From 835832e4d17df9ec06bd5ef073fc9b41ad53f8ab53133ed1a1ea397c35d36cf3 Mon Sep 17 00:00:00 2001
From: Reinhard Max
Date: Sun, 16 Jan 2022 14:09:37 +0000
Subject: [PATCH] Accepting request 945934 from home:adkorte:branches:security - Update to 0.103.5 * CVE-2022-20698: Fix for invalid pointer read that may cause a crash. This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json option) is enabled. * Fixed ability to disable the file size limit with libclamav C API, like this: cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0); This issue didn't affect ClamD or ClamScan which also can disable the limit by setting it to zero using MaxFileSize 0 in clamd.conf for ClamD, or clamscan --max-filesize=0 for ClamScan. Note: Internally, the max file size is still set to 2 GiB. Disabling the limit for a scan will fall back on the internal 2 GiB limitation. * Increased the maximum line length for ClamAV config files from 512 bytes to 1,024 bytes to allow for longer config option strings. * SigTool: Fix insufficient buffer size for --list-sigs that caused a failure when listing a database containing one or more very long signatures. This fix was backported from 0.104. OBS-URL: https://build.opensuse.org/request/show/945934 OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=229
---
 clamav-0.103.4.tar.gz | 3 ---
 clamav-0.103.4.tar.gz.sig | 16 ----------------
 clamav-0.103.5.tar.gz | 3 +++
 clamav-0.103.5.tar.gz.sig | 16 ++++++++++++++++
 clamav.changes | 24 ++++++++++++++++++++++++
 clamav.spec | 2 +-
 6 files changed, 44 insertions(+), 20 deletions(-)
 delete mode 100644 clamav-0.103.4.tar.gz
 delete mode 100644 clamav-0.103.4.tar.gz.sig
 create mode 100644 clamav-0.103.5.tar.gz
 create mode 100644 clamav-0.103.5.tar.gz.sig
diff --git a/clamav-0.103.4.tar.gz b/clamav-0.103.4.tar.gz
deleted file mode 100644
index 9bb5094..0000000
--- a/clamav-0.103.4.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:def0ad15500fa6aff81d8e68b9f83aa75ee5b607a01335c1d26dbcc959932f85
-size 16425023
diff --git a/clamav-0.103.4.tar.gz.sig b/clamav-0.103.4.tar.gz.sig
deleted file mode 100644
index 27778cd..0000000
--- a/clamav-0.103.4.tar.gz.sig
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJhgZyJAAoJEGCbAk8rPt0H7AMQAJ7wxx96nMvhTGkxSAen/BZa
-fHFrF0eof2x5DZc7e7fXV7OoHAQ78dftGIey2pqu0qPtONxPo1ZyBClHP4sWFdV2
-NlVExiKSzB2wOw1nGJN2CYnNI1uFRm3jzxZP2fhfcUnpL1spuWKAAKUZqyKxIRIa
-j4jBc+Gu9F+svBwIyZZk9ga+W4U04oNafsgTtZJoZ7Rf3uWujws6Zy98hMeuO71I
-cI6UF1nb4TBSYj2OgXYY+bl8qvhswzcjYCT+OHDXLXqCgcNxSEcK6vcgyRcCfBJQ
-YPYQc0uziG+BzaOLxjHZMpIzbCo2SBRtyluH16Fddy2DJmMrgpuOPNeaeAHFW5uM
-OK0dEUleYuBKpbQxHVDQC6Qw5xSqtVXdfAyYQJ/p7k9fCFbsLxx8HGVSEoqE6jEH
-dwe7mCNfKrlQSxQSJaRZKaAsqDAd+2zxkUYuT6IP0dXFzeoihwvuppPmBvEwErDV
-4OgnZC2Aw6LHIYqjvQWTyxd1euL7UUoeNel3nLZwZ0EmnhJ3C5RIp97MUHM+vOWY
-EIyxx93GKHZWM18WOxXPV87Lt7YCIo1QOUQVbhapmKRGOYFq8bu/75LFlpKwebnw
-MOljABOb1td7qqsYy30awp7bGiqni2dXXRA5eHwl5q+11776BP4yERIUDNJbG++M
-kuhICU7B1d21gl5MwFuw
-=CJWI
------END PGP SIGNATURE-----
diff --git a/clamav-0.103.5.tar.gz b/clamav-0.103.5.tar.gz
new file mode 100644
index 0000000..c8ad812
--- /dev/null
+++ b/clamav-0.103.5.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1e74b1e1d2a8a9056449c313f48a6983b9d5ba0d6fb5ef0b2be6ad3c841a5426
+size 16434316
diff --git a/clamav-0.103.5.tar.gz.sig b/clamav-0.103.5.tar.gz.sig
new file mode 100644
index 0000000..2335009
--- /dev/null
+++ b/clamav-0.103.5.tar.gz.sig
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJh3ZK/AAoJEGCbAk8rPt0HxwkP/iSf9aUJipn5YgqjqyVC1fKl
+wUwvV8KoPH7C2kgo0AKZFTKRxaRahvL1WLx6PnnArl1ZVoH2JVrqm/1+Z8MT9U7J
+YOKG3aI+KgBNG6ihxizsL37ZNn4aE7ne4SY7219rei7IW12OyiUvIkF3kA9lHtDX
+/cqkrqu9GT7pB5dxt+GCQ/oX1cgMzV6/Hg9wE4DS0hSuQy74WRUZ/Rp+JAeQ7dUv
+4u1dkGoUJQpo4g94amwOqcHlc+bBZMItTVSoJercjl8eOZqxSEN7kkHa2MrPFiaX
+AJN4B4wMfrxi+jn+HUo7TshrRkzUzP0i+rIAn3hsvG4sjOxH/vWrCyfOGCIQb/l+
+ug1gBJ4LDSoQ9rL41c1OBYFPKhbrTYCSs+TULoKSFCJv8RgQA7/Vu3bulIHFRhtp
+Lpvhgo1fsb741EVSoPFqQJe+XUAdH5BsW03TZuHnuIEnLvHbctYDJlkg0KN2IYg+
+4JgO65spoEHW2hldKR0A8W8U4+bPC2+94QuLoV6OXrnlL8qCj9RhRqywBM4gqSgC
+p9rnx0E0tTrCDmevXn0IvTbwqxjtC8ig/mJejc4TiV70ps8xgLBeml4xsgr+PLYn
+Obwf8/GOY3RwGQQMROLQSChenvXU/qnjqDRRzVtZSgBF7xBlGJ1xVm7pRLA/OF5d
+sbOrPkTfkT+0ayLU46vg
+=lf26
+-----END PGP SIGNATURE-----
diff --git a/clamav.changes b/clamav.changes
index 2bf3317..f8695e5 100644
--- a/clamav.changes
+++ b/clamav.changes
@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Wed Jan 12 21:04:58 UTC 2022 - Arjen de Korte
+
+- Update to 0.103.5
+ * CVE-2022-20698: Fix for invalid pointer read that may cause a crash.
+ This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled
+ with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option
+ (the clamscan --gen-json option) is enabled.
+ * Fixed ability to disable the file size limit with libclamav C API,
+ like this:
+
+ cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);
+
+ This issue didn't affect ClamD or ClamScan which also can disable the
+ limit by setting it to zero using MaxFileSize 0 in clamd.conf for ClamD,
+ or clamscan --max-filesize=0 for ClamScan.
+ Note: Internally, the max file size is still set to 2 GiB. Disabling the
+ limit for a scan will fall back on the internal 2 GiB limitation.
+ * Increased the maximum line length for ClamAV config files from 512 bytes
+ to 1,024 bytes to allow for longer config option strings.
+ * SigTool: Fix insufficient buffer size for --list-sigs that caused a
+ failure when listing a database containing one or more very long
+ signatures. This fix was backported from 0.104.
+
 -------------------------------------------------------------------
 Wed Nov 3 20:52:19 UTC 2021 - Arjen de Korte
diff --git a/clamav.spec b/clamav.spec
index 7218561..74ef24e 100644
--- a/clamav.spec
+++ b/clamav.spec
@@ -19,7 +19,7 @@
 %bcond_with clammspack
 %bcond_with valgrind
 Name: clamav
-Version: 0.103.4
+Version: 0.103.5
 Release: 0
 Summary: Antivirus Toolkit
 License: GPL-2.0-only