- New version 1.4.1:

* [CVE-2024-20506, bsc#1230162]: Changed the logging module to
    disable following symlinks on Linux and Unix systems so as to
    prevent an attacker with existing access to the 'clamd' or
    'freshclam' services from using a symlink to corrupt system
    files.
  * [CVE-2024-20505, bsc#1230161]: Fixed a possible out-of-bounds
    read bug in the PDF file parser that could cause a
    denial-of-service (DoS) condition.
  * https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html
- New version 1.4.0:
  * Added support for extracting ALZ archives.
  * Added support for extracting LHA/LZH archives.
  * Added the ability to disable image fuzzy hashing, if needed.
    For context, image fuzzy hashing is a detection mechanism
    useful for identifying malware by matching images included with
    the malware or phishing email/document.
  * https://blog.clamav.net/2024/08/clamav-140-feature-release-and-clamav.html

OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=264

clam.tcl

@@ -0,0 +1,38 @@
+#!/usr/bin/tclsh
+package require Expect
+
+proc pne {x} {
+    if {$x != ""} {
+	puts $x
+    }
+}
+
+set x 0
+set L ""
+set C ""
+log_user 0
+spawn clamscan eicar_test_files
+expect_before -re "((L|C)\[^\r\]*)\r" {
+    set $expect_out(2,string) $expect_out(1,string)
+    exp_continue
+} eof {
+    pne $L
+    pne $C
+    pne $expect_out(buffer)
+    puts "*** clamscan died! ***"
+    exit 1
+}
+expect "\n"; # newline after "Loading: ..."
+expect "\n"; # newline after "Compiling: ..."
+expect_before
+pne $L
+pne $C
+puts ""
+log_user 1
+expect "FOUND" {
+    incr x
+    exp_continue
+} eof
+if {$x ne 3} {
+    exit 1
+}

clamav-1.4.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:a318e780ac39a6b3d6c46971382f96edde97ce48b8e361eb80e63415ed416ad8
+size 50078871

clamav-1.4.1.tar.gz.sig

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJm12IWAAoJEMzg39Iewam/rIQQAKv+zANPKfIta+VJRKkD0Wxa
+LJGDBKKifqyM1HiR+YxGMUuElgmpRvozfZ7ifBGvz/IxjPmUag/BNfOl4JVsSAnL
+WsOhUMSEYxLtpJUywFakI58O/yDSvYlpzfcks0nAIjfeQkhTz0vqqYlyEXR7aDCe
+G/5yOGJtuwAiKclgLCTwqlevZ15ff+3z/UIJ9yAfqM9WPXPQA/lJk1Mp1FmIwVfw
+T/0p8kJJj4Z8aH+jXqOXrKnw9L4Acig3axSneN8QcL5tNosMAQOxhkQuYc6g4V+h
+vDX7N3G5UdPo6jpGoF8NmLu2VFGfWEymBzftMqYZ84Jli9t9RGN8UBEueGERjMsh
+9/3NSAdxeDlR5ELB565a+x/pIOOjovERZdXs9UW8U8NXPeDnIuTTFnqip3e21OGY
+WP3ioP85ixzLFDfZVTaLN97ym2+STiPt+KN7QBEUW0cP/wJFlEcXgRHyY3uQ/iET
+grCTApBuNdOzzgm9lSka653AexhaFTAXtp4NJ5xXThQcFzJ+urDAc6LfPzyknHDx
++lfI5bMeW9I6E7CbkFOELqInzAk6uMZFxbp4Qte8so3GFdCTPtFVTbS4v+Ctx3oi
+r6oIEFLzhbbNz8lX4JrmXTO1WLiy8uoS4xCEEpITAG9iDvPZ2N7iaTiBgI1B4jNN
+W/t/iIUkO7udL0eyZBzF
+=6wKd
+-----END PGP SIGNATURE-----

clamav-conf.patch

@@ -123,7 +123,7 @@
  
  # Stop daemon when libclamav reports out of memory condition.
  #ExitOnOOM yes
-@@ -708,7 +704,7 @@ Example
+@@ -727,7 +723,7 @@ Example
  # multiple OnAccessIncludePath directives but each directory must be added
  # in a separate line.
  # Default: disabled
@@ -132,7 +132,7 @@
  #OnAccessIncludePath /students
  
  # Set the exclude paths. All subdirectories are also excluded.
-@@ -778,7 +774,7 @@ Example
+@@ -797,7 +793,7 @@ Example
  # It has the same potential race condition limitations of the
  # OnAccessExcludeUID option.
  # Default: disabled
@@ -156,8 +156,8 @@
 -
  # Path to the database directory.
  # WARNING: It must match clamd.conf's directive!
- # Default: hardcoded (depends on installation options)
+ # WARNING: It must already exist, be an absolute path, be writeable by
-@@ -52,12 +48,12 @@ Example
+@@ -54,12 +50,12 @@ Example
  # It is recommended that the directory where this file is stored is
  # also owned by root to keep other users from tampering with it.
  # Default: disabled
@@ -172,7 +172,7 @@
  
  # Use DNS to verify virus database version. FreshClam uses DNS TXT records
  # to verify database and software versions. With this directive you can change
-@@ -148,7 +144,7 @@ DatabaseMirror database.clamav.net
+@@ -150,7 +146,7 @@ DatabaseMirror database.clamav.net
  
  # Send the RELOAD command to clamd.
  # Default: no

clamav-format.patch

@@ -64,7 +64,7 @@
      }
 --- libclamav/pe.c.orig
 +++ libclamav/pe.c
-@@ -5185,12 +5185,12 @@ cl_error_t cli_peheader(fmap_t *map, str
+@@ -5117,12 +5117,12 @@ cl_error_t cli_peheader(fmap_t *map, str
  
                  /* If a section is truncated, adjust its size value */
                  if (!CLI_ISCONTAINED_0_TO(fsize, section->raw, section->rsz)) {
@@ -81,7 +81,7 @@
              }
 --- libfreshclam/libfreshclam_internal.c.orig
 +++ libfreshclam/libfreshclam_internal.c
-@@ -226,7 +226,7 @@ fc_error_t load_freshclam_dat(void)
+@@ -229,7 +229,7 @@ fc_error_t load_freshclam_dat(void)
              if (-1 == lseek(handle, strlen(MIRRORS_DAT_MAGIC), SEEK_SET)) {
                  char error_message[260];
                  cli_strerror(errno, error_message, 260);
@@ -92,7 +92,7 @@
  
 --- unit_tests/check_clamav.c.orig
 +++ unit_tests/check_clamav.c
-@@ -1939,7 +1939,7 @@ void diff_file_mem(int fd, const char *r
+@@ -1925,7 +1925,7 @@ void diff_file_mem(int fd, const char *r
  
      ck_assert_msg(!!buf, "unable to malloc buffer: %zu", len);
      p = read(fd, buf, len);
@@ -101,7 +101,7 @@
      p = 0;
      while (len > 0) {
          c1 = ref[p];
-@@ -1950,10 +1950,10 @@ void diff_file_mem(int fd, const char *r
+@@ -1936,10 +1936,10 @@ void diff_file_mem(int fd, const char *r
          len--;
      }
      if (len > 0)
@@ -114,7 +114,7 @@
      close(fd);
  }
  
-@@ -1969,7 +1969,7 @@ void diff_files(int fd, int ref_fd)
+@@ -1955,7 +1955,7 @@ void diff_files(int fd, int ref_fd)
  
      ck_assert_msg(lseek(ref_fd, 0, SEEK_SET) == 0, "lseek failed");
      nread = read(ref_fd, ref, siz);
@@ -154,7 +154,7 @@
      rc = memcmp(p, expect, expect_len);
 --- libclamav/others_common.c.orig
 +++ libclamav/others_common.c
-@@ -312,7 +312,7 @@ char *cli_strdup(const char *s)
+@@ -362,7 +362,7 @@ char *cli_safer_strdup(const char *s)
      }
  
      alloc = strdup(s);
@@ -162,4 +162,4 @@
 +    
      if (!alloc) {
          perror("strdup_problem");
-         cli_errmsg("cli_strdup(): Can't allocate memory (%u bytes).\n", (unsigned int)strlen(s));
+         cli_errmsg("cli_safer_strdup(): Can't allocate memory (%u bytes).\n", (unsigned int)strlen(s));

clamav-obsolete-config.patch

@@ -1,6 +1,6 @@
 --- common/optparser.c.orig
 +++ common/optparser.c
-@@ -598,6 +598,13 @@ const struct clam_option __clam_options[
+@@ -602,6 +602,13 @@ const struct clam_option __clam_options[
      {"MailFollowURLs", "mail-follow-urls", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN | OPT_DEPRECATED, "", ""},
      {"AllowSupplementaryGroups", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER | OPT_DEPRECATED, "Initialize a supplementary group access (the process must be started by root).", "no"},
      {"ScanOnAccess", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, -1, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", ""},

clamav.changes

@@ -1,3 +1,26 @@
+-------------------------------------------------------------------
+Tue Sep 10 13:05:08 UTC 2024 - Reinhard Max <max@suse.com>
+
+- New version 1.4.1:
+  * [CVE-2024-20506, bsc#1230162]: Changed the logging module to
+    disable following symlinks on Linux and Unix systems so as to
+    prevent an attacker with existing access to the 'clamd' or
+    'freshclam' services from using a symlink to corrupt system
+    files.
+  * [CVE-2024-20505, bsc#1230161]: Fixed a possible out-of-bounds
+    read bug in the PDF file parser that could cause a
+    denial-of-service (DoS) condition.
+  * https://blog.clamav.net/2024/09/clamav-141-132-107-and-010312-security.html
+
+- New version 1.4.0:
+  * Added support for extracting ALZ archives.
+  * Added support for extracting LHA/LZH archives.
+  * Added the ability to disable image fuzzy hashing, if needed.
+    For context, image fuzzy hashing is a detection mechanism
+    useful for identifying malware by matching images included with
+    the malware or phishing email/document.
+  * https://blog.clamav.net/2024/08/clamav-140-feature-release-and-clamav.html
+
 -------------------------------------------------------------------
 Wed Sep  4 19:29:48 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
 

clamav.spec

@@ -32,7 +32,7 @@
 %global confdir %_prefix%_sysconfdir
 
 Name:           clamav
-Version:        1.3.2
+Version:        1.4.1
 Release:        0
 Summary:        Antivirus Toolkit
 License:        GPL-2.0-only
@@ -205,6 +205,7 @@ chmod -x docs/html/images/flamegraph.svg
     -DENABLE_CLAMONACC=ON \
     -DENABLE_MILTER=ON \
     -DSYSTEMD_UNIT_DIR=%{_unitdir} \
+    -DPCRE2_LIBRARY=%{_libdir}/libpcre2-8.so \
 %if %{without clammspack}
     -DENABLE_EXTERNAL_MSPACK=ON
 %endif

clamscan.log

@@ -0,0 +1,18 @@
+
+-------------------------------------------------------------------------------
+
+/abuild/max/OBS/security/clamav/eicar/eicar.zip: Eicar-Signature FOUND
+/abuild/max/OBS/security/clamav/eicar/eicar.txt: Eicar-Signature FOUND
+/abuild/max/OBS/security/clamav/eicar/eicar.pdf: Pdf.Dropper.Agent-7001939-0 FOUND
+
+----------- SCAN SUMMARY -----------
+Known viruses: 8695659
+Engine version: 1.3.1
+Scanned directories: 1
+Scanned files: 3
+Infected files: 3
+Data scanned: 0.00 MB
+Data read: 0.00 MB (ratio 1.00:1)
+Time: 15.206 sec (0 m 15 s)
+Start Date: 2024:07:04 18:40:39
+End Date:   2024:07:04 18:40:54