From 4be77ca9becdd088ed39b3acb3dd060cf6bad6f359bdf8811094c7265d5162e2 Mon Sep 17 00:00:00 2001 From: Reinhard Max Date: Tue, 10 Sep 2024 13:35:10 +0000 Subject: [PATCH] - New version 1.4.1: * [CVE-2024-20506, bsc#1230162]: Changed the logging module to disable following symlinks on Linux and Unix systems so as to prevent an attacker with existing access to the 'clamd' or 'freshclam' services from using a symlink to corrupt system files. * [CVE-2024-20505, bsc#1230161]: Fixed a possible out-of-bounds read bug in the PDF file parser that could cause a denial-of-service (DoS) condition. * https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html - New version 1.4.0: * Added support for extracting ALZ archives. * Added support for extracting LHA/LZH archives. * Added the ability to disable image fuzzy hashing, if needed. For context, image fuzzy hashing is a detection mechanism useful for identifying malware by matching images included with the malware or phishing email/document. * https://blog.clamav.net/2024/08/clamav-140-feature-release-and-clamav.html OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=264 --- clam.tcl | 38 ++++++++++++++++++++++++++++++++++++ clamav-1.4.1.tar.gz | 3 +++ clamav-1.4.1.tar.gz.sig | 16 +++++++++++++++ clamav-conf.patch | 10 +++++----- clamav-format.patch | 14 ++++++------- clamav-obsolete-config.patch | 2 +- clamav.changes | 23 ++++++++++++++++++++++ clamav.spec | 3 ++- clamscan.log | 18 +++++++++++++++++ 9 files changed, 113 insertions(+), 14 deletions(-) create mode 100644 clam.tcl create mode 100644 clamav-1.4.1.tar.gz create mode 100644 clamav-1.4.1.tar.gz.sig create mode 100644 clamscan.log diff --git a/clam.tcl b/clam.tcl new file mode 100644 index 0000000..dd4e3e8 --- /dev/null +++ b/clam.tcl 
@@ -0,0 +1,38 @@
+#!/usr/bin/tclsh
+package require Expect
+
+proc pne {x} {
+ if {$x != ""} {
+ puts $x
+ }
+}
+
+set x 0
+set L ""
+set C ""
+log_user 0
+spawn clamscan eicar_test_files
+expect_before -re "((L|C)\[^\r\]*)\r" {
+ set $expect_out(2,string) $expect_out(1,string)
+ exp_continue
+} eof {
+ pne $L
+ pne $C
+ pne $expect_out(buffer)
+ puts "*** clamscan died! ***"
+ exit 1
+}
+expect "\n"; # newline after "Loading: ..."
+expect "\n"; # newline after "Compiling: ..."
+expect_before
+pne $L
+pne $C
+puts ""
+log_user 1
+expect "FOUND" {
+ incr x
+ exp_continue
+} eof
+if {$x ne 3} {
+ exit 1
+}
diff --git a/clamav-1.4.1.tar.gz b/clamav-1.4.1.tar.gz
new file mode 100644
index 0000000..bba20bc
--- /dev/null
+++ b/clamav-1.4.1.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a318e780ac39a6b3d6c46971382f96edde97ce48b8e361eb80e63415ed416ad8
+size 50078871
diff --git a/clamav-1.4.1.tar.gz.sig b/clamav-1.4.1.tar.gz.sig
new file mode 100644
index 0000000..70f22be
--- /dev/null
+++ b/clamav-1.4.1.tar.gz.sig
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJm12IWAAoJEMzg39Iewam/rIQQAKv+zANPKfIta+VJRKkD0Wxa
+LJGDBKKifqyM1HiR+YxGMUuElgmpRvozfZ7ifBGvz/IxjPmUag/BNfOl4JVsSAnL
+WsOhUMSEYxLtpJUywFakI58O/yDSvYlpzfcks0nAIjfeQkhTz0vqqYlyEXR7aDCe
+G/5yOGJtuwAiKclgLCTwqlevZ15ff+3z/UIJ9yAfqM9WPXPQA/lJk1Mp1FmIwVfw
+T/0p8kJJj4Z8aH+jXqOXrKnw9L4Acig3axSneN8QcL5tNosMAQOxhkQuYc6g4V+h
+vDX7N3G5UdPo6jpGoF8NmLu2VFGfWEymBzftMqYZ84Jli9t9RGN8UBEueGERjMsh
+9/3NSAdxeDlR5ELB565a+x/pIOOjovERZdXs9UW8U8NXPeDnIuTTFnqip3e21OGY
+WP3ioP85ixzLFDfZVTaLN97ym2+STiPt+KN7QBEUW0cP/wJFlEcXgRHyY3uQ/iET
+grCTApBuNdOzzgm9lSka653AexhaFTAXtp4NJ5xXThQcFzJ+urDAc6LfPzyknHDx
++lfI5bMeW9I6E7CbkFOELqInzAk6uMZFxbp4Qte8so3GFdCTPtFVTbS4v+Ctx3oi
+r6oIEFLzhbbNz8lX4JrmXTO1WLiy8uoS4xCEEpITAG9iDvPZ2N7iaTiBgI1B4jNN
+W/t/iIUkO7udL0eyZBzF
+=6wKd
+-----END PGP SIGNATURE-----
diff --git a/clamav-conf.patch b/clamav-conf.patch
index 8ba2411..28112f4 100644
--- a/clamav-conf.patch
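Review bot: Neither the two `expect "\n"` calls nor the final `expect "FOUND"` loop in clam.tcl sets or handles a timeout, so Expect's default 10-second timeout applies and a slow signature load or scan can fall through silently; the script then exits 1 at `if {$x ne 3}` with no message, which looks the same as a missed detection. Putting `set timeout -1` (or a generous bound) before `spawn` and adding a `timeout { puts "*** clamscan timed out ***"; exit 1 }` branch would make that failure mode explicit. The script also never collects clamscan's exit status with `wait`, so a scanner error reported after the third match would go unnoticed. As a style point the two comparisons are swapped: `$x != ""` tests a string and `$x ne 3` tests a counter, so `ne ""` and `!= 3` would read as intended.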
+++ b/clamav-conf.patch @@ -123,7 +123,7 @@ # Stop daemon when libclamav reports out of memory condition. #ExitOnOOM yes -@@ -708,7 +704,7 @@ Example +@@ -727,7 +723,7 @@ Example # multiple OnAccessIncludePath directives but each directory must be added # in a separate line. # Default: disabled @@ -132,7 +132,7 @@ #OnAccessIncludePath /students # Set the exclude paths. All subdirectories are also excluded. -@@ -778,7 +774,7 @@ Example +@@ -797,7 +793,7 @@ Example # It has the same potential race condition limitations of the # OnAccessExcludeUID option. # Default: disabled @@ -156,8 +156,8 @@ - # Path to the database directory. # WARNING: It must match clamd.conf's directive! - # Default: hardcoded (depends on installation options) -@@ -52,12 +48,12 @@ Example + # WARNING: It must already exist, be an absolute path, be writeable by +@@ -54,12 +50,12 @@ Example # It is recommended that the directory where this file is stored is # also owned by root to keep other users from tampering with it. # Default: disabled @@ -172,7 +172,7 @@ # Use DNS to verify virus database version. FreshClam uses DNS TXT records # to verify database and software versions. With this directive you can change -@@ -148,7 +144,7 @@ DatabaseMirror database.clamav.net +@@ -150,7 +146,7 @@ DatabaseMirror database.clamav.net # Send the RELOAD command to clamd. # Default: no diff --git a/clamav-format.patch b/clamav-format.patch index e874146..d882511 100644 --- a/clamav-format.patch +++ b/clamav-format.patch @@ -64,7 +64,7 @@ } --- libclamav/pe.c.orig +++ libclamav/pe.c -@@ -5185,12 +5185,12 @@ cl_error_t cli_peheader(fmap_t *map, str +@@ -5117,12 +5117,12 @@ cl_error_t cli_peheader(fmap_t *map, str /* If a section is truncated, adjust its size value */ if (!CLI_ISCONTAINED_0_TO(fsize, section->raw, section->rsz)) { 
@@ -81,7 +81,7 @@ } --- libfreshclam/libfreshclam_internal.c.orig +++ libfreshclam/libfreshclam_internal.c -@@ -226,7 +226,7 @@ fc_error_t load_freshclam_dat(void) +@@ -229,7 +229,7 @@ fc_error_t load_freshclam_dat(void) if (-1 == lseek(handle, strlen(MIRRORS_DAT_MAGIC), SEEK_SET)) { char error_message[260]; cli_strerror(errno, error_message, 260); @@ -92,7 +92,7 @@ --- unit_tests/check_clamav.c.orig +++ unit_tests/check_clamav.c -@@ -1939,7 +1939,7 @@ void diff_file_mem(int fd, const char *r +@@ -1925,7 +1925,7 @@ void diff_file_mem(int fd, const char *r ck_assert_msg(!!buf, "unable to malloc buffer: %zu", len); p = read(fd, buf, len); @@ -101,7 +101,7 @@ p = 0; while (len > 0) { c1 = ref[p]; -@@ -1950,10 +1950,10 @@ void diff_file_mem(int fd, const char *r +@@ -1936,10 +1936,10 @@ void diff_file_mem(int fd, const char *r len--; } if (len > 0) @@ -114,7 +114,7 @@ close(fd); } -@@ -1969,7 +1969,7 @@ void diff_files(int fd, int ref_fd) +@@ -1955,7 +1955,7 @@ void diff_files(int fd, int ref_fd) ck_assert_msg(lseek(ref_fd, 0, SEEK_SET) == 0, "lseek failed"); nread = read(ref_fd, ref, siz); @@ -154,7 +154,7 @@ rc = memcmp(p, expect, expect_len); --- libclamav/others_common.c.orig +++ libclamav/others_common.c -@@ -312,7 +312,7 @@ char *cli_strdup(const char *s) +@@ -362,7 +362,7 @@ char *cli_safer_strdup(const char *s) } alloc = strdup(s); @@ -162,4 +162,4 @@ + if (!alloc) { perror("strdup_problem"); - cli_errmsg("cli_strdup(): Can't allocate memory (%u bytes).\n", (unsigned int)strlen(s)); + cli_errmsg("cli_safer_strdup(): Can't allocate memory (%u bytes).\n", (unsigned int)strlen(s)); diff --git a/clamav-obsolete-config.patch b/clamav-obsolete-config.patch index 587e55b..3349082 100644 --- a/clamav-obsolete-config.patch +++ b/clamav-obsolete-config.patch 
@@ -1,6 +1,6 @@ --- common/optparser.c.orig +++ common/optparser.c -@@ -598,6 +598,13 @@ const struct clam_option __clam_options[ +@@ -602,6 +602,13 @@ const struct clam_option __clam_options[ {"MailFollowURLs", "mail-follow-urls", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "", ""}, {"AllowSupplementaryGroups", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER | OPT_DEPRECATED, "Initialize a supplementary group access (the process must be started by root).", "no"}, {"ScanOnAccess", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", ""}, diff --git a/clamav.changes b/clamav.changes index 4fb8438..1c11e08 100644 --- a/clamav.changes +++ b/clamav.changes @@ -1,3 +1,26 @@ +------------------------------------------------------------------- +Tue Sep 10 13:05:08 UTC 2024 - Reinhard Max + +- New version 1.4.1: + * [CVE-2024-20506, bsc#1230162]: Changed the logging module to + disable following symlinks on Linux and Unix systems so as to + prevent an attacker with existing access to the 'clamd' or + 'freshclam' services from using a symlink to corrupt system + files. + * [CVE-2024-20505, bsc#1230161]: Fixed a possible out-of-bounds + read bug in the PDF file parser that could cause a + denial-of-service (DoS) condition. + * https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html + +- New version 1.4.0: + * Added support for extracting ALZ archives. + * Added support for extracting LHA/LZH archives. + * Added the ability to disable image fuzzy hashing, if needed. + For context, image fuzzy hashing is a detection mechanism + useful for identifying malware by matching images included with + the malware or phishing email/document. + * https://blog.clamav.net/2024/08/clamav-140-feature-release-and-clamav.html + ------------------------------------------------------------------- Wed Sep 4 19:29:48 UTC 2024 - Arjen de Korte 
diff --git a/clamav.spec b/clamav.spec index 1392c96..038edaa 100644 --- a/clamav.spec +++ b/clamav.spec @@ -32,7 +32,7 @@ %global confdir %_prefix%_sysconfdir Name: clamav -Version: 1.3.2 +Version: 1.4.1 Release: 0 Summary: Antivirus Toolkit License: GPL-2.0-only @@ -205,6 +205,7 @@ chmod -x docs/html/images/flamegraph.svg -DENABLE_CLAMONACC=ON \ -DENABLE_MILTER=ON \ -DSYSTEMD_UNIT_DIR=%{_unitdir} \ + -DPCRE2_LIBRARY=%{_libdir}/libpcre2-8.so \ %if %{without clammspack} -DENABLE_EXTERNAL_MSPACK=ON %endif diff --git a/clamscan.log b/clamscan.log new file mode 100644 index 0000000..e00c7f1 --- /dev/null +++ b/clamscan.log @@ -0,0 +1,18 @@ + +------------------------------------------------------------------------------- + +/abuild/max/OBS/security/clamav/eicar/eicar.zip: Eicar-Signature FOUND +/abuild/max/OBS/security/clamav/eicar/eicar.txt: Eicar-Signature FOUND +/abuild/max/OBS/security/clamav/eicar/eicar.pdf: Pdf.Dropper.Agent-7001939-0 FOUND + +----------- SCAN SUMMARY ----------- +Known viruses: 8695659 +Engine version: 1.3.1 +Scanned directories: 1 +Scanned files: 3 +Infected files: 3 +Data scanned: 0.00 MB +Data read: 0.00 MB (ratio 1.00:1) +Time: 15.206 sec (0 m 15 s) +Start Date: 2024:07:04 18:40:39 +End Date: 2024:07:04 18:40:54
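Review bot: The added `-DPCRE2_LIBRARY=%{_libdir}/libpcre2-8.so \` in the second clamav.spec hunk presumably overrides the build system's own PCRE2 detection, and neither the spec nor the new clamav.changes entry says why it is needed. A hard-coded library path tends to outlive the problem it worked around, so I would record the reason in the changelog, e.g. `- Pass PCRE2_LIBRARY explicitly because <reason>`, and as a `#` comment above the cmake invocation. The invocation starts outside the hunk, so the exact comment placement needs checking against the full spec.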
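Review bot: clamscan.log reads like locally captured scan output rather than a package source: it records `Engine version: 1.3.1` and a run dated 2024:07:04 while this commit moves the package to 1.4.1, and it embeds absolute paths from the packager's build tree (`/abuild/max/OBS/...`). Neither visible clamav.spec hunk adds it or clam.tcl as a source, so both appear unused by the build as far as this diff shows. If the log is meant as the expected output for clam.tcl, it should be regenerated with the packaged version and referenced from the spec; otherwise it should be dropped from the commit.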