From 1ca8804a221474f575c754cb08a17bcaa71435c5c7523603019fa60c25e0e8e2 Mon Sep 17 00:00:00 2001 From: Andreas Stieger Date: Tue, 17 Jul 2018 21:41:32 +0000 Subject: [PATCH] Accepting request 622505 from home:EGDFree:branches:security MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Update to version 0.100.1 * CVE-2017-16932: Vulnerability in libxml2 dependency (affects ClamAV on Windows only). * CVE-2018-0360: HWP integer overflow, infinite loop vulnerability. Reported by Secunia Research at Flexera. * CVE-2018-0361: ClamAV PDF object length check, unreasonably long time to parse relatively small file. Reported by aCaB. * Buffer over-read in unRAR code due to missing max value checks in table initialization. Reported by Rui Reis. * Libmspack heap buffer over-read in CHM parser. Reported by Hanno Böck. * Buffer length checks when reading integers from non-NULL terminated strings. * Buffer length tracking when reading strings from dictionary objects. * HTTPS support for clamsubmit. * Fix for DNS resolution for users on IPv4-only machines where IPv6 is not available or is link-local only. Patch provided by Guilherme Benkenstein. OBS-URL: https://build.opensuse.org/request/show/622505 OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=168 --- clamav-0.100.0.tar.gz | 3 --- clamav-0.100.0.tar.gz.sig | 16 ---------------- clamav-0.100.1.tar.gz | 3 +++ clamav-0.100.1.tar.gz.sig | 16 ++++++++++++++++ clamav-disable-timestamps.patch | 2 +- clamav.changes | 23 +++++++++++++++++++++++ clamav.spec | 2 +- 7 files changed, 44 insertions(+), 21 deletions(-) delete mode 100644 clamav-0.100.0.tar.gz delete mode 100644 clamav-0.100.0.tar.gz.sig create mode 100644 clamav-0.100.1.tar.gz create mode 100644 clamav-0.100.1.tar.gz.sig diff --git a/clamav-0.100.0.tar.gz b/clamav-0.100.0.tar.gz deleted file mode 100644 index be974fe..0000000 --- a/clamav-0.100.0.tar.gz +++ /dev/null 
@@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c5c5edaf75a3c53ac0f271148fd6447310bce53f448ec7e6205124a25918f65c -size 16036757 diff --git a/clamav-0.100.0.tar.gz.sig b/clamav-0.100.0.tar.gz.sig deleted file mode 100644 index d1c309f..0000000 --- a/clamav-0.100.0.tar.gz.sig +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIcBAABAgAGBQJay4N+AAoJEPE/nha8pb+tUiEP/isw/OZ5t183XjjPVV3wtIH1 -xbPkCG5/842Ui8Dd2G14VUEW+abUDueBU1Fn4hPixGVOmXiEmltwlM2R6+qjutVO -al18jCkJXMq9sfqO0pMom8NDf3mNu9sy3oqARekrnLO1JZI0w5HKAAJg3VaCBBEZ -YD7XxtuO8R1R9BBSAwx4E1NG9skQ+WAJVlT7ckWCuqW6SafIsqnM2f9KV1lYitod -7mXl72nPQA3xkiqri1XLZrkiViZyzX5q3LRYdADlHk79MmDZuaaVIfza42SEYjQm -TYTh5vvi1yUz6qhALFfbqOdOTQLri0gZp00xlmH+5MhVcnHZVAfzA3R57VcleD+o -LpC9WUAEUL3D15KQlLhrV7Y0D82M79jJDXExRM2TozjUnA3WrQRZZqlJg5iEBHcu -VP/O7hLNslm8SFRd1SHQ7C4D7X9odW3D64QySEpx9TyUWSesQg/hSO3F9Xj6eBRy -JWYc90iu8DFedR+QrkwnMIbgbTeYxVjnPwKfI1E8vGrojYFKI3nFATQERRAcnrSz -FjaffXxkMPULKCi8JqcvomlZkj+W1LvZ9OEdtD92nz4mX/C6tHaPy6A2alByHElp -CMXYc8IIT3WWFV73O17xBdLhpyJRnmuHQ3IpJMKXh89lgX+t/ABAkWlmQsLy9PpH -SlfPF6qoRTu2fSlQmEJu -=KvcM ------END PGP SIGNATURE----- diff --git a/clamav-0.100.1.tar.gz b/clamav-0.100.1.tar.gz new file mode 100644 index 0000000..64ffae6 --- /dev/null +++ b/clamav-0.100.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:84e026655152247de7237184ee13003701c40be030dd68e0316111049f58a59f +size 16154415 diff --git a/clamav-0.100.1.tar.gz.sig b/clamav-0.100.1.tar.gz.sig new file mode 100644 index 0000000..c0a7516 --- /dev/null +++ b/clamav-0.100.1.tar.gz.sig 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABAgAGBQJbO66OAAoJEPE/nha8pb+t2SkP/0i9fOLm2FCBs/kRGiGgd4zn +RxLwsW0Wskf0C/5dLhNHP/aeHSqeWZQdasmIgUzxxGhksp/gxwmH66h5y6qjACU2 +LnDytMr5DuM0rPAfNtOmnCQcpKVXvRA5utboCP7BWBLsfdfi1tF/Sw/JknDzDu5a +AExBpiclix4EEHa4VkG+pMYpLLYUfxMZgKuq9b3ytWgNbCz0riSugr3hkoL72uRy +xfrN2S0YkHy1Kw/7zohcHJa1qfPXZ/V6S1iSBCSfk3OTeExJhQIDxlLNTkcBr8L0 +H9Fo6RnQ2ttYtdphKU1suN4spFxBJD94zkOB+0cLfk6sCeYb4BXrqX6t19N+9Z9+ +m2fx2zay12skW/eABFtG82ToWTojCfHhKrRRDZRE8iXh2KUKMUkx7kSjhDRNR9eE +WIpfAom4vdgDwDOgHwziUqr65l8Dr3NFC1LJl8F0uaFGshbjbtMufD88S0TQCvw6 +pJAZ8ZiTXqtmT9Uyw9aObffA2ekKWOY4k/6Z7ved76GkXC+e922Z+LpRE8wE05Cz +sqwkzIQMLwwBo3468vB0RFxS14AVyLFVogmYxkhLcZC39yFBZVJF4++efsrlt+vq ++OoJl7JF1NYp8KSGGAIuNY5dyJGtiu709n7ppU6JAY2uhAzEjHYeqM0caDjPDjT2 +/LK7EO0s7O30HEld5gDC +=xbrK +-----END PGP SIGNATURE----- diff --git a/clamav-disable-timestamps.patch b/clamav-disable-timestamps.patch index 677c0f8..d636fd8 100644 --- a/clamav-disable-timestamps.patch +++ b/clamav-disable-timestamps.patch @@ -78,4 +78,4 @@ +_ACEOF - VERSION="0.100.0" + VERSION="0.100.1" diff --git a/clamav.changes b/clamav.changes index eda9cd4..0679320 100644 --- a/clamav.changes +++ b/clamav.changes 
@@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Tue Jul 10 08:06:33 UTC 2018 - egdfree@opensuse.org + +- Update to version 0.100.1 + * CVE-2017-16932: Vulnerability in libxml2 dependency (affects + ClamAV on Windows only). + * CVE-2018-0360: HWP integer overflow, infinite loop + vulnerability. Reported by Secunia Research at Flexera. + * CVE-2018-0361: ClamAV PDF object length check, unreasonably + long time to parse relatively small file. Reported by aCaB. + * Buffer over-read in unRAR code due to missing max value checks + in table initialization. Reported by Rui Reis. + * Libmspack heap buffer over-read in CHM parser. Reported by + Hanno Böck. + * Buffer length checks when reading integers from non-NULL + terminated strings. + * Buffer length tracking when reading strings from dictionary + objects. + * HTTPS support for clamsubmit. + * Fix for DNS resolution for users on IPv4-only machines where + IPv6 is not available or is link-local only. Patch provided by + Guilherme Benkenstein. + ------------------------------------------------------------------- Thu Apr 26 15:35:15 UTC 2018 - max@suse.com diff --git a/clamav.spec b/clamav.spec index 4609659..12bf9c4 100644 --- a/clamav.spec +++ b/clamav.spec @@ -38,7 +38,7 @@ BuildRequires: zlib-devel Summary: Antivirus Toolkit License: GPL-2.0-only Group: Productivity/Security -Version: 0.100.0 +Version: 0.100.1 Release: 0 Url: http://www.clamav.net Obsoletes: clamav-db < 0.88.3
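Review bot: For clamav-0.100.1.tar.gz and clamav-0.100.1.tar.gz.sig, nothing in the visible hunks shows which key the new detached signature is checked against. The diffstat contains no keyring file and the clamav.spec hunk only changes the Version tag. Please confirm in the request that the signature was verified against the upstream signing key and that the new pointer's `oid sha256:84e02665...` (size 16154415) matches the upstream release tarball, so the source swap is auditable from the request itself.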
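Review bot: In clamav-disable-timestamps.patch, the only change is the line `VERSION="0.100.0"` becoming `VERSION="0.100.1"`, so this patch carries the upstream version string and has to be refreshed by hand on every version bump. Trim the hunk at `@@ -78,4 +78,4 @@` so it ends before the VERSION line, or note in the patch header that it must be regenerated with each update, so a missed refresh does not break the build or get applied with fuzz.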
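Review bot: In the clamav.changes entry, the three CVE items (CVE-2017-16932, CVE-2018-0360, CVE-2018-0361) carry no bug tracker reference, so the security fixes cannot be tied to tracked issues from the changelog alone. Add the matching bug reference next to each CVE id. The first item is described as "affects ClamAV on Windows only", so it would also help to say explicitly that it is listed for completeness and is not a fix for this package's builds.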
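Review bot: In the clamav.spec hunk, the context line `Url: http://www.clamav.net` still uses plain HTTP. Since this line is already being touched for the Version bump two lines above, switch the Url tag to https in the same change if the upstream site serves it.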