Clamav 0.97.5 CL_EFORMAT: Bad format or broken data ERROR

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

I've seen a few entries similar to the one below in the logs after updating to 0.97.5 the other day:

Code:

/var/spool/qscan/tmp/hostname.tld134010592679830512/image001.png: CL_EFORMAT: Bad format or broken data ERROR

Google shows a couple of recent posts on the subject in some clamav mailing lists but no actual info on the cause or what do so about it - if anything.

I don't suppose anyone here has any suggestions?

scott · **Posted:** Tue Jun 19, 2012 9:08 am

Have you tried turning it off and on again?!

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

Is it meant to be plugged in when I do that? And what's with the drinks tray on this thing? Why do I need one on a server?

On the off-chance that you meant restart clamd...makes no difference.

Looking in more detail the log entries are all being triggered by a particular (legit) email containing this particular PNG. It isn't PNGs in general as I've tried sending tests with PNG attachments and all is well with those.

mikeshinn · **Posted:** Tue Jun 19, 2012 1:54 pm

Does scanning the png from the filesystem generate this error? If so, can you send an strace (you may need to install the debug symbols btw)?

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

That might be hard. It will be in a mime-encoded part of an incoming email which is being rejected by qmail-scanner.

I seem to remember someone telling me that a copy is stored somewhere even though I had thought they would not be. Can someone point me in the right direction please?

mikeshinn · **Posted:** Tue Jun 19, 2012 7:10 pm

You could extract it from the email if you still have it, mimedecode or one of the other command line tools will do it.

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

Well unfortunately I don't have the email - I can't see a way of obtaining it either :-(

I'm hoping that the other people also seeing this issue will have a bit more luck in being able to provide better debug data.

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

One of the threads about this says that the following test file also triggers the same issue:

/usr/src/clamav-0.97.5/test/.split/split.clam_IScab_int.exeaa

mikeshinn · **Posted:** Wed Jun 20, 2012 10:43 am

Its a bug in clamav. Being worked on, should have an update soon.

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

Interesting. Thanks for the update.

EDIT: Here's the link is anybody else is interested:
https://bugzilla.clamav.net/show_bug.cgi?id=5252

scott · **Posted:** Thu Jun 21, 2012 10:53 am

Backported into 0.95.5-7, try that out to see if it fixes it for you.

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

In progress....thanks.....

faris · **Joined:** Thu Dec 09, 2004 11:19 am **Posts:** 1846

Looking good. No error in almost an hour, which indicates all is well, I think. Thank you!

Clamav 0.97.5 CL_EFORMAT: Bad format or broken data ERROR

Who is online