diff --git a/clamav-0.91.2.tar.bz2 b/clamav-0.91.2.tar.bz2 deleted file mode 100644 index 8f699bd..0000000 --- a/clamav-0.91.2.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:73e0b9e80da9fd30e4c8bee293fd39a220fc73af67e126d44ac0df1c2bfe1f44 -size 12967327 diff --git a/clamav-0.92.1.tar.bz2 b/clamav-0.92.1.tar.bz2 new file mode 100644 index 0000000..f79ccb8 --- /dev/null +++ b/clamav-0.92.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5c694084f662d294ed18820e460a60d65774711f5dd383af18324a8e2e77705f +size 14869157 diff --git a/clamav-conf.patch b/clamav-conf.patch index db81bb4..81f3afa 100644 --- a/clamav-conf.patch +++ b/clamav-conf.patch @@ -38,17 +38,16 @@ # Optional path to the global temporary directory. # Default: system specific (usually /tmp or /var/tmp). -@@ -69,22 +65,22 @@ +@@ -69,7 +65,7 @@ # Path to a local socket file the daemon will listen on. # Default: disabled (must be specified by a user) -LocalSocket /tmp/clamd.socket -+#LocalSocket /var/lib/clamav/clamd-socket ++LocalSocket /var/lib/clamav/clamd-socket # Remove stale socket after unclean shutdown. # Default: no --#FixStaleSocket yes -+FixStaleSocket yes +@@ -77,14 +73,14 @@ # TCP port address. # Default: no @@ -65,16 +64,16 @@ # Maximum length the queue of pending connections may grow to. # Default: 15 -@@ -142,7 +138,7 @@ - # Run as another user (clamd must be started by root to make this option - # working). +@@ -141,7 +137,7 @@ + + # Run as another user (clamd must be started by root for this option to work) # Default: don't drop privileges -#User clamav +User vscan # Initialize supplementary group access (clamd must be started by root). # Default: no -@@ -323,6 +319,10 @@ +@@ -326,6 +322,10 @@ ## # Enable Clamuko. Dazuko (/dev/dazuko) must be configured and running. diff --git a/clamav-milter-sysconfig b/clamav-milter-sysconfig new file mode 100644 index 0000000..a9e5535 --- /dev/null 
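Review bot: The refreshed clamd.conf patch now ships `LocalSocket /var/lib/clamav/clamd-socket` enabled but no longer carries the `FixStaleSocket yes` change, while the hunk's own context still reads `# Default: no` for that option. Unless the 0.92.1 sample config already enables FixStaleSocket (not visible in this diff), a socket file left behind by an unclean shutdown may keep clamd from binding on the next start. If upstream does not set it, the `-#FixStaleSocket yes` / `+FixStaleSocket yes` pair should stay in the patch.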
+++ b/clamav-milter-sysconfig
@@ -0,0 +1 @@
+CLAMAV_MILTER_OPTIONS=""
diff --git a/clamav-open.patch b/clamav-open.patch
deleted file mode 100644
index d5c009c..0000000
--- a/clamav-open.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- shared/misc.c
-+++ shared/misc.c
-@@ -165,7 +165,7 @@
- if((s = open(src, O_RDONLY|O_BINARY)) == -1)
- return -1;
-
-- if((d = open(dest, O_CREAT|O_WRONLY|O_TRUNC|O_BINARY)) == -1) {
-+ if((d = open(dest, O_CREAT|O_WRONLY|O_TRUNC|O_BINARY, 0600)) == -1) {
- close(s);
- return -1;
- }
diff --git a/clamav-rcmilter b/clamav-rcmilter
new file mode 100644
index 0000000..8977dfa
--- /dev/null
+++ b/clamav-rcmilter
@@ -0,0 +1,171 @@
+#!/bin/sh
+#
+# SUSE system startup script for clamav-milter
+# Copyright (C) 1995--2005 Kurt Garloff, SUSE / Novell Inc.
+# Copyright (C) 2007 Reinhard Max, SUSE / Novell Inc.
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or (at
+# your option) any later version.
+#
+# This library is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307,
+# USA.
+#
+# /etc/init.d/clamav-milter
+# and its symbolic link
+# /(usr/)sbin/rcclamav-milter
+#
+
+### BEGIN INIT INFO
+# Provides: clamav-milter
+# Required-Start: clamd $syslog $remote_fs
+# Required-Stop: clamd $syslog $remote_fs
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Short-Description: milter compatible mail scanner
+# Description: Start clamav-milter, which is needed to
+# use ClamAV for virus scanning in a sendmail environment.
+### END INIT INFO
+
+
+# Check for missing binaries (stale symlinks should not happen)
+# Note: Special treatment of stop for LSB conformance
+CLAMAV_MILTER_BIN=/usr/sbin/clamav-milter
+PIDFILE=/var/lib/clamav/clamav-milter.pid
+test -x $CLAMAV_MILTER_BIN || { echo "$CLAMAV_MILTER_BIN not installed";
+ if [ "$1" = "stop" ]; then exit 0;
+ else exit 5; fi; }
+
+# Check for existence of needed config file and read it
+CLAMAV_MILTER_CONFIG=/etc/sysconfig/clamav-milter
+test -r $CLAMAV_MILTER_CONFIG || { echo "$CLAMAV_MILTER_CONFIG not existing";
+ if [ "$1" = "stop" ]; then exit 0;
+ else exit 6; fi; }
+
+# Read config
+. $CLAMAV_MILTER_CONFIG
+
+# Source LSB init functions
+. /etc/rc.status
+
+# Reset status of this service
+rc_reset
+
+# Return values acc. to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - user had insufficient privileges
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+# 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl)
+#
+# Note that starting an already running service, stopping
+# or restarting a not-running service as well as the restart
+# with force-reload (in case signaling is not supported) are
+# considered a success.
+
+case "$1" in
+ start)
+ echo -n "Starting clamav-milter "
+ ## Start daemon with startproc(8). If this fails
+ ## the return value is set appropriately by startproc.
+ /sbin/startproc -p $PIDFILE $CLAMAV_MILTER_BIN -i $PIDFILE
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ stop)
+ echo -n "Shutting down clamav-milter "
+ ## Stop daemon with killproc(8) and if this fails
+ ## killproc sets the return value according to LSB.
+
+ /sbin/killproc -TERM -p $PIDFILE $CLAMAV_MILTER_BIN
+
+ # Remember status and be verbose
+ rc_status -v
+ ;;
+ try-restart|condrestart)
+ ## Do a restart only if the service was active before.
+ ## Note: try-restart is now part of LSB (as of 1.9).
+ ## RH has a similar command named condrestart.
+ if test "$1" = "condrestart"; then
+ echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
+ fi
+ $0 status
+ if test $? = 0; then
+ $0 restart
+ else
+ rc_reset # Not running is not a failure.
+ fi
+ # Remember status and be quiet
+ rc_status
+ ;;
+ restart)
+ ## Stop the service and regardless of whether it was
+ ## running or not, start it again.
+ $0 stop
+ $0 start
+
+ # Remember status and be quiet
+ rc_status
+ ;;
+ force-reload)
+ ## Signal the daemon to reload its config. Most daemons
+ ## do this on signal 1 (SIGHUP).
+ ## If it does not support it, restart the service if it
+ ## is running.
+ $0 try-restart
+ rc_status
+ ;;
+ reload)
+ ## Like force-reload, but if daemon does not support
+ ## signaling, do nothing (!)
+
+ rc_failed 3
+ rc_status -v
+ ;;
+ status)
+ echo -n "Checking for clamav-milter "
+ ## Check status with checkproc(8), if process is running
+ ## checkproc will return with exit status 0.
+
+ # Return value is slightly different for the status command:
+ # 0 - service up and running
+ # 1 - service dead, but /var/run/ pid file exists
+ # 2 - service dead, but /var/lock/ lock file exists
+ # 3 - service not running (unused)
+ # 4 - service status unknown :-(
+ # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)
+
+ # NOTE: checkproc returns LSB compliant status values.
+ /sbin/checkproc -p $PIDFILE $CLAMAV_MILTER_BIN
+ # NOTE: rc_status knows that we called this init script with
+ # "status" option and adapts its messages accordingly.
+ rc_status -v
+ ;;
+ probe)
+ ## Optional: Probe for the necessity of a reload, print out the
+ ## argument to this init script which is required for a reload.
+ ## Note: probe is not (yet) part of LSB (as of 1.9)
+
+ test /etc/clamd.conf -nt $PIDFILE -o \
+ /etc/sysconfig/clamav-milter -nt $PIDFILE \
+ && echo reload
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
+ exit 1
+ ;;
+esac
+rc_exit
diff --git a/clamav-regex.patch b/clamav-regex.patch
new file mode 100644
index 0000000..e06920d
--- /dev/null
+++ b/clamav-regex.patch
@@ -0,0 +1,10 @@
+--- libclamav/regex/engine.c
++++ libclamav/regex/engine.c
+@@ -662,6 +662,7 @@
+ /* "can't happen" */
+ assert(nope);
+ /* NOTREACHED */
++ return(NULL);
+ }
+
+ /*
diff --git a/clamav-rpmlintrc b/clamav-rpmlintrc
index 712d42e..dd42f83 100644
--- a/clamav-rpmlintrc
+++ b/clamav-rpmlintrc
@@ -1,2 +1,3 @@
 addFilter("non-standard-uid.*")
 addFilter("devel-file-in-non-devel-package.*")
+addFilter("obsolete-not-provided")
diff --git a/clamav.changes b/clamav.changes
index 9fa403b..7838047 100644
--- a/clamav.changes
+++ b/clamav.changes
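Review bot: `CLAMAV_MILTER_OPTIONS` is sourced from /etc/sysconfig/clamav-milter but the `start)` branch of the new init script never passes it to the daemon, so whatever an administrator sets there is silently ignored; the startproc line should read `/sbin/startproc -p $PIDFILE $CLAMAV_MILTER_BIN -i $PIDFILE $CLAMAV_MILTER_OPTIONS`. The `probe)` branch prints `reload` although `reload)` is hard-wired to `rc_failed 3` (unimplemented), so probe should print `restart` instead. The pid file is kept in /var/lib/clamav; if that directory is writable by the service account (not visible in this hunk), it is worth confirming that killproc's check against `$CLAMAV_MILTER_BIN` is enough to keep an altered pid file from steering root's TERM signal to another process.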
@@ -1,8 +1,31 @@ +------------------------------------------------------------------- +Wed Feb 13 12:12:56 CET 2008 - max@suse.de + +- Security update 0.92.1: (bnc#361374) + * CVE-2008-0318: libclamav PE File Integer Overflow Vulnerability + * CVE-2008-0728: heap corruption + ------------------------------------------------------------------- Tue Jan 15 21:21:41 CET 2008 - aj@suse.de - Fix open call to build again. +------------------------------------------------------------------- +Fri Dec 14 14:56:29 CET 2007 - max@suse.de + +- Security update 0.92 (#343277): + * CVE-2007-6335 - MEW PE File Integer Overflow + * CVE-2007-6336 - Off-by-one error in LZX_READ_HUFFSYM() + * CVE-2007-6337 - bzlib issue +- Make clamd error out if /dev/null can't be opened (#300019). + +------------------------------------------------------------------- +Mon Nov 5 16:50:30 CET 2007 - max@suse.de + +- Added sendmail and sendmail-devel to BuildRequires. +- Enabled clamav-milter and added an init script for it. + (fate#302362) + ------------------------------------------------------------------- Tue Aug 21 18:55:36 CEST 2007 - max@suse.de diff --git a/clamav.spec b/clamav.spec index b6f01fb..4978afb 100644 --- a/clamav.spec +++ b/clamav.spec @@ -1,5 +1,5 @@ # -# spec file for package clamav (Version 0.91.2) +# spec file for package clamav (Version 0.92.1) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine 
@@ -10,20 +10,26 @@ # norootforbuild + Name: clamav %if 0%{?suse_version} >= 1010 || 0%{!?suse_version:1} -BuildRequires: bc gmp-devel pkgconfig tcpd-devel zlib-devel +BuildRequires: bc gmp-devel pkgconfig zlib-devel %endif %if 0%{?suse_version} > 1020 BuildRequires: pwdutils %endif +%if 0%{?suse_version} >= 0910 +BuildRequires: tcpd-devel +%endif +BuildRequires: sendmail sendmail-devel Summary: Antivirus Toolkit -Version: 0.91.2 -Release: 34 +Version: 0.92.1 +Release: 1 License: GPL v2 or later Group: Productivity/Security Url: http://www.clamav.net Requires: latex2html-pngicons +PreReq: %insserv_prereq %fillup_prereq Obsoletes: clamav-db < 0.88.3 PreReq: %_sbindir/groupadd %_sbindir/useradd /usr/bin/awk /bin/sed Source0: %{name}-%{version}.tar.bz2 @@ -31,8 +37,10 @@ Source1: clamav-rcclamd Source2: clamav-rcfreshclam Source3: clamav-updateclamconf Source4: clamav-rpmlintrc -Patch1: %name-conf.patch -Patch2: %name-open.patch +Source5: clamav-rcmilter +Source6: clamav-milter-sysconfig +Patch1: clamav-conf.patch +Patch3: clamav-regex.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -53,7 +61,7 @@ Authors: %package db Group: Productivity/Security Summary: Virus Database for ClamAV -PreReq: clamav sed +PreReq: clamav sed /bin/cp %description db This package contains a snapshot of the virus description database for @@ -70,7 +78,7 @@ Authors: %prep %setup -q %patch1 -%patch2 +%patch3 %build %if %suse_version >= 1010 @@ -89,7 +97,8 @@ export CFLAGS="%optflags -fno-strict-aliasing $SP" --with-group=vscan \ --with-tcpwrappers \ --with-libcurl \ - --disable-zlib-vcheck + --disable-zlib-vcheck \ + --enable-milter make %{?jobs:-j%jobs} # SLES8 does not support %check %if 0%{?suse_version} > 810 || 0%{!?suse_version:1} 
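Review bot: Dropping `Patch2` (clamav-open.patch) in the `@@ -31,8 +37,10 @@` hunk removes the explicit `0600` mode that the packaged patch passed to the `open(dest, O_CREAT|O_WRONLY|O_TRUNC|O_BINARY, ...)` call in shared/misc.c, and nothing in this diff shows that 0.92.1 carries the same fix upstream. An `O_CREAT` open without a mode argument creates the file with indeterminate permissions, so the 0.92.1 source should be checked before relying on the removal. A one-line comment above `Patch3: clamav-regex.patch`, such as `# adds the missing return after assert() in libclamav/regex/engine.c`, would also tell the next packager why the patch exists and when it can go.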
@@ -99,13 +108,17 @@ make %{?jobs:-j%jobs} make check %install -rm -rf %buildroot %makeinstall +ln -sf docs/html/{clamdoc,index}.html mkdir -p %buildroot/etc/init.d install -m755 %SOURCE1 %buildroot/etc/init.d/clamd ln -s /etc/init.d/clamd %buildroot%_sbindir/rcclamd install -m755 %SOURCE2 %buildroot/etc/init.d/freshclam ln -s /etc/init.d/freshclam %buildroot%_sbindir/rcfreshclam +install -m755 %SOURCE5 %buildroot/etc/init.d/clamav-milter +ln -s /etc/init.d/clamav-milter %buildroot%_sbindir/rcclamav-milter +mkdir -p %buildroot/var/adm/fillup-templates +install -m644 %SOURCE6 %buildroot/var/adm/fillup-templates/sysconfig.clamav-milter install -m755 %SOURCE3 %buildroot%_sbindir/updateclamconf touch %buildroot/var/lib/clamav/{clamd,freshclam}.pid for f in %buildroot/var/lib/clamav/*.cvd; do @@ -137,6 +150,7 @@ rm -rf %buildroot %dir /var/lib/clamav %ghost /var/lib/clamav/*.pid %ghost /var/lib/clamav/*.cvd +/var/adm/fillup-templates/* %files db %defattr(-,vscan,vscan) @@ -150,12 +164,14 @@ rm -rf %buildroot %post %run_ldconfig +%{?fillup_only:%fillup_only -n clamav-milter} # merge config files on update test "0$1" -lt 2 && exit 0 # The old default to run clamd in foreground mode was wrong OVERRIDE="Foreground no" for f in /etc/clamd.conf /etc/freshclam.conf; do if test -e $f.rpmnew; then + echo "Merging $f and $f.rpmnew" %_sbindir/updateclamconf -v override="$OVERRIDE" $f $f.rpmnew > $f.tmp if test $? == 0; then mv $f $f.old 
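Review bot: The added `ln -sf docs/html/{clamdoc,index}.html` in `%install` expands to `ln -sf docs/html/clamdoc.html docs/html/index.html`, and a relative symlink target is resolved from the link's own directory, so `index.html` ends up pointing at `docs/html/docs/html/clamdoc.html`, which presumably does not exist. `ln -sf clamdoc.html docs/html/index.html` produces the intended link. The same hunk also removes `rm -rf %buildroot` ahead of `%makeinstall`; on rpm versions that do not clean the build root themselves, files left from an earlier build could end up in the package, so keeping that line is the safer choice.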
@@ -207,8 +223,22 @@ for distfile in {main,daily}.cvd.dist; do done %changelog +* Wed Feb 13 2008 max@suse.de +- Security update 0.92.1: (bnc#361374) + * CVE-2008-0318: libclamav PE File Integer Overflow Vulnerability + * CVE-2008-0728: heap corruption * Tue Jan 15 2008 aj@suse.de - Fix open call to build again. +* Fri Dec 14 2007 max@suse.de +- Security update 0.92 (#343277): + * CVE-2007-6335 - MEW PE File Integer Overflow + * CVE-2007-6336 - Off-by-one error in LZX_READ_HUFFSYM() + * CVE-2007-6337 - bzlib issue +- Make clamd error out if /dev/null can't be opened (#300019). +* Mon Nov 05 2007 max@suse.de +- Added sendmail and sendmail-devel to BuildRequires. +- Enabled clamav-milter and added an init script for it. + (fate#302362) * Tue Aug 21 2007 max@suse.de - Bugfix update 0.91.2. - Fixes some NULL dereferences and variable initialisation problems