Friday, December 21, 2018

Libclamav missing headers issue; Upcoming ClamAV 0.101.1 patch

Earlier this month we wrote to the ClamAV users and developers mailing lists to disclose an issue with ClamAV 0.101.0. To reach a larger audience, we are re-posting those details here.

Shortly after the 0.101.0 release was published, we discovered an issue in ClamAV 0.101.0 impacting software developers and software package maintainers that integrate libclamav into other products on Unix/Linux systems. This issue causes an error when a user attempts to compile against a system-installed libclamav. 

We have a fix staged and nearly ready to be published. The fix will be published shortly after the start of 2019 in the ClamAV 0.101.1 patch release. This delay is necessary in order to fully test the fix and complete the due diligence required when creating a new build, accounting for delays that the holiday season brings. We apologize for the inconvenience.

Here are some additional details about this patch:
  • ClamAV uses a lot of mixed integer variable types internally. The preferred types are standard int types (eg int8_t, uint64_t, size_t, ptrdiff_t, etc).
  • As an ongoing effort to make variable types more consistent throughout the code base, we made the mistake of including the `cltypes.h` header file in `clamav.h`, which is not only used internally, but defines the public libclamav API. Because neither the `cltypes.h` header, nor the supporting `clamav-config.h` header are provided when installing libclamav to a system, applications built with a system-installed libclamav from version 0.101.0 will fail to compile.
  • To resolve the issue, we will be replacing `cltypes.h` with a new `clamav-types.h` file that is generated when the user runs `./configure.` This will be installed alongside `clamav.h` when the user runs `make install.` This will ensure that `clamav.h` has access to the necessary integer types on all operating systems and architectures.
  • To mitigate similar issues in the future, we have added a test to our build-acceptance suite to test building an application against a system-installed libclamav library.