- New version 1.4.1:

* [CVE-2024-20506, bsc#1230162]: Changed the logging module to disable following symlinks on Linux and Unix systems so as to prevent an attacker with existing access to the 'clamd' or 'freshclam' services from using a symlink to corrupt system files. * [CVE-2024-20505, bsc#1230161]: Fixed a possible out-of-bounds read bug in the PDF file parser that could cause a denial-of-service (DoS) condition. * https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html - New version 1.4.0: * Added support for extracting ALZ archives. * Added support for extracting LHA/LZH archives. * Added the ability to disable image fuzzy hashing, if needed. For context, image fuzzy hashing is a detection mechanism useful for identifying malware by matching images included with the malware or phishing email/document. * https://blog.clamav.net/2024/08/clamav-140-feature-release-and-clamav.html OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=264
2024-09-10 13:35:10 +00:00 · 2024-09-10 13:35:10 +00:00 · 4be77ca9be
commit 4be77ca9be
parent 896f44d06a
9 changed files with 113 additions and 14 deletions
--- a/clam.tcl
+++ b/clam.tcl
@ -0,0 +1,38 @@
+#!/usr/bin/tclsh
+package require Expect
+
+proc pne {x} {
+    if {$x != ""} {
+	puts $x
+    }
+}
+
+set x 0
+set L ""
+set C ""
+log_user 0
+spawn clamscan eicar_test_files
+expect_before -re "((L|C)\[^\r\]*)\r" {
+    set $expect_out(2,string) $expect_out(1,string)
+    exp_continue
+} eof {
+    pne $L
+    pne $C
+    pne $expect_out(buffer)
+    puts "*** clamscan died! ***"
+    exit 1
+}
+expect "\n"; # newline after "Loading: ..."
+expect "\n"; # newline after "Compiling: ..."
+expect_before
+pne $L
+pne $C
+puts ""
+log_user 1
+expect "FOUND" {
+    incr x
+    exp_continue
+} eof
+if {$x ne 3} {
+    exit 1
+}
--- a/clamav-1.4.1.tar.gz
+++ b/clamav-1.4.1.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a318e780ac39a6b3d6c46971382f96edde97ce48b8e361eb80e63415ed416ad8
+size 50078871
--- a/clamav-1.4.1.tar.gz.sig
+++ b/clamav-1.4.1.tar.gz.sig
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJm12IWAAoJEMzg39Iewam/rIQQAKv+zANPKfIta+VJRKkD0Wxa
+LJGDBKKifqyM1HiR+YxGMUuElgmpRvozfZ7ifBGvz/IxjPmUag/BNfOl4JVsSAnL
+WsOhUMSEYxLtpJUywFakI58O/yDSvYlpzfcks0nAIjfeQkhTz0vqqYlyEXR7aDCe
+G/5yOGJtuwAiKclgLCTwqlevZ15ff+3z/UIJ9yAfqM9WPXPQA/lJk1Mp1FmIwVfw
+T/0p8kJJj4Z8aH+jXqOXrKnw9L4Acig3axSneN8QcL5tNosMAQOxhkQuYc6g4V+h
+vDX7N3G5UdPo6jpGoF8NmLu2VFGfWEymBzftMqYZ84Jli9t9RGN8UBEueGERjMsh
+9/3NSAdxeDlR5ELB565a+x/pIOOjovERZdXs9UW8U8NXPeDnIuTTFnqip3e21OGY
+WP3ioP85ixzLFDfZVTaLN97ym2+STiPt+KN7QBEUW0cP/wJFlEcXgRHyY3uQ/iET
+grCTApBuNdOzzgm9lSka653AexhaFTAXtp4NJ5xXThQcFzJ+urDAc6LfPzyknHDx
+lfI5bMeW9I6E7CbkFOELqInzAk6uMZFxbp4Qte8so3GFdCTPtFVTbS4v+Ctx3oi
+r6oIEFLzhbbNz8lX4JrmXTO1WLiy8uoS4xCEEpITAG9iDvPZ2N7iaTiBgI1B4jNN
+W/t/iIUkO7udL0eyZBzF
+=6wKd
+-----END PGP SIGNATURE-----
--- a/clamav-conf.patch
+++ b/clamav-conf.patch
@ -123,7 +123,7 @@
 
 # Stop daemon when libclamav reports out of memory condition.
 #ExitOnOOM yes
-@@ -708,7 +704,7 @@ Example
+@@ -727,7 +723,7 @@ Example
 # multiple OnAccessIncludePath directives but each directory must be added
 # in a separate line.
 # Default: disabled
@ -132,7 +132,7 @@
 #OnAccessIncludePath /students
 
 # Set the exclude paths. All subdirectories are also excluded.
-@@ -778,7 +774,7 @@ Example
+@@ -797,7 +793,7 @@ Example
 # It has the same potential race condition limitations of the
 # OnAccessExcludeUID option.
 # Default: disabled
@ -156,8 +156,8 @@
 -
 # Path to the database directory.
 # WARNING: It must match clamd.conf's directive!
- # Default: hardcoded (depends on installation options)
-@@ -52,12 +48,12 @@ Example
+ # WARNING: It must already exist, be an absolute path, be writeable by
+@@ -54,12 +50,12 @@ Example
 # It is recommended that the directory where this file is stored is
 # also owned by root to keep other users from tampering with it.
 # Default: disabled
@ -172,7 +172,7 @@
 
 # Use DNS to verify virus database version. FreshClam uses DNS TXT records
 # to verify database and software versions. With this directive you can change
-@@ -148,7 +144,7 @@ DatabaseMirror database.clamav.net
+@@ -150,7 +146,7 @@ DatabaseMirror database.clamav.net
 
 # Send the RELOAD command to clamd.
 # Default: no
--- a/clamav-format.patch
+++ b/clamav-format.patch
@ -64,7 +64,7 @@
     }
 --- libclamav/pe.c.orig
 +++ libclamav/pe.c
-@@ -5185,12 +5185,12 @@ cl_error_t cli_peheader(fmap_t *map, str
+@@ -5117,12 +5117,12 @@ cl_error_t cli_peheader(fmap_t *map, str
 
                 /* If a section is truncated, adjust its size value */
                 if (!CLI_ISCONTAINED_0_TO(fsize, section->raw, section->rsz)) {
@ -81,7 +81,7 @@
             }
 --- libfreshclam/libfreshclam_internal.c.orig
 +++ libfreshclam/libfreshclam_internal.c
-@@ -226,7 +226,7 @@ fc_error_t load_freshclam_dat(void)
+@@ -229,7 +229,7 @@ fc_error_t load_freshclam_dat(void)
             if (-1 == lseek(handle, strlen(MIRRORS_DAT_MAGIC), SEEK_SET)) {
                 char error_message[260];
                 cli_strerror(errno, error_message, 260);
@ -92,7 +92,7 @@
 
 --- unit_tests/check_clamav.c.orig
 +++ unit_tests/check_clamav.c
-@@ -1939,7 +1939,7 @@ void diff_file_mem(int fd, const char *r
+@@ -1925,7 +1925,7 @@ void diff_file_mem(int fd, const char *r
 
     ck_assert_msg(!!buf, "unable to malloc buffer: %zu", len);
     p = read(fd, buf, len);
@ -101,7 +101,7 @@
     p = 0;
     while (len > 0) {
         c1 = ref[p];
-@@ -1950,10 +1950,10 @@ void diff_file_mem(int fd, const char *r
+@@ -1936,10 +1936,10 @@ void diff_file_mem(int fd, const char *r
         len--;
     }
     if (len > 0)
@ -114,7 +114,7 @@
     close(fd);
 }
 
-@@ -1969,7 +1969,7 @@ void diff_files(int fd, int ref_fd)
+@@ -1955,7 +1955,7 @@ void diff_files(int fd, int ref_fd)
 
     ck_assert_msg(lseek(ref_fd, 0, SEEK_SET) == 0, "lseek failed");
     nread = read(ref_fd, ref, siz);
@ -154,7 +154,7 @@
     rc = memcmp(p, expect, expect_len);
 --- libclamav/others_common.c.orig
 +++ libclamav/others_common.c
-@@ -312,7 +312,7 @@ char *cli_strdup(const char *s)
+@@ -362,7 +362,7 @@ char *cli_safer_strdup(const char *s)
     }
 
     alloc = strdup(s);
@ -162,4 +162,4 @@
 +    
     if (!alloc) {
         perror("strdup_problem");
-         cli_errmsg("cli_strdup(): Can't allocate memory (%u bytes).\n", (unsigned int)strlen(s));
+         cli_errmsg("cli_safer_strdup(): Can't allocate memory (%u bytes).\n", (unsigned int)strlen(s));
--- a/clamav-obsolete-config.patch
+++ b/clamav-obsolete-config.patch
@ -1,6 +1,6 @@
 --- common/optparser.c.orig
 +++ common/optparser.c
-@@ -598,6 +598,13 @@ const struct clam_option __clam_options[
+@@ -602,6 +602,13 @@ const struct clam_option __clam_options[
     {"MailFollowURLs", "mail-follow-urls", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "", ""},
     {"AllowSupplementaryGroups", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER | OPT_DEPRECATED, "Initialize a supplementary group access (the process must be started by root).", "no"},
     {"ScanOnAccess", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", ""},
--- a/clamav.changes
+++ b/clamav.changes
@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Tue Sep 10 13:05:08 UTC 2024 - Reinhard Max <max@suse.com>
+
+- New version 1.4.1:
+  * [CVE-2024-20506, bsc#1230162]: Changed the logging module to
+    disable following symlinks on Linux and Unix systems so as to
+    prevent an attacker with existing access to the 'clamd' or
+    'freshclam' services from using a symlink to corrupt system
+    files.
+  * [CVE-2024-20505, bsc#1230161]: Fixed a possible out-of-bounds
+    read bug in the PDF file parser that could cause a
+    denial-of-service (DoS) condition.
+  * https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html
+
+- New version 1.4.0:
+  * Added support for extracting ALZ archives.
+  * Added support for extracting LHA/LZH archives.
+  * Added the ability to disable image fuzzy hashing, if needed.
+    For context, image fuzzy hashing is a detection mechanism
+    useful for identifying malware by matching images included with
+    the malware or phishing email/document.
+  * https://blog.clamav.net/2024/08/clamav-140-feature-release-and-clamav.html
+
 -------------------------------------------------------------------
 Wed Sep  4 19:29:48 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>

--- a/clamav.spec
+++ b/clamav.spec
@ -32,7 +32,7 @@
 %global confdir %_prefix%_sysconfdir

 Name:           clamav
-Version:        1.3.2
+Version:        1.4.1
 Release:        0
 Summary:        Antivirus Toolkit
 License:        GPL-2.0-only
@ -205,6 +205,7 @@ chmod -x docs/html/images/flamegraph.svg
    -DENABLE_CLAMONACC=ON \
    -DENABLE_MILTER=ON \
    -DSYSTEMD_UNIT_DIR=%{_unitdir} \
+    -DPCRE2_LIBRARY=%{_libdir}/libpcre2-8.so \
 %if %{without clammspack}
    -DENABLE_EXTERNAL_MSPACK=ON
 %endif
--- a/clamscan.log
+++ b/clamscan.log
@ -0,0 +1,18 @@
+
+-------------------------------------------------------------------------------
+
+/abuild/max/OBS/security/clamav/eicar/eicar.zip: Eicar-Signature FOUND
+/abuild/max/OBS/security/clamav/eicar/eicar.txt: Eicar-Signature FOUND
+/abuild/max/OBS/security/clamav/eicar/eicar.pdf: Pdf.Dropper.Agent-7001939-0 FOUND
+
+----------- SCAN SUMMARY -----------
+Known viruses: 8695659
+Engine version: 1.3.1
+Scanned directories: 1
+Scanned files: 3
+Infected files: 3
+Data scanned: 0.00 MB
+Data read: 0.00 MB (ratio 1.00:1)
+Time: 15.206 sec (0 m 15 s)
+Start Date: 2024:07:04 18:40:39
+End Date:   2024:07:04 18:40:54