Accepting request 750749 from home:adkorte:branches:security

- update to 0.102.1 * CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may occur when scanning a specially crafted email file as a result of excessively long scan times. The issue is resolved by implementing several maximums in parsing MIME messages and by optimizing use of memory allocation. * Build system fixes to build clamav-milter, to correctly link with libxml2 when detected, and to correctly detect fanotify for on-access scanning feature support. * Signature load time is significantly reduced by changing to a more efficient algorithm for loading signature patterns and allocating the AC trie. Patch courtesy of Alberto Wu. * Introduced a new configure option to statically link libjson-c with libclamav. Static linking with libjson is highly recommended to prevent crashes in applications that use libclamav alongside another JSON parsing library. * Null-dereference fix in email parser when using the --gen-json metadata option. * Fixes for Authenticode parsing and certificate signature (.crb database) bugs. - dropped clamav-fix_building_milter.patch (upstreamed) - update to 0.102.0 * The On-Access Scanning feature has been migrated out of clamd and into a brand new utility named clamonacc. This utility is similar to clamdscan and clamav-milter in that it acts as a client to clamd. This separation from clamd means that clamd no longer needs to run with root privileges while scanning potentially malicious files. Instead, clamd may drop privileges to run under an account that does not have super-user. In addition to improving the security posture of running clamd with On-Access enabled, this update fixed a few outstanding defects: - On-Access scanning for created and moved files (Extra-Scanning) is fixed. - VirusEvent for On-Access scans is fixed. - With clamonacc, it is now possible to copy, move, or remove a file if the scan triggered an alert, just like with clamdscan. * The freshclam database update utility has undergone a significant update. This includes: - Added support for HTTPS. - Support for database mirrors hosted on ports other than 80. - Removal of the mirror management feature (mirrors.dat). - An all new libfreshclam library API. - created new subpackage libfreshclam2 - dropped clamav-max_patch.patch (upstreamed) - added clamav-fix_building_milter.patch to fix build of milter OBS-URL: https://build.opensuse.org/request/show/750749 OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=193
2019-11-25 23:01:55 +00:00 · 2019-11-25 23:01:55 +00:00 · 419e234024
commit 419e234024
parent 61f3c20dcc
10 changed files with 83 additions and 56 deletions
--- a/clamav-0.101.4.tar.gz
+++ b/clamav-0.101.4.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0bf094f0919d158a578421d66bc2569c8c8181233ba162bb51722f98c802bccd
-size 21408145
--- a/clamav-0.101.4.tar.gz.sig
+++ b/clamav-0.101.4.tar.gz.sig
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJdXCszAAoJEPE/nha8pb+tAjsP/RsKRXprSsubOacVYYaz5ItZ
-psOcDrqf+u7K+fWKx9lQzIEfyeD6BcH75WRU+juPvuWCkEVrKBaU0Xm3FtZKr589
-mUzT7GpALdkIQor5gc2dqYmM2d3ajcoYFBVwvkMmUuaaz1UBdT7DcL+m56I5gqZr
-IDs7072Ve58drkTm6wGBuawVSgO99w4EKjBDDk+GS9c52BYGUyDp2n65VjMrN+wj
-sSPx19nzRXCNFHQUrPa4Xnz1sE2POuY5HaOEQDHQHOYQp2mFVtmxZjAJqSxwUdY8
-hJgryjQBV+hbgA+1ffNK9EKLzkZLZiSzaA3kkMW3ILzCGc2Wq8iHsKgO/y/DJVE3
-Vb3tEcnToss9wFNm710Ykn15+xvYn+5FcNE5MgUk8pmYqwWkSF3qv4pycnTLGW1e
-lK6+o37tsDsC8ZBTRtrkePmpw1VG+21peaBEWFZ5BMmN7Lg/HkilAzoq5+Q8ECnJ
-tg43n7Mc+w8LwfDfUtcPxQ395kOyMt5vqJ92XJiGoKW2I12YUetYiYkUKACxEVN8
-wTi4P13iIDPxGGmdpEAONI+ow4vKRk8zFLHuP54fqUYGR+mRV8uz5X6i8j0mWWXa
-ZiD2Mmgk5kkDJ87bWxEjAtLKw/3yHxYt4YjhVXz/7a2rog8f5L65RRazKDiduGa/
-g6v2vqvhQ2r1gnkOfbW4
-=teQA
-----END PGP SIGNATURE-----
--- a/clamav-0.102.1.tar.gz
+++ b/clamav-0.102.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0dbda8d0d990d068732966f13049d112a26dce62145d234383467c1d877dedd6
+size 13215586
--- a/clamav-0.102.1.tar.gz.sig
+++ b/clamav-0.102.1.tar.gz.sig
--- a/clamav-conf.patch
+++ b/clamav-conf.patch
@ -140,17 +140,6 @@
 
 # Stop daemon when libclamav reports out of memory condition.
 #ExitOnOOM yes
-@@ -613,6 +609,10 @@ Example
- ##
- ## On-access Scan Settings
- ##
-+#
-+# When enabling this, you most probably have to set "User root" above,
-+# so that clamav can access the files to be scanned.
-+#
- 
- # Enable on-access scanning. Currently, this is supported via fanotify.
- # Clamuko/Dazuko support has been deprecated.
 --- etc/freshclam.conf.sample.orig
 +++ etc/freshclam.conf.sample
@@ -1,12 +1,8 @@
--- a/clamav-disable-timestamps.patch
+++ b/clamav-disable-timestamps.patch
@ -32,15 +32,15 @@ Index: configure
 --- configure.orig
 +++ configure
@@ -814,6 +814,7 @@ FGREP
- SED
- LIBTOOL
+ LIBFRESHCLAM_VERSION
+ LIBCLAMAV_VERSION_NUM
 LIBCLAMAV_VERSION
 +ENABLE_TIMESTAMPS
+ PACKAGE_VERSION_NUM
 EGREP
 GREP
- CPP
@@ -924,6 +925,7 @@ ac_user_opts='
- enable_option_checking
+ enable_mmap_for_cross_compiling
 enable_dependency_tracking
 enable_silent_rules
 +enable_timestamps
@ -82,4 +82,4 @@ Index: configure
 +_ACEOF
 
 
- VERSION="0.101.4"
+ VERSION="0.102.1"
--- a/clamav-max_patch.patch
+++ b/clamav-max_patch.patch
@ -1,11 +0,0 @@
--- libclamav/others_common.c.orig
-+++ libclamav/others_common.c
-@@ -855,7 +855,7 @@
-     size_t sanitized_index   = 0;
-     char* sanitized_filepath = NULL;
- 
-    if((NULL == filepath) || (0 == filepath_len) || (MAX_PATH < filepath_len)) {
-+    if((NULL == filepath) || (0 == filepath_len) || (PATH_MAX < filepath_len)) {
-         goto done;
-     }
- 
--- a/clamav-obsolete-config.patch
+++ b/clamav-obsolete-config.patch
@ -1,9 +1,9 @@
 --- shared/optparser.c.orig
 +++ shared/optparser.c
@@ -517,6 +517,13 @@ const struct clam_option __clam_options[
-     { "ClamukoExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_DEPRECATED, "", "" },
-     { "ClamukoMaxFileSize", NULL, 0, CLOPT_TYPE_SIZE, MATCH_SIZE, 5242880, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", "" },
-     { "AllowSupplementaryGroups", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER | OPT_DEPRECATED, "Initialize a supplementary group access (the process must be started by root).", "no" },
+     {"MailFollowURLs", "mail-follow-urls", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "", ""},
+     {"AllowSupplementaryGroups", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER | OPT_DEPRECATED, "Initialize a supplementary group access (the process must be started by root).", "no"},
+     {"ScanOnAccess", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", ""},
 +    { "StatsHostID", "stats-host-id", 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_FRESHCLAM | OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "", "" },
 +    { "StatsEnabled", "enable-stats", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_CLAMSCAN | OPT_DEPRECATED, "", "" },
 +    { "StatsPEDisabled", "disable-pe-stats", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "", "" },
--- a/clamav.changes
+++ b/clamav.changes
@ -1,3 +1,56 @@
+-------------------------------------------------------------------
+Wed Nov 20 19:01:10 UTC 2019 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 0.102.1
+  * CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may
+    occur when scanning a specially crafted email file as a result
+    of excessively long scan times. The issue is resolved by
+    implementing several maximums in parsing MIME messages and by
+    optimizing use of memory allocation.
+  * Build system fixes to build clamav-milter, to correctly link
+    with libxml2 when detected, and to correctly detect fanotify
+    for on-access scanning feature support.
+  * Signature load time is significantly reduced by changing to a
+    more efficient algorithm for loading signature patterns and
+    allocating the AC trie. Patch courtesy of Alberto Wu.
+  * Introduced a new configure option to statically link libjson-c
+    with libclamav. Static linking with libjson is highly
+    recommended to prevent crashes in applications that use
+    libclamav alongside another JSON parsing library.
+  * Null-dereference fix in email parser when using the
+    --gen-json metadata option.
+  * Fixes for Authenticode parsing and certificate signature
+    (.crb database) bugs.
+- dropped clamav-fix_building_milter.patch (upstreamed)
+
+-------------------------------------------------------------------
+Fri Nov  1 09:46:17 UTC 2019 - Arjen de Korte <suse+build@de-korte.org>
+
+- update to 0.102.0
+  * The On-Access Scanning feature has been migrated out of clamd
+    and into a brand new utility named clamonacc. This utility is
+    similar to clamdscan and clamav-milter in that it acts as a
+    client to clamd. This separation from clamd means that clamd no
+    longer needs to run with root privileges while scanning potentially
+    malicious files. Instead, clamd may drop privileges to run under an
+    account that does not have super-user. In addition to improving the
+    security posture of running clamd with On-Access enabled, this
+    update fixed a few outstanding defects:
+    - On-Access scanning for created and moved files (Extra-Scanning)
+      is fixed.
+    - VirusEvent for On-Access scans is fixed.
+    - With clamonacc, it is now possible to copy, move, or remove a
+      file if the scan triggered an alert, just like with clamdscan.
+  * The freshclam database update utility has undergone a significant
+    update. This includes:
+    - Added support for HTTPS.
+    - Support for database mirrors hosted on ports other than 80.
+    - Removal of the mirror management feature (mirrors.dat).
+    - An all new libfreshclam library API.
+- created new subpackage libfreshclam2
+- dropped clamav-max_patch.patch (upstreamed)
+- added clamav-fix_building_milter.patch to fix build of milter
+
 -------------------------------------------------------------------
 Fri Oct 25 14:53:06 UTC 2019 - Reinhard Max <max@suse.com>

--- a/clamav.spec
+++ b/clamav.spec
@ -1,7 +1,7 @@
 #
 # spec file for package clamav
 #
-# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -20,12 +20,12 @@

 %define clamav_check --enable-check
 Name:           clamav
-Version:        0.101.4
+Version:        0.102.1
 Release:        0
 Summary:        Antivirus Toolkit
 License:        GPL-2.0-only
 Group:          Productivity/Security
-Url:            http://www.clamav.net
+URL:            http://www.clamav.net
 Source0:        http://www.clamav.net/downloads/production/%name-%version.tar.gz
 Source1:        http://www.clamav.net/downloads/production/%name-%version.tar.gz.sig
 Source4:        clamav-rpmlintrc
@ -39,8 +39,6 @@ Patch4:         clamav-disable-timestamps.patch
 Patch5:         clamav-obsolete-config.patch
 Patch6:         clamav-disable-yara.patch
 Patch7:         clamav-str-h.patch
-#PATCH-FIX-UPSTREAM clamav-max_patch.patch
-Patch8:         clamav-max_patch.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bc
@ -94,6 +92,14 @@ Group:          System/Libraries
 ClamAV is an antivirus engine designed for detecting trojans,
 viruses, malware and other malicious threats.

+%package -n libfreshclam2
+Summary:        ClamAV updater library
+Group:          System/Libraries
+
+%description -n libfreshclam2
+ClamAV is an antivirus engine designed for detecting trojans,
+viruses, malware and other malicious threats.
+
 %package -n libclammspack0
 Summary:        ClamAV antivirus engine runtime
 Group:          System/Libraries
@ -106,6 +112,7 @@ viruses, malware and other malicious threats.
 Summary:        Development files for libclamav, an antivirus engine
 Group:          Development/Libraries/C and C++
 Requires:       libclamav9 = %version
+Requires:       libfreshclam2 = %version

 %description devel
 ClamAV is an antivirus engine designed for detecting trojans,
@ -121,7 +128,6 @@ that want to make use of libclamav.
 %patch5
 %patch6
 %patch7
-%patch8

 %build
 CFLAGS="-fstack-protector"
@ -195,7 +201,9 @@ VALGRIND_GENSUP=1 make check

 %post   -n libclamav9 -p /sbin/ldconfig
 %postun -n libclamav9 -p /sbin/ldconfig
-%post -n libclammspack0 -p /sbin/ldconfig
+%post   -n libfreshclam2 -p /sbin/ldconfig
+%postun -n libfreshclam2 -p /sbin/ldconfig
+%post   -n libclammspack0 -p /sbin/ldconfig
 %postun -n libclammspack0 -p /sbin/ldconfig

 %files
@ -218,6 +226,9 @@ VALGRIND_GENSUP=1 make check
 %files -n libclamav9
 %_libdir/libclam*.so.9*

+%files -n libfreshclam2
+%_libdir/libfreshclam.so.2*
+
 %if %{with clammspack}
 %files -n libclammspack0
 %_libdir/libclammspack.so.0*
@ -226,6 +237,7 @@ VALGRIND_GENSUP=1 make check
 %files devel
 %_libdir/pkgconfig/*
 %_libdir/libclam*.so
+%_libdir/libfreshclam*.so
 %_includedir/*

 %pre