Accepting request 569976 from home:vitezslav_cizek:branches:security

- Update to security release 0.99.3 (bsc#1077732)
  * CVE-2017-12376 (ClamAV Buffer Overflow in handle_pdfname Vulnerability)
  * CVE-2017-12377 (ClamAV Mew Packet Heap Overflow Vulnerability)
  * CVE-2017-12379 (ClamAV Buffer Overflow in messageAddArgument Vulnerability)
    - these vulnerabilities could have allowed an unauthenticated,
      remote attacker to cause a denial of service (DoS) condition
      or potentially execute arbitrary code on an affected device.
  * CVE-2017-12374 (ClamAV use-after-free Vulnerabilities)
  * CVE-2017-12375 (ClamAV Buffer Overflow Vulnerability)
  * CVE-2017-12378 (ClamAV Buffer Over Read Vulnerability)
  * CVE-2017-12380 (ClamAV Null Dereference Vulnerability)
    - these vulnerabilities could have allowed an unauthenticated,
      remote attacker to cause a denial of service (DoS) condition on an affected device.
  * CVE-2017-6420 (bsc#1052448)
    - this vulnerability allowed remote attackers to cause a denial of service
      (use-after-free) via a crafted PE file with WWPack compression.
  * CVE-2017-6419 (bsc#1052449)
    - ClamAV allowed remote attackers to cause a denial of service
      (heap-based buffer overflow and application crash) or possibly
      have unspecified other impact via a crafted CHM file.
  * CVE-2017-11423 (bsc#1049423)
    - The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha
      allowed remote attackers to cause a denial of service
      (stack-based buffer over-read and application crash) via a crafted CAB file.
  * CVE-2017-6418 (bsc#1052466)
    - ClamAV 0.99.2 allowed remote attackers to cause a denial
      of service (out-of-bounds read) via a crafted e-mail message.
- drop clamav-0.99.2-openssl-1.1.patch (upstream)

OBS-URL: https://build.opensuse.org/request/show/569976
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=151

clamav-0.99.2-openssl-1.1.patch

@@ -1,33 +0,0 @@
---- clamav-0.99.2/libclamav/crypto.c.omv~	2016-09-18 18:11:34.723085234 +0200
-+++ clamav-0.99.2/libclamav/crypto.c	2016-09-18 18:11:48.296898159 +0200
-@@ -121,7 +121,7 @@ time_t timegm(struct tm *t)
- int cl_initialize_crypto(void)
- {
-     SSL_load_error_strings();
--    SSL_library_init();
-+    OPENSSL_init_ssl(0, NULL);
-     OpenSSL_add_all_digests();
-     OpenSSL_add_all_algorithms();
-     OpenSSL_add_all_ciphers();
---- clamav-0.99.2/m4/reorganization/libs/openssl.m4.omv~	2016-09-18 18:11:11.071411211 +0200
-+++ clamav-0.99.2/m4/reorganization/libs/openssl.m4	2016-09-18 18:11:22.872248566 +0200
-@@ -41,7 +41,7 @@ fi
- have_ssl="no"
- have_crypto="no"
- 
--AC_CHECK_LIB([ssl], [SSL_library_init], [have_ssl="yes"], [AC_MSG_ERROR([Your OpenSSL installation is misconfigured or missing])], [-lcrypto -lz])
-+AC_CHECK_LIB([ssl], [OPENSSL_init_ssl], [have_ssl="yes"], [AC_MSG_ERROR([Your OpenSSL installation is misconfigured or missing])], [-lcrypto -lz])
- 
- AC_CHECK_LIB([crypto], [EVP_EncryptInit], [have_crypto="yes"], [AC_MSG_ERROR([Your OpenSSL installation is misconfigured or missing])], [-lcrypto -lz])
- 
---- clamav-0.99.2/libclamav/crypto.c.omv~	2016-09-18 18:15:48.514588018 +0200
-+++ clamav-0.99.2/libclamav/crypto.c	2016-09-18 18:18:26.332413758 +0200
-@@ -1110,7 +1110,7 @@ X509_CRL *cl_load_crl(const char *file)
-     fclose(fp);
- 
-     if ((x)) {
--        tm = cl_ASN1_GetTimeT(x->crl->nextUpdate);
-+        tm = cl_ASN1_GetTimeT(X509_CRL_get0_nextUpdate(x));
-         if (!(tm)) {
-             X509_CRL_free(x);
-             return NULL;

clamav-0.99.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:167bd6a13e05ece326b968fdb539b05c2ffcfef6018a274a10aeda85c2c0027a
-size 16067497

clamav-0.99.3.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:00fa5292a6e00a3a4035b826267748965d5d2c4943d8ff417d740238263e8e84
+size 16082645

clamav-disable-timestamps.patch

@@ -1,7 +1,7 @@
-Index: clamav-0.99.2/libclamav/tomsfastmath/misc/fp_ident.c
+Index: clamav-0.99.3/libclamav/tomsfastmath/misc/fp_ident.c
 ===================================================================
---- clamav-0.99.2.orig/libclamav/tomsfastmath/misc/fp_ident.c
-+++ clamav-0.99.2/libclamav/tomsfastmath/misc/fp_ident.c
+--- clamav-0.99.3.orig/libclamav/tomsfastmath/misc/fp_ident.c	2018-01-26 16:31:35.516009696 +0100
++++ clamav-0.99.3/libclamav/tomsfastmath/misc/fp_ident.c	2018-01-26 16:31:36.912029598 +0100
 @@ -15,7 +15,11 @@ const char *fp_ident(void)
  
     memset(buf, 0, sizeof(buf));
@@ -27,10 +27,10 @@ Index: clamav-0.99.2/libclamav/tomsfastmath/misc/fp_ident.c
  
     if (sizeof(fp_digit) == sizeof(fp_word)) {
        strncat(buf, "WARNING: sizeof(fp_digit) == sizeof(fp_word), this build is likely to not work properly.\n", 
-Index: clamav-0.99.2/configure
+Index: clamav-0.99.3/configure
 ===================================================================
---- clamav-0.99.2.orig/configure
-+++ clamav-0.99.2/configure
+--- clamav-0.99.3.orig/configure	2018-01-26 16:31:35.532009924 +0100
++++ clamav-0.99.3/configure	2018-01-26 16:32:20.112645407 +0100
 @@ -783,6 +783,7 @@ FGREP
  SED
  LIBTOOL
@@ -47,16 +47,16 @@ Index: clamav-0.99.2/configure
  enable_static
  enable_shared
  with_pic
-@@ -1592,6 +1594,8 @@ Optional Features:
-                           do not reject slow dependency extractors
-   --disable-dependency-tracking
-                           speeds up one-time build
+@@ -1591,6 +1593,8 @@ Optional Features:
+   --disable-dependency-tracking  speeds up one-time build
+   --enable-dependency-tracking   do not reject slow dependency extractors
+   --enable-static[=PKGS]  build static libraries [default=no]
 +  --enable-timestamps     Enable embedding timestamp information in build
 +                          (default is YES)
-   --enable-static[=PKGS]  build static libraries [default=no]
    --enable-shared[=PKGS]  build shared libraries [default=yes]
    --enable-fast-install[=PKGS]
-@@ -5163,6 +5167,26 @@ $as_echo "$ac_cv_safe_to_define___extens
+                           optimize for fast installation [default=yes]
+@@ -4967,6 +4971,26 @@ $as_echo "$ac_cv_safe_to_define___extens
  
    $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h
  
@@ -82,4 +82,4 @@ Index: clamav-0.99.2/configure
 +_ACEOF
  
  
- VERSION="0.99.2"
+ VERSION="0.99.3"

clamav.changes

@@ -1,3 +1,35 @@
+-------------------------------------------------------------------
+Fri Jan 26 15:19:33 UTC 2018 - vcizek@suse.com
+
+- Update to security release 0.99.3 (bsc#1077732)
+  * CVE-2017-12376 (ClamAV Buffer Overflow in handle_pdfname Vulnerability)
+  * CVE-2017-12377 (ClamAV Mew Packet Heap Overflow Vulnerability)
+  * CVE-2017-12379 (ClamAV Buffer Overflow in messageAddArgument Vulnerability)
+    - these vulnerabilities could have allowed an unauthenticated,
+      remote attacker to cause a denial of service (DoS) condition
+      or potentially execute arbitrary code on an affected device.
+  * CVE-2017-12374 (ClamAV use-after-free Vulnerabilities)
+  * CVE-2017-12375 (ClamAV Buffer Overflow Vulnerability)
+  * CVE-2017-12378 (ClamAV Buffer Over Read Vulnerability)
+  * CVE-2017-12380 (ClamAV Null Dereference Vulnerability)
+    - these vulnerabilities could have allowed an unauthenticated,
+      remote attacker to cause a denial of service (DoS) condition on an affected device.
+  * CVE-2017-6420 (bsc#1052448)
+    - this vulnerability allowed remote attackers to cause a denial of service
+      (use-after-free) via a crafted PE file with WWPack compression.
+  * CVE-2017-6419 (bsc#1052449)
+    - ClamAV allowed remote attackers to cause a denial of service
+      (heap-based buffer overflow and application crash) or possibly
+      have unspecified other impact via a crafted CHM file.
+  * CVE-2017-11423 (bsc#1049423)
+    - The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha
+      allowed remote attackers to cause a denial of service
+      (stack-based buffer over-read and application crash) via a crafted CAB file.
+  * CVE-2017-6418 (bsc#1052466)
+    - ClamAV 0.99.2 allowed remote attackers to cause a denial
+      of service (out-of-bounds read) via a crafted e-mail message.
+- drop clamav-0.99.2-openssl-1.1.patch (upstream)
+
 -------------------------------------------------------------------
 Tue Nov 28 08:30:04 UTC 2017 - meissner@suse.com
 

clamav.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package clamav
 #
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -43,7 +43,7 @@ BuildRequires:  python-devel
 Summary:        Antivirus Toolkit
 License:        GPL-2.0
 Group:          Productivity/Security
-Version:        0.99.2
+Version:        0.99.3
 Release:        0
 Url:            http://www.clamav.net
 Obsoletes:      clamav-db < 0.88.3
@@ -62,8 +62,6 @@ Patch1:         clamav-conf.patch
 Patch3:         clamav-gcc47.patch
 Patch4:         clamav-disable-timestamps.patch
 Patch5:         clamav-fix_newer_zlib.patch
-# https://raw.githubusercontent.com/patch-exchange/openssl-1.1-transition/master/clamav/clamav-0.99.2-openssl-1.1.patch
-Patch6:         clamav-0.99.2-openssl-1.1.patch
 BuildRequires:  systemd
 BuildRequires:  systemd-rpm-macros
 %systemd_requires
@@ -104,10 +102,6 @@ that want to make use of libclamav.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
-if pkg-config --atleast-version=1.1.0 libssl; then
-%patch6 -p1
-autoreconf -i -f
-fi
 
 %build
 CFLAGS="-fstack-protector"