Accepting request 23409 from security

Copy from security/clamav based on submit request 23409 from user rmax OBS-URL: https://build.opensuse.org/request/show/23409 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/clamav?expand=0&rev=25
2009-10-30 15:51:31 +00:00 · 2009-10-30 15:51:31 +00:00 · 04aa83f446
commit 04aa83f446
parent 4628dea47d
5 changed files with 20 additions and 365 deletions
--- a/clamav-0.95.2.tar.bz2
+++ b/clamav-0.95.2.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0466f1f65a4a477dba387bdc64736a00167ebcc64f87f5901c9c62959707c90e
-size 24979140
--- a/clamav-0.95.3.tar.bz2
+++ b/clamav-0.95.3.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2c089f2ea6debb74cc6eefca1e96c77ba23f94e5f3e7ad6b7940ede3fc17e489
+size 26756338
--- a/clamav-valgrind.patch
+++ b/clamav-valgrind.patch
@ -1,15 +0,0 @@
--- unit_tests/valgrind.supp
-+++ unit_tests/valgrind.supp
-@@ -335,6 +335,12 @@
-     Helgrind:Race
-     fun:recvloop_th
- }
-+{
-+   glibc-iconv_open
-+   Memcheck:Addr4
-+   obj:/lib*/ld-2.8.90.so
-+}
-+
- #{
- #	helgrind-glibc27-dbg18
- #	Helgrind:Race
--- a/clamav.changes
+++ b/clamav.changes
@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Thu Oct 29 11:32:57 CET 2009 - max@suse.de
+
+- Bugfix release 0.95.3 (bnc#550929)
+- Changes include:
+  * Fix various error path leaks.
+  * Drop hardcoded offset limits for embedded objects.
+  * Fix matching of logical sigs.
+  * Fix handling of broken .ldb sigs.
+  * Improve handling of PDF files.
+  * Work around possible race condition during db updates.
+  * Fix detection of encrypted zip files embedded into other files.
+  * Properly handle clamd disconnection in clamav-milter.
+
 -------------------------------------------------------------------
 Wed Jun 17 12:27:48 CEST 2009 - max@suse.de

--- a/clamav.spec
+++ b/clamav.spec
@ -1,5 +1,5 @@
 #
-# spec file for package clamav (Version 0.95.2)
+# spec file for package clamav (Version 0.95.3)
 #
 # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@ -30,7 +30,7 @@ BuildRequires:  check-devel pwdutils
 %define clamav_check --disable-check
 %endif
 Summary:        Antivirus Toolkit
-Version:        0.95.2
+Version:        0.95.3
 Release:        1
 License:        GPL v2 only
 Group:          Productivity/Security
@ -48,7 +48,6 @@ Source4:        clamav-rpmlintrc
 Source5:        clamav-rcmilter
 Patch1:         clamav-conf.patch
 Patch2:         clamav-sles9.patch
-Patch3:         clamav-valgrind.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -97,7 +96,7 @@ Authors:
    Nigel Horne

 %package db
-License:        BSD 3-Clause; GPL v2 or later; LGPL v2.1 or later; Public Domain, Freeware; X11/MIT
+License:        BSD 3-clause (or similar) ; GPL v2 or later ; LGPL v2.1 or later ;  Public Domain, Freeware ; MIT License (or similar)
 Group:          Productivity/Security
 Summary:        Virus Database for ClamAV
 PreReq:         clamav sed /bin/cp /usr/bin/awk /bin/rm
@ -121,7 +120,6 @@ Authors:
 # SLES9's libmilter doesn't have smfi_insheader()
 %patch2
 %endif
-%patch3

 %build
 %if 0%{?suse_version} >= 1010
@ -294,345 +292,3 @@ for f in main daily; do
 done

 %changelog
-* Wed Jun 17 2009 max@suse.de
- clamav-sles9.patch: smfi_insheader() doesn't exist in libmilter
-  on SLES9, so we revert a recent change that introduced its
-  usage to improve the handling of DomainKeys Identified Mail.
-* Mon Jun 15 2009 max@suse.de
- Security release: 0.95.2 (bnc#511963).
-* Tue Apr 14 2009 max@suse.de
- Security release: 0.95.1 (bnc#493562)
-* Mon Apr 06 2009 max@suse.de
- Version 0.95 also fixes two security issues:
-  bnc#491935 and bnc#491938.
- Removed unneeded tcpd build dependency.
- Removed obsolete configure switches.
- ncurses-devel is needed for building clamtop.
- Patched clamav-milter up to the latest upstream version to fix
-  the non-detection of virus code outside of attachments.
-  (bnc#445137)
- Improved rcclamd to print a more instructive message when the
-  virus database files are missing.
-* Tue Mar 24 2009 max@suse.de
- New version 0.95 (bnc#488317):
-  * clamav-milter got rewritten. Standalone mode got dropped and
-  using multiple instances of clamd in parallel got added for
-  load sharing and fail-safety. The command lin
-  * Changes to the libclamav API will make future changes less
-  likely, but require adjustment of applications linking to
-  libclamav.
-  * Numerous other bug fixes and improvements.
-  * libGMP is no longer needed.
- Drop support for versions older than 9.1/SLES9.
- Improve init script of clamav-milter (bnc#445137).
-* Mon Dec 01 2008 max@suse.de
- New version 0.94.2 fixes recursion limits in JPEG scanning code
-  (bnc#450207).
-* Tue Nov 11 2008 max@suse.de
- Version 0.94.1 also fixes bnc#443311.
- Disabled valgrind tests again, as they show false positives with
-  current glibc.
-* Fri Nov 07 2008 max@suse.de
- New bugfix release: 0.94.1:
-  * daily.ign was overwriting local.ign
-  * vba_extract.c: get_unicode_name off-by-one
-  * Don't execute special events twice in interactive mode
-  * Fix leak on rare error path in clamd/scanner.c.
-  * Fix URL parsing in phishing checks.
-  * Improve the javascript scanner.
-  * Fixes to bzip2 uncompression.
-  * Properly close descriptors before forking in clamav-milter.
-  * enable ScanPDF by default
-  * Testsuite improvements
-  * Many more minor bug fixes.
- Fix pid file format of clamav-milter.
- Improve clamav-milter configuration and init script (bnc#347684).
- Suppressing valgrind error on iconv_open.
-* Mon Sep 29 2008 max@suse.de
- Limit valgrind to i586 and x86_64.
-* Wed Sep 03 2008 max@suse.de
- Added check-devel and valgrind to BuildRequires for 10.3 and
-  newer to support the new unit testing feature. This does not
-  add new runtime dependencies.
- New version: 0.94:
-  * fix out-of-memory null dereferenc (bb#1141)
-  * fix possible invalid memory access (bb#1089)
-  * fix error path memleaks and fd leaks (bb#1141)
-  * Logical Signatures: The logical signature technology uses
-  operators such as AND, OR and NOT to allow the combination
-  of more than one signature into one entry in the signature
-  database resulting in more detailed and flexible pattern
-  matching.
-  * Anti-phishing Technology: Users can now change the priority
-  and reporting of ClamAV's heuristic anti-phishing scanner
-  within the detection engine process.
-  * Disassembly Engine: The initial version of the disassembly
-  engine improves ClamAV's detection abilities.
-  * PUA Detection: Users can now decide which PUA signatures
-  should be loaded
-  * Data Loss Prevention (DLP): This version includes a new
-  module that, when enabled, scans data for the inclusion of
-  US formated Social Security Numbers and credit card numbers.
-  * IPv6 Support: Freshclam now supports IPv6
-  * Improved Scanning of Scripts: The normalization of scripts
-  now covers JavaScript
-  * Improved QA and Unit Testing: The improved QA process now
-  includes API testing and new library of test files in
-  various formats that are tested on a wide variety of systems.
-* Tue Jul 08 2008 max@suse.de
- New version 0.93.3 (bnc#406994):
-  * make sigtool compatible with the new OLE2 scan scheme (bb#1086)
-  * add missing checks for recv() failures (bb#1079)
-  * add missing check for file open failure (bb #1083).
-  * fix handling of nodes which also match single bytes (bb#1054)
-  * libclamav: faster loading of uncompressed .cld files, also
-  fixes bb#1064
-  * freshclam/manager.c: add missing closesocket on error path
-  (bb #1073).
-* Mon Jun 16 2008 max@suse.de
- Security update 0.93.1 (bnc#399302, CVE-2008-2713)
- Improved clamav-milter configuration and init script (bnc#382907)
-* Fri Apr 18 2008 max@suse.de
- Convert the database to the new format instead of running
-  freshclam to re-fetch it (bnc#380787).
- Added main.cld and daily.cld as %%ghost
- Refined the logic in %%post of clamav-db as to when the dist
-  files need to get copied over.
-* Tue Apr 15 2008 max@suse.de
- Security update 0.93 (bnc#350987, bnc#368963).
- CVE-2007-6595: symlink attack on temporary files
- CVE-2007-6596: recognize Base64 UUEncoded archives
- CVE-2008-1100: Buffer overflow in the cli_scanpe function.
- Remove bogus dependencies from libclamav.pc (bnc#196236)
- Run freshclam on update before restarting clamd to convert the
-  database into the new format.
-* Wed Feb 13 2008 max@suse.de
- Security update 0.92.1: (bnc#361374)
-  * CVE-2008-0318: libclamav PE File Integer Overflow Vulnerability
-  * CVE-2008-0728: heap corruption
-* Tue Jan 15 2008 aj@suse.de
- Fix open call to build again.
-* Fri Dec 14 2007 max@suse.de
- Security update 0.92 (#343277):
-  * CVE-2007-6335 - MEW PE File Integer Overflow
-  * CVE-2007-6336 - Off-by-one error in LZX_READ_HUFFSYM()
-  * CVE-2007-6337 - bzlib issue
- Make clamd error out if /dev/null can't be opened (#300019).
-* Mon Nov 05 2007 max@suse.de
- Added sendmail and sendmail-devel to BuildRequires.
- Enabled clamav-milter and added an init script for it.
-  (fate#302362)
-* Tue Aug 21 2007 max@suse.de
- Bugfix update 0.91.2.
- Fixes some NULL dereferences and variable initialisation problems
- Fix some rpmlint warnings in init scripts.
-* Thu Aug 09 2007 max@suse.de
- Inform the user that to use Clamuko, clamd needs to run as root,
-  so that it can read the files it needs to scan (#201730).
-* Tue Jul 17 2007 max@suse.de
- Stability and bugfix update: 0.91.1 (#292297)
- Run ldconfig on (un)installation.
- Make %%check conditional to fix building on SLES8.
-* Sun Jul 15 2007 lrupp@suse.de
- add zlib-devel to build requires
- suppress some false positives from rpmlint
- added %%check section and remove unneeded INSTALL file from %%doc
-* Wed Jul 11 2007 max@suse.de
- Update to version 0.91 (#289830)
- improved handling of .mdb files (fixes long startup times)
- Adds anti-phishing support
- unpacker for NSIS (Nullsoft Scriptable Install System)
-  self-extracting archives
- unpacker for ASPack 2.12
- new implementation of the Aho-Corasick pattern matcher providing
-  better detection for wildcard enabled signatures
- support for nibble matching and floating offsets
- extraction of PE files embedded into other executables
- better handling of PE & UPX
- removed dependency on libcurl (improves stability)
- many other improvements and bugfixes
-* Thu May 31 2007 max@suse.de
- Security update: 0.90.3 (#279536)
- libclamav/unsp.c: fix end of buffer calculation (bb#464)
- libclamav/others.c: use strict permissions (0600) for temporary files
-  created in cli_gentempstream() (bb#517).
- libclamav/unrar/unrar.c: heap corruption causing DoS with corrupted
-  rar archive, better handle truncated files
- libclamav/phishcheck.c: isURL() regex execution hangs on Solaris
- libclamav/ole2_extract.c: detect block list loop (bb#466)
-* Fri Apr 13 2007 max@suse.de
- Security update: 0.90.2 (#264189)
- CVE-2007-1997: CAB File Unstore Buffer Overflow Vulnerability
- CVE-2007-1745: file descriptor leak in CHM handler
- File descriptor leaks in libclamav/pdf.c and libclamav/lockdb.c
-* Mon Mar 05 2007 max@suse.de
- Extended the database presence check in rcclamd to accept the
-  main.inc directory in addition to the main.cvd file, because
-  freshclam can delete the file during a scripted update.
-* Fri Mar 02 2007 max@suse.de
- Update to version 0.90.1 (#250566)
- Some bug fixes and code improvements
- Bumps the version of libclamav's soname, which should have been
-  done in 0.90 already.
-* Tue Feb 20 2007 max@suse.de
- Update to version 0.90 (#246214) to fix two Vulnerabilities:
-  - CAB File Denial of Service (CVE-2007-0897)
-  - MIME Parsing Directory Traversal (CVE-2007-0898)
- Other changes of 0.90 include:
-  - Changed config file syntax (automatic conversion is done by the
-  RPM on update)
-  - New unpacker for RAR3, RAR2 and RAR1
-  - Rewritten unpackers for Zip and CAB files
-  - Support for RAR-SFX, Zip-SFX and CAB-SFX archives
-  - New PE parsing model
-  - Support for PE32+ (64-bit) executables
-  - Support for MD5 signatures based on PE sections (.mdb)
-  - ELF file parser
-  - Support for Sensory Networks' NodalCore hardware acceleration
-  technology
-  - Algorithmic detection can be controlled with CL_SCAN_ALGORITHMIC
-  - Support for new obfuscators: SUE, Y0da Cryptor, CryptFF
-  - Support for new packers: NsPack, wwpack32, MEW, Upack
-  - Support for SIS files (SymbianOS packages)
-  - Support for PDF and RTF files
-  - TCP and local sockets can be operated simultaneously
-  - New command: MULTISCAN (scan directory with multiple threads)
- There where also some API/ABI changes which might affect packages
-  that link against libclamav. Affected functions are: cl_loaddb,
-  cl_loaddir and cl_scanbuff.
- Cleaned up daemonizing of clamd and freshclam.
-* Tue Dec 12 2006 max@suse.de
- Security update: 0.88.7 (#227827, CVE-2006-5874)
-  - handle consecutive errors in base64 decoding
-  - honour recursion limit when scanning email messages
-  - clamscan: new option --mail-max-recursion
-  - libclamav/untar.c: honour archive limits
-* Tue Nov 07 2006 max@suse.de
- Add homedir of user vscan to the package (FATE300731).
-* Mon Nov 06 2006 max@suse.de
- Bugfix release: 0.88.6 (#218313)
- freshclam: apply timeout patch from Everton da Silva Marques
-  (new options: ConnectTimeout and ReceiveTimeout)
- clamd: change stack size at the right place (closes bug#103)
- libclamav/petite.c: sanity check the number of rebuilt sections
-  (speeds up handling of malformed files)
-* Tue Oct 17 2006 max@suse.de
- Bugfix release 0.88.5 fixes two serious security issues.
-  [#212898], CVE-2006-4182, CVE-2006-5295
-* Tue Aug 08 2006 lnussel@suse.de
- New version 0.88.4 fixes heap overflow in UPX decoder
-* Thu Jul 06 2006 max@suse.de
- Bugfix release 0.88.3:
-  - fix possible false matches of alternatives
-  - Large binhex files were not being handled gracefully.
-  - fix zero allocation warning
- Added bc and pkgconfig to BuildRequires to fix curl version
-  detection.
- Prevent a file conflict on the database files when main and db
-  packages of different versions are installed.
- Renamed clamav.conf to clamd.conf for SLES9.
- Added the db subpackage to SLES9.
- Bugzilla: 190647
-* Tue May 02 2006 max@suse.de
- New version: 0.88.2
- Fixes a buffer overflow in freshclam's get_database function
-  (CVE-2006-1989, Bug #171496).
-* Mon Apr 10 2006 meissner@suse.de
- Fixed several implicit warnings which lead to failures
-  on 64bit platforms.
-* Wed Apr 05 2006 max@suse.de
- New version: 0.88.1, fixes several security issues:
-  CVE-2006-1614, CVE-2006-1615, CVE-2006-1630, bug #164039.
-* Thu Feb 09 2006 max@suse.de
- Removed unneeded dependencies from the init script to break a
-  dependency loop.
-* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
-* Sat Jan 14 2006 kukuk@suse.de
- Add gmp-devel to nfb
-* Thu Jan 12 2006 max@suse.de
- Added gcc-4.1 stack protection (-fstack-protector).
-* Mon Jan 09 2006 max@suse.de
- New version: 0.88 (Bug #142298).
-* Mon Nov 07 2005 lnussel@suse.de
- Security update: version 0.87.1 (#132305, CVE-2005-3239,
-  CVE-2005-3303)
-* Mon Sep 19 2005 max@suse.de
- New version: 0.87 (bug #117648).
-* Mon Jul 25 2005 max@suse.de
- New version: 0.86.2
-* Thu Jul 14 2005 max@suse.de
- New version: 0.86.1
-* Tue Jun 21 2005 max@suse.de
- New version: 0.86
-* Tue May 17 2005 max@suse.de
- New version: 0.85.1 (Bug #81264).
-* Wed May 11 2005 max@suse.de
- New version: 0.85 (Bug #81264).
-* Tue May 03 2005 max@suse.de
- New version: 0.84 (Bug #81264).
- Added and special-cased the patch that is needed for 9.1/SLES9.
-* Fri Mar 11 2005 max@suse.de
- Fixed %%doc file list (wildcards matched too much).
-* Mon Feb 28 2005 max@suse.de
- New version: 0.83
-* Mon Feb 07 2005 max@suse.de
- New version: 0.82
-* Thu Jan 27 2005 max@suse.de
- New version: 0.81
-* Thu Nov 11 2004 max@suse.de
- pkgconfig files go to libdir rather than /usr/lib.
-* Thu Nov 11 2004 coolo@suse.de
- fixing file list for debug packages
-* Wed Nov 03 2004 max@suse.de
- Fixed path to freshclam in init script, and rcfreshclam link.
-* Mon Oct 18 2004 max@suse.de
- Updated to the final 0.80 release.
- Added a runlevel script for freshclam.
-* Mon Oct 11 2004 max@suse.de
- Updated to 0.80rc4.
-* Wed Sep 29 2004 max@suse.de
- Updated to 0.80rc3. The README says:
-  "This release candidate eliminates possible false positive alerts
-  in UPX/FSG compressed files and clarifies behaviour of default
-  actions in clamd and freshclam."
- This also eliminates the need to patch configure.in in order to
-  recognize resolv.
-* Thu Sep 23 2004 max@suse.de
- Updated to 0.80rc2 which fixes a critical bug in the handling of
-  empty lines in text/plain emails.
- Build with curl support.
- Fixed building of shared libraries instead of static.
- Removed unneeded %%run_ldconfig calls.
- Fixed file lists.
- Check for main.cvd instead of daily.cvd on daemon startup.
-* Mon Sep 20 2004 max@suse.de
- Updated to version 0.80rc which adds support for more file
-  formats, and HTML parsing. See the README file for details.
- Added a warning to the init script if no virus database is
-  installed.
-* Thu Aug 05 2004 max@suse.de
- New version: 0.75.1
- Moved the virus database files into a subpackage, as they are
-  large and not needed if the database is kept up to date with
-  freshclam.
-* Fri Jul 23 2004 max@suse.de
- New version: 0.75
-* Thu Jul 08 2004 max@suse.de
- Added -fno-strict-aliasing to CFLAGS.
-* Mon Jul 05 2004 max@suse.de
- New version: 0.74
-* Tue Jun 15 2004 max@suse.de
- New version: 0.73
-* Mon Apr 26 2004 max@suse.de
- New version: 0.70
- Changes the format of the virus definition file.
-* Mon Feb 16 2004 max@suse.de
- New version: 0.67
- Added support for tcpd (/etc/hosts.{allow,deny}).
- Obsoletes clamav-manager.patch.
-* Fri Feb 13 2004 max@suse.de
- New version: 0.66
- Fixes a remote DoS vulnerability (Bug #34412).
-* Tue Jan 27 2004 max@suse.de
- New package: ClamAV Anti-Virus Toolkit