Accepting request 728340 from home:AndreasStieger:branches:security

- update to 0.101.4: * CVE-2019-12900: An out of bounds write in the NSIS bzip2 (boo#1149458) * CVE-2019-12625: Introduce a configurable time limit to mitigate zip bomb vulnerability completely. Default is 2 minutes, configurable useing the clamscan --max-scantime and for clamd using the MaxScanTime` config option (boo#1144504) OBS-URL: https://build.opensuse.org/request/show/728340 OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=189
2019-09-09 12:39:48 +00:00 · 2019-09-09 12:39:48 +00:00 · 2f65992cdb
commit 2f65992cdb
parent ce9e01186a
7 changed files with 40 additions and 25 deletions
--- a/clamav-0.101.3.tar.gz
+++ b/clamav-0.101.3.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:68d42aac4a9cbde293288533a9a3c3d55863de38f2b8707c1ef2d987b1260338
-size 21389753
--- a/clamav-0.101.3.tar.gz.sig
+++ b/clamav-0.101.3.tar.gz.sig
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJdRIRbAAoJEPE/nha8pb+tXEMP/Ry/gsL64Ih9W8I3z8k8ob88
-5tJDE2+9nasPMtoWuQlkAvdc6TV+bWc0WahjAJw7Y8Nq4fxu663WBh1V2I86V9NN
-qS197FtWNnBL9Z1VCvcoT98Hhoiwr/iUPTH/9bEn9cElFj5fMlHhA33hg0ZCPh/z
-BG9kLKy1Wy+68ThDfpdcPjkhdBZRkXTFCIblMzcYnIXcMSsiuS9xVflOk+tgzoVK
-BAQp96+t6G2vtwOgioZ9Fl9sEeGBXoAlTKZ9Co65a7BRnHJiMpmxvUjs7nPjrVcP
-+NDGBZ4fig9kJGyIjRkIdXeZs3HzJfHjrJ0Qpw9Jv5lGDS6UdgqemW9DIt84xDKw
-aCR/Z2yHEe1xai2GeGKqVKorQ6grVAPtfaAd3DnEC7Fjmm/KiyQDSyyDpWEouAbL
-cT8TMlWEVrXzqgFIbVBiEVoc5fXqrfU7ichVdLBsToYCWHrWIoikKaFmFh3QrUhj
-nbtWzHas++lMhXU39E18/vo088qyFD0MRyOtgzq5uGS8Oi81Ft/pz2ryv1DlBpt9
-kGsvoo4jjMXfwANRcS5HwGvlZuIj0WtEYrK34WzGlTu6hmCnnK3gHCXbY0HwyEgU
-BZy18RHV1R6iEgRJxORqe8BW3oSAK4ZtjJEj0oju7UME7hepuBfzoOZYuAXHNAUS
-PTYn72bl18ztZOtEZPoJ
-=gcl/
-----END PGP SIGNATURE-----
--- a/clamav-0.101.4.tar.gz
+++ b/clamav-0.101.4.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0bf094f0919d158a578421d66bc2569c8c8181233ba162bb51722f98c802bccd
+size 21408145
--- a/clamav-0.101.4.tar.gz.sig
+++ b/clamav-0.101.4.tar.gz.sig
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJdXCszAAoJEPE/nha8pb+tAjsP/RsKRXprSsubOacVYYaz5ItZ
+psOcDrqf+u7K+fWKx9lQzIEfyeD6BcH75WRU+juPvuWCkEVrKBaU0Xm3FtZKr589
+mUzT7GpALdkIQor5gc2dqYmM2d3ajcoYFBVwvkMmUuaaz1UBdT7DcL+m56I5gqZr
+IDs7072Ve58drkTm6wGBuawVSgO99w4EKjBDDk+GS9c52BYGUyDp2n65VjMrN+wj
+sSPx19nzRXCNFHQUrPa4Xnz1sE2POuY5HaOEQDHQHOYQp2mFVtmxZjAJqSxwUdY8
+hJgryjQBV+hbgA+1ffNK9EKLzkZLZiSzaA3kkMW3ILzCGc2Wq8iHsKgO/y/DJVE3
+Vb3tEcnToss9wFNm710Ykn15+xvYn+5FcNE5MgUk8pmYqwWkSF3qv4pycnTLGW1e
+lK6+o37tsDsC8ZBTRtrkePmpw1VG+21peaBEWFZ5BMmN7Lg/HkilAzoq5+Q8ECnJ
+tg43n7Mc+w8LwfDfUtcPxQ395kOyMt5vqJ92XJiGoKW2I12YUetYiYkUKACxEVN8
+wTi4P13iIDPxGGmdpEAONI+ow4vKRk8zFLHuP54fqUYGR+mRV8uz5X6i8j0mWWXa
+ZiD2Mmgk5kkDJ87bWxEjAtLKw/3yHxYt4YjhVXz/7a2rog8f5L65RRazKDiduGa/
+g6v2vqvhQ2r1gnkOfbW4
+=teQA
+-----END PGP SIGNATURE-----
--- a/clamav-disable-timestamps.patch
+++ b/clamav-disable-timestamps.patch
@ -1,3 +1,5 @@
+Index: libclamav/tomsfastmath/misc/fp_ident.c
+===================================================================
 --- libclamav/tomsfastmath/misc/fp_ident.c.orig
 +++ libclamav/tomsfastmath/misc/fp_ident.c
@@ -15,7 +15,11 @@ const char *fp_ident(void)
@ -25,9 +27,11 @@
 
    if (sizeof(fp_digit) == sizeof(fp_word)) {
       strncat(buf, "WARNING: sizeof(fp_digit) == sizeof(fp_word), this build is likely to not work properly.\n", 
+Index: configure
+===================================================================
 --- configure.orig
 +++ configure
-@@ -812,6 +812,7 @@ FGREP
+@@ -814,6 +814,7 @@ FGREP
 SED
 LIBTOOL
 LIBCLAMAV_VERSION
@ -35,7 +39,7 @@
 EGREP
 GREP
 CPP
-@@ -922,6 +923,7 @@ ac_user_opts='
+@@ -924,6 +925,7 @@ ac_user_opts='
 enable_option_checking
 enable_dependency_tracking
 enable_silent_rules
@ -43,7 +47,7 @@
 enable_static
 enable_shared
 with_pic
-@@ -1641,6 +1643,8 @@ Optional Features:
+@@ -1644,6 +1646,8 @@ Optional Features:
   --enable-silent-rules   less verbose build output (undo: "make V=1")
   --disable-silent-rules  verbose build output (undo: "make V=0")
   --enable-static[=PKGS]  build static libraries [default=no]
@ -52,7 +56,7 @@
   --enable-shared[=PKGS]  build shared libraries [default=yes]
   --enable-fast-install[=PKGS]
                           optimize for fast installation [default=yes]
-@@ -5923,6 +5927,26 @@ $as_echo "$ac_cv_safe_to_define___extens
+@@ -5927,6 +5931,26 @@ $as_echo "$ac_cv_safe_to_define___extens
 
   $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h
 
@ -78,4 +82,4 @@
 +_ACEOF
 
 
- VERSION="0.101.3"
+ VERSION="0.101.4"
--- a/clamav.changes
+++ b/clamav.changes
@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Sep  4 19:12:01 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- update to 0.101.4:
+  * CVE-2019-12900: An out of bounds write in the NSIS bzip2
+    (boo#1149458)
+  * CVE-2019-12625: Introduce a configurable time limit to mitigate
+    zip bomb vulnerability completely. Default is 2 minutes,
+    configurable useing the clamscan --max-scantime and for clamd
+    using the MaxScanTime config option (boo#1144504)
+
 -------------------------------------------------------------------
 Tue Aug  6 15:34:08 UTC 2019 - Reinhard Max <max@suse.com>

--- a/clamav.spec
+++ b/clamav.spec
@ -20,7 +20,7 @@

 %define clamav_check --enable-check
 Name:           clamav
-Version:        0.101.3
+Version:        0.101.4
 Release:        0
 Summary:        Antivirus Toolkit
 License:        GPL-2.0-only