Accepting request 569976 from home:vitezslav_cizek:branches:security

- Update to security release 0.99.3 (bsc#1077732) * CVE-2017-12376 (ClamAV Buffer Overflow in handle_pdfname Vulnerability) * CVE-2017-12377 (ClamAV Mew Packet Heap Overflow Vulnerability) * CVE-2017-12379 (ClamAV Buffer Overflow in messageAddArgument Vulnerability) - these vulnerabilities could have allowed an unauthenticated, remote attacker to cause a denial of service (DoS) condition or potentially execute arbitrary code on an affected device. * CVE-2017-12374 (ClamAV use-after-free Vulnerabilities) * CVE-2017-12375 (ClamAV Buffer Overflow Vulnerability) * CVE-2017-12378 (ClamAV Buffer Over Read Vulnerability) * CVE-2017-12380 (ClamAV Null Dereference Vulnerability) - these vulnerabilities could have allowed an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. * CVE-2017-6420 (bsc#1052448) - this vulnerability allowed remote attackers to cause a denial of service (use-after-free) via a crafted PE file with WWPack compression. * CVE-2017-6419 (bsc#1052449) - ClamAV allowed remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted CHM file. * CVE-2017-11423 (bsc#1049423) - The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha allowed remote attackers to cause a denial of service (stack-based buffer over-read and application crash) via a crafted CAB file. * CVE-2017-6418 (bsc#1052466) - ClamAV 0.99.2 allowed remote attackers to cause a denial of service (out-of-bounds read) via a crafted e-mail message. - drop clamav-0.99.2-openssl-1.1.patch (upstream) OBS-URL: https://build.opensuse.org/request/show/569976 OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=151
2018-01-26 16:21:11 +00:00 · 2018-01-26 16:21:11 +00:00 · 06d9b1e3a6
commit 06d9b1e3a6
parent 0ec309c207
6 changed files with 50 additions and 57 deletions
--- a/clamav-0.99.2-openssl-1.1.patch
+++ b/clamav-0.99.2-openssl-1.1.patch
@ -1,33 +0,0 @@
 --- clamav-0.99.2/libclamav/crypto.c.omv~	2016-09-18 18:11:34.723085234 +0200
 +++ clamav-0.99.2/libclamav/crypto.c	2016-09-18 18:11:48.296898159 +0200
@@ -121,7 +121,7 @@ time_t timegm(struct tm *t)
 int cl_initialize_crypto(void)
 {
     SSL_load_error_strings();
 -    SSL_library_init();
 +    OPENSSL_init_ssl(0, NULL);
     OpenSSL_add_all_digests();
     OpenSSL_add_all_algorithms();
     OpenSSL_add_all_ciphers();
 --- clamav-0.99.2/m4/reorganization/libs/openssl.m4.omv~	2016-09-18 18:11:11.071411211 +0200
 +++ clamav-0.99.2/m4/reorganization/libs/openssl.m4	2016-09-18 18:11:22.872248566 +0200
@@ -41,7 +41,7 @@ fi
 have_ssl="no"
 have_crypto="no"
 -AC_CHECK_LIB([ssl], [SSL_library_init], [have_ssl="yes"], [AC_MSG_ERROR([Your OpenSSL installation is misconfigured or missing])], [-lcrypto -lz])
 +AC_CHECK_LIB([ssl], [OPENSSL_init_ssl], [have_ssl="yes"], [AC_MSG_ERROR([Your OpenSSL installation is misconfigured or missing])], [-lcrypto -lz])
 AC_CHECK_LIB([crypto], [EVP_EncryptInit], [have_crypto="yes"], [AC_MSG_ERROR([Your OpenSSL installation is misconfigured or missing])], [-lcrypto -lz])
 --- clamav-0.99.2/libclamav/crypto.c.omv~	2016-09-18 18:15:48.514588018 +0200
 +++ clamav-0.99.2/libclamav/crypto.c	2016-09-18 18:18:26.332413758 +0200
@@ -1110,7 +1110,7 @@ X509_CRL *cl_load_crl(const char *file)
     fclose(fp);
     if ((x)) {
 -        tm = cl_ASN1_GetTimeT(x->crl->nextUpdate);
 +        tm = cl_ASN1_GetTimeT(X509_CRL_get0_nextUpdate(x));
         if (!(tm)) {
             X509_CRL_free(x);
             return NULL;
--- a/clamav-0.99.2.tar.gz
+++ b/clamav-0.99.2.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:167bd6a13e05ece326b968fdb539b05c2ffcfef6018a274a10aeda85c2c0027a
 size 16067497
--- a/clamav-0.99.3.tar.gz
+++ b/clamav-0.99.3.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:00fa5292a6e00a3a4035b826267748965d5d2c4943d8ff417d740238263e8e84
 size 16082645
--- a/clamav-disable-timestamps.patch
+++ b/clamav-disable-timestamps.patch
@ -1,7 +1,7 @@
-Index: clamav-0.99.2/libclamav/tomsfastmath/misc/fp_ident.c
+Index: clamav-0.99.3/libclamav/tomsfastmath/misc/fp_ident.c
 ===================================================================
--- clamav-0.99.2.orig/libclamav/tomsfastmath/misc/fp_ident.c
+--- clamav-0.99.3.orig/libclamav/tomsfastmath/misc/fp_ident.c	2018-01-26 16:31:35.516009696 +0100
-+++ clamav-0.99.2/libclamav/tomsfastmath/misc/fp_ident.c
+++ clamav-0.99.3/libclamav/tomsfastmath/misc/fp_ident.c	2018-01-26 16:31:36.912029598 +0100
@@ -15,7 +15,11 @@ const char *fp_ident(void)
    memset(buf, 0, sizeof(buf));
@ -27,10 +27,10 @@ Index: clamav-0.99.2/libclamav/tomsfastmath/misc/fp_ident.c
    if (sizeof(fp_digit) == sizeof(fp_word)) {
       strncat(buf, "WARNING: sizeof(fp_digit) == sizeof(fp_word), this build is likely to not work properly.\n", 
-Index: clamav-0.99.2/configure
+Index: clamav-0.99.3/configure
 ===================================================================
--- clamav-0.99.2.orig/configure
+--- clamav-0.99.3.orig/configure	2018-01-26 16:31:35.532009924 +0100
-+++ clamav-0.99.2/configure
+++ clamav-0.99.3/configure	2018-01-26 16:32:20.112645407 +0100
@@ -783,6 +783,7 @@ FGREP
 SED
 LIBTOOL
@ -47,16 +47,16 @@ Index: clamav-0.99.2/configure
 enable_static
 enable_shared
 with_pic
-@@ -1592,6 +1594,8 @@ Optional Features:
+@@ -1591,6 +1593,8 @@ Optional Features:
-                           do not reject slow dependency extractors
+   --disable-dependency-tracking  speeds up one-time build
-   --disable-dependency-tracking
+   --enable-dependency-tracking   do not reject slow dependency extractors
-                           speeds up one-time build
+   --enable-static[=PKGS]  build static libraries [default=no]
 +  --enable-timestamps     Enable embedding timestamp information in build
 +                          (default is YES)
   --enable-static[=PKGS]  build static libraries [default=no]
   --enable-shared[=PKGS]  build shared libraries [default=yes]
   --enable-fast-install[=PKGS]
-@@ -5163,6 +5167,26 @@ $as_echo "$ac_cv_safe_to_define___extens
+                           optimize for fast installation [default=yes]
@@ -4967,6 +4971,26 @@ $as_echo "$ac_cv_safe_to_define___extens
   $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h
@ -82,4 +82,4 @@ Index: clamav-0.99.2/configure
 +_ACEOF
- VERSION="0.99.2"
+ VERSION="0.99.3"
--- a/clamav.changes
+++ b/clamav.changes
@ -1,3 +1,35 @@
 -------------------------------------------------------------------
 Fri Jan 26 15:19:33 UTC 2018 - vcizek@suse.com
 - Update to security release 0.99.3 (bsc#1077732)
  * CVE-2017-12376 (ClamAV Buffer Overflow in handle_pdfname Vulnerability)
  * CVE-2017-12377 (ClamAV Mew Packet Heap Overflow Vulnerability)
  * CVE-2017-12379 (ClamAV Buffer Overflow in messageAddArgument Vulnerability)
    - these vulnerabilities could have allowed an unauthenticated,
      remote attacker to cause a denial of service (DoS) condition
      or potentially execute arbitrary code on an affected device.
  * CVE-2017-12374 (ClamAV use-after-free Vulnerabilities)
  * CVE-2017-12375 (ClamAV Buffer Overflow Vulnerability)
  * CVE-2017-12378 (ClamAV Buffer Over Read Vulnerability)
  * CVE-2017-12380 (ClamAV Null Dereference Vulnerability)
    - these vulnerabilities could have allowed an unauthenticated,
      remote attacker to cause a denial of service (DoS) condition on an affected device.
  * CVE-2017-6420 (bsc#1052448)
    - this vulnerability allowed remote attackers to cause a denial of service
      (use-after-free) via a crafted PE file with WWPack compression.
  * CVE-2017-6419 (bsc#1052449)
    - ClamAV allowed remote attackers to cause a denial of service
      (heap-based buffer overflow and application crash) or possibly
      have unspecified other impact via a crafted CHM file.
  * CVE-2017-11423 (bsc#1049423)
    - The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha
      allowed remote attackers to cause a denial of service
      (stack-based buffer over-read and application crash) via a crafted CAB file.
  * CVE-2017-6418 (bsc#1052466)
    - ClamAV 0.99.2 allowed remote attackers to cause a denial
      of service (out-of-bounds read) via a crafted e-mail message.
 - drop clamav-0.99.2-openssl-1.1.patch (upstream)
 -------------------------------------------------------------------
 Tue Nov 28 08:30:04 UTC 2017 - meissner@suse.com
--- a/clamav.spec
+++ b/clamav.spec
@ -1,7 +1,7 @@
 #
 # spec file for package clamav
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -43,7 +43,7 @@ BuildRequires:  python-devel
 Summary:        Antivirus Toolkit
 License:        GPL-2.0
 Group:          Productivity/Security
-Version:        0.99.2
+Version:        0.99.3
 Release:        0
 Url:            http://www.clamav.net
 Obsoletes:      clamav-db < 0.88.3
@ -62,8 +62,6 @@ Patch1:         clamav-conf.patch
 Patch3:         clamav-gcc47.patch
 Patch4:         clamav-disable-timestamps.patch
 Patch5:         clamav-fix_newer_zlib.patch
 # https://raw.githubusercontent.com/patch-exchange/openssl-1.1-transition/master/clamav/clamav-0.99.2-openssl-1.1.patch
 Patch6:         clamav-0.99.2-openssl-1.1.patch
 BuildRequires:  systemd
 BuildRequires:  systemd-rpm-macros
 %systemd_requires
@ -104,10 +102,6 @@ that want to make use of libclamav.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 if pkg-config --atleast-version=1.1.0 libssl; then
 %patch6 -p1
 autoreconf -i -f
 fi
 %build
 CFLAGS="-fstack-protector"