Accepting request 1066149 from security

- Update to 0.103.8 * CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. Issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. (bsc#1208363) * CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. Issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. (bsc#1208365) * Update vendored libmspack library to version 0.11alpha. - Package huge .html documentation in a separate subpackage. OBS-URL: https://build.opensuse.org/request/show/1066149 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/clamav?expand=0&rev=120
2023-02-16 15:57:09 +00:00
parent 412e335eb2 8dcf736f6a
commit 229d0e65c5
7 changed files with 50 additions and 24 deletions
--- a/clamav-0.103.7.tar.gz
+++ b/clamav-0.103.7.tar.gz
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1e34c31f600cb3b5bd1bf76690590cdeebe9409b330959b1c0f77d421bb17e50
-size 16501741
--- a/clamav-0.103.7.tar.gz.sig
+++ b/clamav-0.103.7.tar.gz.sig
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE4025WzdLMVcEls0/YJsCTys+3QcFAmLfo64ACgkQYJsCTys+
-3QdmFhAAnLbJecipQ8Dgn/rxnUGHyGRP9s82ygtJ4dedHLTeVJvdVHfK2LtlMsXA
-i6SWStFh7yZUDTto6V83FSIhNE9wL5bxZsyqrx1qPfvKNssongS1u3zojen8bNje
-0AYlphO4onpvMoaoV7II5GuMTWQ9GNN9vH78qDl9gGqiZx1UywGNeHJNhoNk4kiK
-FmmN9PdrFfOXzKAq5wgnUORW2JFZbqo+573CFjv4t/V+QHAsLhqgFGsDW8o3EfZH
-2/Kgm/1c9/xsG0RZlVat6V7klhuzdfn8Q4rqiH0/V8P7gu5Td9uigkISWNBrkNPw
-XYQAMvD5dT8Wh8g6resrV2qn7KCOaMQG7pRdcmkYOQ5Qln8rik8lHuMiQng9l0xF
-LKXa9B6gSqyNFwU70XF2PwPete+6zQtCfkwD0RmRwZcOxgD4BPzkUqN5IUFM1+lt
-QSoEmGij86dfaU3oFlEn1TrUSKeBEKOsd1jLeRmNRKttdNgvoOqa3E7JqiMq0gOL
-DX2DIBgDgYZk2+wSzyCCgKXZbUMDUw9q2zTN6IRfc3cArJtuQdm/itb6El81O0n2
-cYtFLCL7UimB+rlKKm8i3dpkYCCOVGHYnjqkaB9YZ4MQqBfzwbP7NICW4bTQDcvW
-0uiaMsNrM3i0yWyXT/zFJuNaBtmETjUitZUzSY1BPgfF4mniMEo=
-=9/sD
-----END PGP SIGNATURE-----
--- a/clamav-0.103.8.tar.gz
+++ b/clamav-0.103.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6f49da6ee927936de13d359e559d3944248e3a257d40b80b6c99ebe6fe8c8c3f
+size 16524716
--- a/clamav-0.103.8.tar.gz.sig
+++ b/clamav-0.103.8.tar.gz.sig
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJj6kjVAAoJEGCbAk8rPt0HoSYP/1xl4m+Gn9KamEiSGW0D4S5T
+CrNAL+TFEoqAPXdHbLDnePIpSDE6oqS9dPzFcZmdiUaEvq+anY5ZZVrLvmXepgst
+5o49feMWs5HxSpYGYe3MkCfDnJLJSF+aiPnJQuU011M0ZTszzeSAjCwTeu3Hc14h
+iumavdj5n3qYjJZnct7R/M1TJN91P8obB1os1CqbSPlsZGjgvccNrbkTg+Sira0M
+pt1gZ8fwQ1t3AejKfR+3fqafcXArWk77jBrKGS7he6QCwe4cYz/I3U0jLXwTU87o
+HHdz/Exa9ed6JPe6Qlr19GMCXsQDIVs6xMfmQlpNENT1GtFVlTlRg4N6Ofy9Ejo2
+G2pUYIaDvqd6qxNXG9wW1rwWjNFAXYrYZ2NgQ4AcpMmjEuoxi5g+etA6ogyGfCNy
+eZldAerq4TwyQCya9rv0JjnAOQC+cvlwxCysGAW1DC3gyVkkojlBLL4EqDlrHrTx
+hRVS4scgRV397YHZJ/AT+tu7Rds8syTMU5Z0q8sOsZUQjtUXWye+lpNXlA2V0JyI
+3590whZ31GSecc+rmlLnJ4IIAlW/ze4nsbw5IMmCvv4NLeW/YnbGWAq0M6+3oXLi
+MH9OAplxvPtBRie+kvwghJUHCnDpr02o4MOWFNZTdoqgxuvgI9zt/eLgJ2NW7u2b
+M4yqmhNqOSwDywRv40qU
+=hkkT
+-----END PGP SIGNATURE-----
--- a/4
+++ b/4
@@ -1,4 +1,4 @@
-addFilter("non-standard-uid.*")
-addFilter("devel-file-in-non-devel-package.*")
 addFilter("obsolete-not-provided")
 addFilter("systemd-service-without-service_.* freshclam.service")
+addFilter("missing-call-to-setgroups-before-setuid /usr/bin/clamscan")
+addFilter("files-duplicated-waste")
--- a/clamav.changes
+++ b/clamav.changes
@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Wed Feb 15 17:26:43 UTC 2023 - Arjen de Korte <suse+build@de-korte.org>
+
+- Update to 0.103.8
+  * CVE-2023-20032: Fixed a possible remote code execution vulnerability
+    in the HFS+ file parser. Issue affects versions 1.0.0 and earlier,
+    0.105.1 and earlier, and 0.103.7 and earlier. (bsc#1208363)
+  * CVE-2023-20052: Fixed a possible remote information leak
+    vulnerability in the DMG file parser. Issue affects versions 1.0.0
+    and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.
+    (bsc#1208365)
+  * Update vendored libmspack library to version 0.11alpha.
+- Package huge .html documentation in a separate subpackage.
+
 -------------------------------------------------------------------
 Fri Aug  5 06:42:21 UTC 2022 - ecsos <ecsos@opensuse.org>

--- a/clamav.spec
+++ b/clamav.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package clamav
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -19,7 +19,7 @@
 %bcond_with	clammspack
 %bcond_with	valgrind
 Name:           clamav
-Version:        0.103.7
+Version:        0.103.8
 Release:        0
 Summary:        Antivirus Toolkit
 License:        GPL-2.0-only
@@ -90,6 +90,15 @@ provides numerous file format detection mechanisms, file unpacking
 support, archive support, and multiple signature languages for
 detecting threats.

+%package docs-html
+Summary:        Documentation for ClamAV in HTML format
+Group:          Productivity/Security
+Requires:       %{name} = %{version}
+BuildArch:      noarch
+
+%description docs-html
+Optional HTML documentation for ClamAV antivirus engine
+
 %package milter
 Summary:        ClamAV Milter compatible mail scanner
 Group:          Productivity/Security
@@ -148,6 +157,7 @@ that want to make use of libclamav.
 %patch6
 %patch12
 %patch14 -p1
+chmod -x docs/html/images/flamegraph.svg

 %build
 %if 0%{?suse_version} <= 1500
@@ -272,7 +282,6 @@ fi

 %files
 %license COPYING*
-%doc docs/html/*
 %config(noreplace) %{_sysconfdir}/clamd.conf
 %config(noreplace) %{_sysconfdir}/freshclam.conf
 %{_bindir}/clamav-config
@@ -311,6 +320,9 @@ fi
 %endif
 %ghost %attr(755,vscan,vscan) /run/clamav

+%files docs-html
+%doc docs/html/*
+
 %files milter
 %config(noreplace) %{_sysconfdir}/clamav-milter.conf
 %{_unitdir}/clamav-milter.service