From 2f65992cdbd2da2addd93378840281c26d12bd804767f291c6490b186560ddd9 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Mon, 9 Sep 2019 12:39:48 +0000
Subject: [PATCH] Accepting request 728340 from home:AndreasStieger:branches:security - update to 0.101.4: * CVE-2019-12900: An out of bounds write in the NSIS bzip2 (boo#1149458) * CVE-2019-12625: Introduce a configurable time limit to mitigate zip bomb vulnerability completely. Default is 2 minutes, configurable useing the clamscan --max-scantime and for clamd using the MaxScanTime` config option (boo#1144504) OBS-URL: https://build.opensuse.org/request/show/728340 OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=189
---
clamav-0.101.3.tar.gz | 3 ---
clamav-0.101.3.tar.gz.sig | 16 ----------------
clamav-0.101.4.tar.gz | 3 +++
clamav-0.101.4.tar.gz.sig | 16 ++++++++++++++++
clamav-disable-timestamps.patch | 14 +++++++++-----
clamav.changes | 11 +++++++++++
clamav.spec | 2 +-
7 files changed, 40 insertions(+), 25 deletions(-)
delete mode 100644 clamav-0.101.3.tar.gz
delete mode 100644 clamav-0.101.3.tar.gz.sig
create mode 100644 clamav-0.101.4.tar.gz
create mode 100644 clamav-0.101.4.tar.gz.sig
diff --git a/clamav-0.101.3.tar.gz b/clamav-0.101.3.tar.gz
deleted file mode 100644
index 9745e11..0000000
--- a/clamav-0.101.3.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:68d42aac4a9cbde293288533a9a3c3d55863de38f2b8707c1ef2d987b1260338
-size 21389753
diff --git a/clamav-0.101.3.tar.gz.sig b/clamav-0.101.3.tar.gz.sig
deleted file mode 100644
index df87065..0000000
--- a/clamav-0.101.3.tar.gz.sig
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJdRIRbAAoJEPE/nha8pb+tXEMP/Ry/gsL64Ih9W8I3z8k8ob88
-5tJDE2+9nasPMtoWuQlkAvdc6TV+bWc0WahjAJw7Y8Nq4fxu663WBh1V2I86V9NN
-qS197FtWNnBL9Z1VCvcoT98Hhoiwr/iUPTH/9bEn9cElFj5fMlHhA33hg0ZCPh/z
-BG9kLKy1Wy+68ThDfpdcPjkhdBZRkXTFCIblMzcYnIXcMSsiuS9xVflOk+tgzoVK
-BAQp96+t6G2vtwOgioZ9Fl9sEeGBXoAlTKZ9Co65a7BRnHJiMpmxvUjs7nPjrVcP
-+NDGBZ4fig9kJGyIjRkIdXeZs3HzJfHjrJ0Qpw9Jv5lGDS6UdgqemW9DIt84xDKw
-aCR/Z2yHEe1xai2GeGKqVKorQ6grVAPtfaAd3DnEC7Fjmm/KiyQDSyyDpWEouAbL
-cT8TMlWEVrXzqgFIbVBiEVoc5fXqrfU7ichVdLBsToYCWHrWIoikKaFmFh3QrUhj
-nbtWzHas++lMhXU39E18/vo088qyFD0MRyOtgzq5uGS8Oi81Ft/pz2ryv1DlBpt9
-kGsvoo4jjMXfwANRcS5HwGvlZuIj0WtEYrK34WzGlTu6hmCnnK3gHCXbY0HwyEgU
-BZy18RHV1R6iEgRJxORqe8BW3oSAK4ZtjJEj0oju7UME7hepuBfzoOZYuAXHNAUS
-PTYn72bl18ztZOtEZPoJ
-=gcl/
------END PGP SIGNATURE-----
diff --git a/clamav-0.101.4.tar.gz b/clamav-0.101.4.tar.gz
new file mode 100644
index 0000000..2302324
--- /dev/null
+++ b/clamav-0.101.4.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0bf094f0919d158a578421d66bc2569c8c8181233ba162bb51722f98c802bccd
+size 21408145
diff --git a/clamav-0.101.4.tar.gz.sig b/clamav-0.101.4.tar.gz.sig
new file mode 100644
index 0000000..d02a7df
--- /dev/null
+++ b/clamav-0.101.4.tar.gz.sig
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJdXCszAAoJEPE/nha8pb+tAjsP/RsKRXprSsubOacVYYaz5ItZ
+psOcDrqf+u7K+fWKx9lQzIEfyeD6BcH75WRU+juPvuWCkEVrKBaU0Xm3FtZKr589
+mUzT7GpALdkIQor5gc2dqYmM2d3ajcoYFBVwvkMmUuaaz1UBdT7DcL+m56I5gqZr
+IDs7072Ve58drkTm6wGBuawVSgO99w4EKjBDDk+GS9c52BYGUyDp2n65VjMrN+wj
+sSPx19nzRXCNFHQUrPa4Xnz1sE2POuY5HaOEQDHQHOYQp2mFVtmxZjAJqSxwUdY8
+hJgryjQBV+hbgA+1ffNK9EKLzkZLZiSzaA3kkMW3ILzCGc2Wq8iHsKgO/y/DJVE3
+Vb3tEcnToss9wFNm710Ykn15+xvYn+5FcNE5MgUk8pmYqwWkSF3qv4pycnTLGW1e
+lK6+o37tsDsC8ZBTRtrkePmpw1VG+21peaBEWFZ5BMmN7Lg/HkilAzoq5+Q8ECnJ
+tg43n7Mc+w8LwfDfUtcPxQ395kOyMt5vqJ92XJiGoKW2I12YUetYiYkUKACxEVN8
+wTi4P13iIDPxGGmdpEAONI+ow4vKRk8zFLHuP54fqUYGR+mRV8uz5X6i8j0mWWXa
+ZiD2Mmgk5kkDJ87bWxEjAtLKw/3yHxYt4YjhVXz/7a2rog8f5L65RRazKDiduGa/
+g6v2vqvhQ2r1gnkOfbW4
+=teQA
+-----END PGP SIGNATURE-----
diff --git a/clamav-disable-timestamps.patch b/clamav-disable-timestamps.patch
index d740ac4..1a5f4b8 100644
--- a/clamav-disable-timestamps.patch
+++ b/clamav-disable-timestamps.patch
@@ -1,3 +1,5 @@ +Index: libclamav/tomsfastmath/misc/fp_ident.c +=================================================================== --- libclamav/tomsfastmath/misc/fp_ident.c.orig +++ libclamav/tomsfastmath/misc/fp_ident.c @@ -15,7 +15,11 @@ const char *fp_ident(void) @@ -25,9 +27,11 @@ if (sizeof(fp_digit) == sizeof(fp_word)) { strncat(buf, "WARNING: sizeof(fp_digit) == sizeof(fp_word), this build is likely to not work properly.\n", +Index: configure +=================================================================== --- configure.orig +++ configure -@@ -812,6 +812,7 @@ FGREP +@@ -814,6 +814,7 @@ FGREP SED LIBTOOL LIBCLAMAV_VERSION @@ -35,7 +39,7 @@ EGREP GREP CPP -@@ -922,6 +923,7 @@ ac_user_opts=' +@@ -924,6 +925,7 @@ ac_user_opts=' enable_option_checking enable_dependency_tracking enable_silent_rules 
@@ -43,7 +47,7 @@ enable_static enable_shared with_pic -@@ -1641,6 +1643,8 @@ Optional Features: +@@ -1644,6 +1646,8 @@ Optional Features: --enable-silent-rules less verbose build output (undo: "make V=1") --disable-silent-rules verbose build output (undo: "make V=0") --enable-static[=PKGS] build static libraries [default=no] @@ -52,7 +56,7 @@ --enable-shared[=PKGS] build shared libraries [default=yes] --enable-fast-install[=PKGS] optimize for fast installation [default=yes] -@@ -5923,6 +5927,26 @@ $as_echo "$ac_cv_safe_to_define___extens +@@ -5927,6 +5931,26 @@ $as_echo "$ac_cv_safe_to_define___extens $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h @@ -78,4 +82,4 @@ +_ACEOF - VERSION="0.101.3" + VERSION="0.101.4" diff --git a/clamav.changes b/clamav.changes index 91c9814..aa822f7 100644 --- a/clamav.changes +++ b/clamav.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Wed Sep 4 19:12:01 UTC 2019 - Andreas Stieger + +- update to 0.101.4: + * CVE-2019-12900: An out of bounds write in the NSIS bzip2 + (boo#1149458) + * CVE-2019-12625: Introduce a configurable time limit to mitigate + zip bomb vulnerability completely. Default is 2 minutes, + configurable useing the clamscan --max-scantime and for clamd + using the MaxScanTime config option (boo#1144504) + ------------------------------------------------------------------- Tue Aug 6 15:34:08 UTC 2019 - Reinhard Max diff --git a/clamav.spec b/clamav.spec index 585cea3..ea4cf50 100644 --- a/clamav.spec +++ b/clamav.spec @@ -20,7 +20,7 @@ %define clamav_check --enable-check Name: clamav -Version: 0.101.3 +Version: 0.101.4 Release: 0 Summary: Antivirus Toolkit License: GPL-2.0-only