Accepting request 1231926 from security

- fix factory submission (clam.tcl, clamscan.log) (forwarded request 1231922 from AndreasStieger)

OBS-URL: https://build.opensuse.org/request/show/1231926
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/clamav?expand=0&rev=127

clamav-1.3.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:12a3035bf26f55f71e3106a51a5fa8d7b744572df98a63920a9cff876a7dcce4
-size 54554712

clamav-1.3.1.tar.gz.sig

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJmH9VrAAoJEMzg39Iewam/XfwP/ic9ZUe5KxhdFroBzjm4arRp
-+/oMZ68d5sa5TVyDvCDOa1b+ttcV7KtUw6/h3itPKAJ4DHt9gq1qtFK9C5GSjIgI
-jGCzwOzD0tPM56hPQQ5fo6md9fb5np1UQAG+tKmd02v1Yq80eQTimdpQr6TuHcI7
-PBg7ku7c3lfqmXgGbb+AsBQr/x+MJTN8QH2VUP3L6iUkl96iSaYN9FTr0VkjeU13
-Ir77fXd4jfcgpBdSJtLjBuCBpjyCSvw2x0Vp3TIjKi4FRGp5x0YkAdoQ/UDMh4+Y
-u1gICsROL967/9gEr4d7zwBv5UNPDWO4HNUC5+uBurUfF1WCoF0WAqtuzNpdAYGE
-2sMQc7HnRJKo6KchtU5kLZeAqgqL+k70VBTBjgqdi4YzvsX62SatJPHdRvkaf00H
-LojUD7f0CpPFtkfftZ16SPAb65x3mtdFfYSXaIVKhWsTJoCFy/HnuXNWnW4W/HwX
-RSQTFE3rUad/MEhJzfo8debwVWPAHf4RrNmkOkQ/co/NswUB+3rsZLpcj3ULEcqL
-WDx8/lPDZsyvaosB4JIZLJaECq8TTUZswHsV/K7vdO/S994Ndc+QhXPF75lg33hu
-eCIUF/6ZxMfKyeJre3KWeUmBKRMZZ4WJ6MEmSomL2BSYLSeRkvHY21v9InOK0w1f
-VUaK04HxPJTun12AFAZk
-=9gDC
------END PGP SIGNATURE-----

clamav-1.4.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a318e780ac39a6b3d6c46971382f96edde97ce48b8e361eb80e63415ed416ad8
+size 50078871

clamav-1.4.1.tar.gz.sig

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJm12IWAAoJEMzg39Iewam/rIQQAKv+zANPKfIta+VJRKkD0Wxa
+LJGDBKKifqyM1HiR+YxGMUuElgmpRvozfZ7ifBGvz/IxjPmUag/BNfOl4JVsSAnL
+WsOhUMSEYxLtpJUywFakI58O/yDSvYlpzfcks0nAIjfeQkhTz0vqqYlyEXR7aDCe
+G/5yOGJtuwAiKclgLCTwqlevZ15ff+3z/UIJ9yAfqM9WPXPQA/lJk1Mp1FmIwVfw
+T/0p8kJJj4Z8aH+jXqOXrKnw9L4Acig3axSneN8QcL5tNosMAQOxhkQuYc6g4V+h
+vDX7N3G5UdPo6jpGoF8NmLu2VFGfWEymBzftMqYZ84Jli9t9RGN8UBEueGERjMsh
+9/3NSAdxeDlR5ELB565a+x/pIOOjovERZdXs9UW8U8NXPeDnIuTTFnqip3e21OGY
+WP3ioP85ixzLFDfZVTaLN97ym2+STiPt+KN7QBEUW0cP/wJFlEcXgRHyY3uQ/iET
+grCTApBuNdOzzgm9lSka653AexhaFTAXtp4NJ5xXThQcFzJ+urDAc6LfPzyknHDx
++lfI5bMeW9I6E7CbkFOELqInzAk6uMZFxbp4Qte8so3GFdCTPtFVTbS4v+Ctx3oi
+r6oIEFLzhbbNz8lX4JrmXTO1WLiy8uoS4xCEEpITAG9iDvPZ2N7iaTiBgI1B4jNN
+W/t/iIUkO7udL0eyZBzF
+=6wKd
+-----END PGP SIGNATURE-----

clamav-conf.patch

@@ -123,7 +123,7 @@
  
  # Stop daemon when libclamav reports out of memory condition.
  #ExitOnOOM yes
-@@ -708,7 +704,7 @@ Example
+@@ -727,7 +723,7 @@ Example
  # multiple OnAccessIncludePath directives but each directory must be added
  # in a separate line.
  # Default: disabled
@@ -132,7 +132,7 @@
  #OnAccessIncludePath /students
  
  # Set the exclude paths. All subdirectories are also excluded.
-@@ -778,7 +774,7 @@ Example
+@@ -797,7 +793,7 @@ Example
  # It has the same potential race condition limitations of the
  # OnAccessExcludeUID option.
  # Default: disabled
@@ -156,8 +156,8 @@
 -
  # Path to the database directory.
  # WARNING: It must match clamd.conf's directive!
- # Default: hardcoded (depends on installation options)
-@@ -52,12 +48,12 @@ Example
+ # WARNING: It must already exist, be an absolute path, be writeable by
+@@ -54,12 +50,12 @@ Example
  # It is recommended that the directory where this file is stored is
  # also owned by root to keep other users from tampering with it.
  # Default: disabled
@@ -172,7 +172,7 @@
  
  # Use DNS to verify virus database version. FreshClam uses DNS TXT records
  # to verify database and software versions. With this directive you can change
-@@ -148,7 +144,7 @@ DatabaseMirror database.clamav.net
+@@ -150,7 +146,7 @@ DatabaseMirror database.clamav.net
  
  # Send the RELOAD command to clamd.
  # Default: no

clamav-format.patch

@@ -64,7 +64,7 @@
      }
 --- libclamav/pe.c.orig
 +++ libclamav/pe.c
-@@ -5185,12 +5185,12 @@ cl_error_t cli_peheader(fmap_t *map, str
+@@ -5117,12 +5117,12 @@ cl_error_t cli_peheader(fmap_t *map, str
  
                  /* If a section is truncated, adjust its size value */
                  if (!CLI_ISCONTAINED_0_TO(fsize, section->raw, section->rsz)) {
@@ -81,7 +81,7 @@
              }
 --- libfreshclam/libfreshclam_internal.c.orig
 +++ libfreshclam/libfreshclam_internal.c
-@@ -226,7 +226,7 @@ fc_error_t load_freshclam_dat(void)
+@@ -229,7 +229,7 @@ fc_error_t load_freshclam_dat(void)
              if (-1 == lseek(handle, strlen(MIRRORS_DAT_MAGIC), SEEK_SET)) {
                  char error_message[260];
                  cli_strerror(errno, error_message, 260);
@@ -92,7 +92,7 @@
  
 --- unit_tests/check_clamav.c.orig
 +++ unit_tests/check_clamav.c
-@@ -1939,7 +1939,7 @@ void diff_file_mem(int fd, const char *r
+@@ -1925,7 +1925,7 @@ void diff_file_mem(int fd, const char *r
  
      ck_assert_msg(!!buf, "unable to malloc buffer: %zu", len);
      p = read(fd, buf, len);
@@ -101,7 +101,7 @@
      p = 0;
      while (len > 0) {
          c1 = ref[p];
-@@ -1950,10 +1950,10 @@ void diff_file_mem(int fd, const char *r
+@@ -1936,10 +1936,10 @@ void diff_file_mem(int fd, const char *r
          len--;
      }
      if (len > 0)
@@ -114,7 +114,7 @@
      close(fd);
  }
  
-@@ -1969,7 +1969,7 @@ void diff_files(int fd, int ref_fd)
+@@ -1955,7 +1955,7 @@ void diff_files(int fd, int ref_fd)
  
      ck_assert_msg(lseek(ref_fd, 0, SEEK_SET) == 0, "lseek failed");
      nread = read(ref_fd, ref, siz);
@@ -154,7 +154,7 @@
      rc = memcmp(p, expect, expect_len);
 --- libclamav/others_common.c.orig
 +++ libclamav/others_common.c
-@@ -312,7 +312,7 @@ char *cli_strdup(const char *s)
+@@ -362,7 +362,7 @@ char *cli_safer_strdup(const char *s)
      }
  
      alloc = strdup(s);
@@ -162,4 +162,4 @@
 +    
      if (!alloc) {
          perror("strdup_problem");
-         cli_errmsg("cli_strdup(): Can't allocate memory (%u bytes).\n", (unsigned int)strlen(s));
+         cli_errmsg("cli_safer_strdup(): Can't allocate memory (%u bytes).\n", (unsigned int)strlen(s));

clamav-obsolete-config.patch

@@ -1,6 +1,6 @@
 --- common/optparser.c.orig
 +++ common/optparser.c
-@@ -598,6 +598,13 @@ const struct clam_option __clam_options[
+@@ -602,6 +602,13 @@ const struct clam_option __clam_options[
      {"MailFollowURLs", "mail-follow-urls", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "", ""},
      {"AllowSupplementaryGroups", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER | OPT_DEPRECATED, "Initialize a supplementary group access (the process must be started by root).", "no"},
      {"ScanOnAccess", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", ""},

clamav.changes

@@ -1,3 +1,51 @@
+-------------------------------------------------------------------
+Wed Dec 18 16:00:45 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- fix factory submission (clam.tcl, clamscan.log)
+
+-------------------------------------------------------------------
+Tue Sep 10 13:05:08 UTC 2024 - Reinhard Max <max@suse.com>
+
+- New version 1.4.1:
+  * [CVE-2024-20506, bsc#1230162]: Changed the logging module to
+    disable following symlinks on Linux and Unix systems so as to
+    prevent an attacker with existing access to the 'clamd' or
+    'freshclam' services from using a symlink to corrupt system
+    files.
+  * [CVE-2024-20505, bsc#1230161]: Fixed a possible out-of-bounds
+    read bug in the PDF file parser that could cause a
+    denial-of-service (DoS) condition.
+  * https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html
+
+- New version 1.4.0:
+  * Added support for extracting ALZ archives.
+  * Added support for extracting LHA/LZH archives.
+  * Added the ability to disable image fuzzy hashing, if needed.
+    For context, image fuzzy hashing is a detection mechanism
+    useful for identifying malware by matching images included with
+    the malware or phishing email/document.
+  * https://blog.clamav.net/2024/08/clamav-140-feature-release-and-clamav.html
+
+-------------------------------------------------------------------
+Wed Sep  4 19:29:48 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
+
+- New version 1.3.2:
+  * CVE-2024-20506: Changed the logging module to disable following
+    symlinks on Linux and Unix systems so as to prevent an attacker
+    with existing access to the 'clamd' or 'freshclam' services from
+    using a symlink to corrupt system files.
+  * CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF
+    file parser that could cause a denial-of-service condition.
+  * Removed unused Python modules from freshclam tests including
+    deprecated 'cgi' module that is expected to cause test failures in
+    Python 3.13.
+  * Fix unit test caused by expiring signing certificate.
+  * Fixed a build issue on Windows with newer versions of Rust. Also
+    upgraded GitHub Actions imports to fix CI failures.
+  * Fixed an unaligned pointer dereference issue on select architectures.
+  * Fixes to Jenkins CI pipeline.
+- Remove upstreamed 1305.patch
+  
 -------------------------------------------------------------------
 Mon Jul 29 07:03:44 UTC 2024 - Bernhard Wiedemann <bwiedemann@suse.com>
 

clamav.spec

@@ -2,6 +2,7 @@
 # spec file for package clamav
 #
 # Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,14 +26,14 @@
 %if 0%{?suse_version} <= 1500
 %define vgcc 13
 %if 0%{?sle_version} < 150400
-%define vrust 1.69
+%define vrust 1.78
 %define vcmake 3
 %endif
 %endif
 %global confdir %_prefix%_sysconfdir
 
 Name:           clamav
-Version:        1.3.1
+Version:        1.4.1
 Release:        0
 Summary:        Antivirus Toolkit
 License:        GPL-2.0-only
@@ -55,15 +56,12 @@ Patch5:         clamav-obsolete-config.patch
 Patch12:        clamav-fips.patch
 Patch14:        clamav-document-maxsize.patch
 Patch15:        clamav-format.patch
-Patch16:        https://github.com/Cisco-Talos/clamav/pull/1305.patch
 ExcludeArch:    %{arml}
 
 BuildRequires:  cargo%{?vrust}
 BuildRequires:  cmake%{?vcmake}
 BuildRequires:  gcc%{?vgcc}
 BuildRequires:  gcc%{?vgcc}-c++
-# temp for Patch16
-BuildRequires:  git-core
 BuildRequires:  libbz2-devel
 BuildRequires:  libjson-c-devel
 BuildRequires:  libopenssl-devel >= 1.0.2
@@ -187,7 +185,6 @@ that want to make use of libclamav.
 %patch -P 12
 %patch -P 14
 %patch -P 15
-git apply %{PATCH16}
 chmod -x docs/html/images/flamegraph.svg
 
 %build
@@ -209,6 +206,7 @@ chmod -x docs/html/images/flamegraph.svg
     -DENABLE_CLAMONACC=ON \
     -DENABLE_MILTER=ON \
     -DSYSTEMD_UNIT_DIR=%{_unitdir} \
+    -DPCRE2_LIBRARY=%{_libdir}/libpcre2-8.so \
 %if %{without clammspack}
     -DENABLE_EXTERNAL_MSPACK=ON
 %endif