Accepting request 770381 from home:adkorte:branches:security

- update to 0.102.2
  * CVE-2020-3123: A denial-of-service (DoS) condition may occur when
    using the optional credit card data-loss-prevention (DLP) feature.
    Improper bounds checking of an unsigned variable resulted in an
    out-of-bounds read, which causes a crash.
  * Significantly improved the scan speed of PDF files on Windows.
  * Re-applied a fix to alleviate file access issues when scanning RAR
    files in downstream projects that use libclamav where the scanning
    engine is operating in a low-privilege process. This bug was originally
    fixed in 0.101.2 and the fix was mistakenly omitted from 0.102.0.
  * Fixed an issue where freshclam failed to update if the database version
    downloaded is one version older than advertised. This situation may
    occur after a new database version is published. The issue affected
    users downloading the whole CVD database file.
  * Changed the default freshclam ReceiveTimeout setting to 0 (infinite).
    The ReceiveTimeout had caused needless database update failures for
    users with slower internet connections.
  * Correctly display the number of kilobytes (KiB) in progress bar and
    reduced the size of the progress bar to accommodate 80-character width
    terminals.
  * Fixed an issue where running freshclam manually causes a daemonized
    freshclam process to fail when it updates because the manual instance
    deletes the temporary download directory. The freshclam temporary files
    will now download to a unique directory created at the time of an update
    instead of using a hardcoded directory created/destroyed at the program
    start/exit.
  * Fix for freshclam's OnOutdatedExecute config option.
  * Fixes a memory leak in the error condition handling for the email
    parser.
  * Improved bound checking and error handling in ARJ archive parser.
  * Improved error handling in PDF parser.
  * Fix for memory leak in byte-compare signature handler.

OBS-URL: https://build.opensuse.org/request/show/770381
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=201

clamav-0.102.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0dbda8d0d990d068732966f13049d112a26dce62145d234383467c1d877dedd6
-size 13215586

clamav-0.102.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:89fcdcc0eba329ca84d270df09d2bb89ae55f5024b0c3bddb817512fb2c907d3
+size 13227538

clamav-0.102.2.tar.gz.sig

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJeOZwdAAoJEPE/nha8pb+tyTUP/A2vRvLI6+2QycpNvK8ByvMF
+sh8w0f96FP4eYVezTtLI/YcciApKyexVJpopkG55K/dG6spC12WUDVSj+Vd/N3n6
+qTEKSCarUYxA3/Dh5wa+OJdf+EhrB2BPWyNQ7aY+IbbkXhjHep7zMg9XXtmSAans
+VDLpqXwAIO5cn3Xft2gb8v21VtWjDGbAIG9FSHennp++1jF3xHo8k4tmWIWGRQxn
+Bmx2q1D2tCGii/HTMSVFLl6MzKzPtQfNDNMptWyNqyMzh5L7GtqKYlF0I6lc33e8
+uHi0NnFRV+6jcWsztYpkugDunx+MHgz1kIpz6Bb63yNyHiS+g4guprTcW1OigNQ5
+8SdXrdbBrSjreNBzG0KBasQ63eLVjAuqLNDcuFJUKqInp9Xen6iVG4dRluZdqRBy
+efhptqHLuQcIeb3bPMOeSgs5cD6jkNCSw++A8tNHeCGFhsbTN2UXCbBHIExPyRG5
+QQX3mBasYG+6ME0lYFZmMD3Z8v76jM0xikZf+Zj8MZtCAZfafsYLMEWdU0Oagw5d
+djO/Ry3+LO+8lXGobbDTEjAr9Aim9HkTWwQRbr32HqydAbky19bI408QZbkd6SwC
+qYKMMdya1Ng1lxUbkgndwFRaRmlQh7G95RO/vKFRvu9N3f/Lmz8VkKSxul0YlRna
+JjZl7wJaWleprydQfqfa
+=p9cv
+-----END PGP SIGNATURE-----

clamav-disable-timestamps.patch

@@ -37,8 +37,8 @@ Index: configure
  LIBCLAMAV_VERSION
 +ENABLE_TIMESTAMPS
  PACKAGE_VERSION_NUM
- EGREP
+ ac_ct_AR
- GREP
+ AR
 @@ -924,6 +925,7 @@ ac_user_opts='
  enable_mmap_for_cross_compiling
  enable_dependency_tracking
@@ -58,8 +58,8 @@ Index: configure
                            optimize for fast installation [default=yes]
 @@ -5927,6 +5931,26 @@ $as_echo "$ac_cv_safe_to_define___extens
  
-   $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h
  
+ $as_echo "#define PACKAGE PACKAGE_NAME" >>confdefs.h
 +# Check whether --enable-timestamps was given.
 +if test "${enable_timestamps+set}" = set; then :
 +  enableval=$enable_timestamps;
@@ -82,4 +82,4 @@ Index: configure
 +_ACEOF
  
  
- VERSION="0.102.1"
+ VERSION="0.102.2"

clamav.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Wed Feb  5 18:31:17 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 0.102.2
+  * CVE-2020-3123: A denial-of-service (DoS) condition may occur when
+    using the optional credit card data-loss-prevention (DLP) feature.
+    Improper bounds checking of an unsigned variable resulted in an
+    out-of-bounds read, which causes a crash.
+  * Significantly improved the scan speed of PDF files on Windows.
+  * Re-applied a fix to alleviate file access issues when scanning RAR
+    files in downstream projects that use libclamav where the scanning
+    engine is operating in a low-privilege process. This bug was originally
+    fixed in 0.101.2 and the fix was mistakenly omitted from 0.102.0.
+  * Fixed an issue where freshclam failed to update if the database version
+    downloaded is one version older than advertised. This situation may
+    occur after a new database version is published. The issue affected
+    users downloading the whole CVD database file.
+  * Changed the default freshclam ReceiveTimeout setting to 0 (infinite).
+    The ReceiveTimeout had caused needless database update failures for
+    users with slower internet connections.
+  * Correctly display the number of kilobytes (KiB) in progress bar and
+    reduced the size of the progress bar to accommodate 80-character width
+    terminals.
+  * Fixed an issue where running freshclam manually causes a daemonized
+    freshclam process to fail when it updates because the manual instance
+    deletes the temporary download directory. The freshclam temporary files
+    will now download to a unique directory created at the time of an update
+    instead of using a hardcoded directory created/destroyed at the program
+    start/exit.
+  * Fix for freshclam's OnOutdatedExecute config option.
+  * Fixes a memory leak in the error condition handling for the email
+    parser.
+  * Improved bound checking and error handling in ARJ archive parser.
+  * Improved error handling in PDF parser.
+  * Fix for memory leak in byte-compare signature handler.
+
 -------------------------------------------------------------------
 Tue Dec 24 10:49:25 UTC 2019 - Arjen de Korte <suse+build@de-korte.org>
 

clamav.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package clamav
 #
-# Copyright (c) 2019 SUSE LLC
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 
 %define clamav_check --enable-check
 Name:           clamav
-Version:        0.102.1
+Version:        0.102.2
 Release:        0
 Summary:        Antivirus Toolkit
 License:        GPL-2.0-only
@@ -60,9 +60,9 @@ BuildRequires:  pwdutils
 BuildRequires:  python-devel
 BuildRequires:  sed
 BuildRequires:  sendmail-devel
-BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  zlib-devel
+BuildRequires:  pkgconfig(libsystemd)
 Requires(pre):  %_bindir/awk
 Requires(pre):  %_sbindir/groupadd
 Requires(pre):  %_sbindir/useradd