclamav9 0.102.1+dfsg-0ubuntu0.16.04.3 amd64 anti-virus utility for Unix - library

# egrep "LogRotate|LogTime" /etc/clamav/clamd.conf
LogRotate true
LogTime true

# dpkg-reconfigure clamav-daemon

Replacing config file /etc/clamav/clamd.conf with new version

# egrep "LogRotate|LogTime" /etc/clamav/clamd.conf
LogRotate false
LogTime false

[BIONIC VERIFICATION]

No more loop detected.

All of the debconf prompts that are supposed to be there are actually reachable, including the one modified by this SRU "LogTime"[0] and "LogRotate"[1].

[0]- Do you want to log time information with each message?
[1]- Do you want to enable log rotation?

# dpkg -l | grep -i clamav
ii clamav 0.102.1+dfsg-0ubuntu0.18.04.3 amd64 anti-virus utility for Unix - command-line interface
ii clamav-base 0.102.1+dfsg-0ubuntu0.18.04.3 all anti-virus utility for Unix - base package
ii clamav-daemon 0.102.1+dfsg-0ubuntu0.18.04.3 amd64 anti-virus utility for Unix - scanner daemon
ii clamav-freshclam 0.102.1+dfsg-0ubuntu0.18.04.3 amd64 anti-virus utility for Unix - virus database update utility
ii libclamav9:amd64 0.102.1+dfsg-0ubuntu0.18.04.3 amd64 anti-virus utility for Unix - library

# egrep "LogRotate|LogTime" /etc/clamav/clamd.conf
LogRotate true
LogTime true

# dpkg-reconfigure clamav-daemon

Replacing config file /etc/clamav/clamd.conf with new version

# egrep "LogRotate|LogTime" /etc/clamav/clamd.conf
LogRotate false
LogTime false

[EOAN VERIFICATION]

No more loop detected.

All of the debconf prompts that are supposed to be there are actually reachable, including the one modified by this SRU "LogTime"[0] and "LogRotate"[1].

[0]- Do you want to log time information with each message?
[1]- Do you want to enable log rotation?

# dpkg -l | grep -i clamav
ii clamav 0.102.1+dfsg-0ubuntu0.19.10.3 amd64 anti-virus utility for Unix - command-line interface
ii clamav-base 0.102.1+dfsg-0ubuntu0.19.10.3 all anti-virus utility for Unix - base package
ii clamav-daemon 0.102.1+dfsg-0ubuntu0.19.10.3 amd64 anti-virus utility for Unix - scanner daemon
ii clamav-freshclam 0.102.1+dfsg-0ubuntu0.19.10.3 amd64 anti-virus utility for Unix - virus database update utility
ii libclamav9:amd64 0.102.1+dfsg-0ubuntu0.19.10.3 amd64 anti-virus utility for Unix - library

# egrep "LogRotate|LogTime" /etc/clamav/clamd.conf
LogRotate true
LogTime true

# dpkg-reconfigure clamav-daemon

Replacing config file /etc/clamav/clamd.conf with new version

# egrep "LogRotate|LogTime" /etc/clamav/clamd.conf
LogRotate false
LogTime false

With regards to the "pg_snakeoil" autopkgtest failures in Eoan.
It doesn't fails for any other release than Eoan (nothing reported in F/B/X)

Please note that it's the first time the test are run since the upstream version bump to fix CVE-2019-15961[0] has been introduced.

I don't think the current failures are related to the current SRU, but will try to investigate more in the next couple of days.

- Eric

[0] - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-15961.html

"pg-snakeoil" seems to have been first introduced starting disco, which explain why X and B doesn't get any failures even if at same clamav upstream version (0.102.1)

$ rmadison pg-snakeoil
 pg-snakeoil | 1.1-1 | disco/universe | source
 pg-snakeoil | 1.1-1build0.1 | disco-security/universe | source
 pg-snakeoil | 1.1-1build0.1 | disco-updates/universe | source
 pg-snakeoil | 1.1-1build1 | eoan/universe | source
 pg-snakeoil | 1.3-1 | focal/universe | source

Focal uses postgresql-12:

-------------------------------
/usr/lib/postgresql/12/lib/pgxs/src/makefiles/../../src/test/regress/pg_regress --inputdir=./ --bindir='/usr/lib/postgresql/12/bin' --dbname=contrib_regression pg_snakeoil
(using postmaster on localhost, port 5433)
============== dropping database "contrib_regression" ==============
NOTICE: database "contrib_regression" does not exist, skipping
DROP DATABASE
============== creating database "contrib_regression" ==============
CREATE DATABASE
ALTER DATABASE
============== running regression test queries ==============
test pg_snakeoil ... ok 239 ms
-------------------------------

As oppose to Eoan using postgresql-11:

-------------------------------
/usr/lib/postgresql/11/lib/pgxs/src/makefiles/../../src/test/regress/pg_regress --inputdir=./ --bindir='/usr/lib/postgresql/11/bin' --dbname=contrib_regression pg_snakeoil
(using postmaster on localhost, port 5433)
============== dropping database "contrib_regression" ==============
NOTICE: database "contrib_regression" does not exist, skipping
DROP DATABASE
============== creating database "contrib_regression" ==============
CREATE DATABASE
ALTER DATABASE
============== running regression test queries ==============
test pg_snakeoil ... FAILED
-------------------------------

I was trying to see the various status for the 16.04 fix and clicked released on accident.

A - I can't change it back to committed
B - Why does my user have permission to change it in the first place!

@cash.williams

no worries I revert it back to "Fix Committed"

autopkgtest have been test with both :
The current SRU'd package [clamav/0.102.1+dfsg-0ubuntu0.19.10.3]:
The current SRU'd package -1 [clamav/0.102.1+dfsg-0ubuntu0.19.10.2]:

https://autopkgtest.ubuntu.com/packages/pg-snakeoil/eoan/amd64

The same failures occurs in both, meaning the failure isn't introduce by this particular SRU.

It looks like a test output mismatch against the expected test output.

- Eric

This bug was fixed in the package clamav - 0.102.2+dfsg-0ubuntu0.16.04.1

---------------
clamav (0.102.2+dfsg-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * Updated to 0.102.2 to fix security issue (CVE-2020-3123)
    - debian/patches/*: synced patches with 0.102.2+dfsg-1.
    - debian/libclamav9.symbols: updated for new version.
    - debian/rules: bumped CL_FLEVEL to 113.

 -- Marc Deslauriers <email address hidden> Tue, 11 Feb 2020 08:45:45 -0500

This bug was fixed in the package clamav - 0.102.2+dfsg-0ubuntu0.18.04.1

---------------
clamav (0.102.2+dfsg-0ubuntu0.18.04.1) bionic-security; urgency=medium

  * Updated to 0.102.2 to fix security issue (CVE-2020-3123)
    - debian/patches/*: synced patches with 0.102.2+dfsg-1.
    - debian/libclamav9.symbols: updated for new version.
    - debian/rules: bumped CL_FLEVEL to 113.

 -- Marc Deslauriers <email address hidden> Tue, 11 Feb 2020 08:45:45 -0500

This bug was fixed in the package clamav - 0.102.2+dfsg-0ubuntu0.19.10.1

---------------
clamav (0.102.2+dfsg-0ubuntu0.19.10.1) eoan-security; urgency=medium

  * Updated to 0.102.2 to fix security issue (CVE-2020-3123)
    - debian/patches/*: synced patches with 0.102.2+dfsg-1.
    - debian/libclamav9.symbols: updated for new version.
    - debian/rules: bumped CL_FLEVEL to 113.

 -- Marc Deslauriers <email address hidden> Tue, 11 Feb 2020 08:45:45 -0500