Accepting request 626690 from security

- bsc#1101654: Disable YARA support for licensing reasons
  (clamav-disable-yara.patch).
- Do not ignore errors from useradd et al.
- Unclutter the spec file.

- Update dendencies (pcre2, libjson-c and systemd)
- Modernise spec file with spec-cleaner

- fix library-without-ldconfig warnings on libclammspack

- Update to version 0.100.1
  * CVE-2018-0360: HWP integer overflow, infinite loop
    vulnerability (bsc#1101410)
  * CVE-2018-0361: PDF object length check, unreasonably long time
    to parse relatively small file (bsc#1101412) 
  * Buffer over-read in unRAR code due to missing max value checks
    in table initialization
  * Libmspack heap buffer over-read in CHM parser
  * PDF parser bugs
  * Add HTTPS support for clamsubmit
  * Fix for DNS resolution for users on IPv4-only machines where
    IPv6 is not available or is link-local only

OBS-URL: https://build.opensuse.org/request/show/626690
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/clamav?expand=0&rev=95

clamav-0.100.0.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c5c5edaf75a3c53ac0f271148fd6447310bce53f448ec7e6205124a25918f65c
-size 16036757

clamav-0.100.0.tar.gz.sig

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJay4N+AAoJEPE/nha8pb+tUiEP/isw/OZ5t183XjjPVV3wtIH1
-xbPkCG5/842Ui8Dd2G14VUEW+abUDueBU1Fn4hPixGVOmXiEmltwlM2R6+qjutVO
-al18jCkJXMq9sfqO0pMom8NDf3mNu9sy3oqARekrnLO1JZI0w5HKAAJg3VaCBBEZ
-YD7XxtuO8R1R9BBSAwx4E1NG9skQ+WAJVlT7ckWCuqW6SafIsqnM2f9KV1lYitod
-7mXl72nPQA3xkiqri1XLZrkiViZyzX5q3LRYdADlHk79MmDZuaaVIfza42SEYjQm
-TYTh5vvi1yUz6qhALFfbqOdOTQLri0gZp00xlmH+5MhVcnHZVAfzA3R57VcleD+o
-LpC9WUAEUL3D15KQlLhrV7Y0D82M79jJDXExRM2TozjUnA3WrQRZZqlJg5iEBHcu
-VP/O7hLNslm8SFRd1SHQ7C4D7X9odW3D64QySEpx9TyUWSesQg/hSO3F9Xj6eBRy
-JWYc90iu8DFedR+QrkwnMIbgbTeYxVjnPwKfI1E8vGrojYFKI3nFATQERRAcnrSz
-FjaffXxkMPULKCi8JqcvomlZkj+W1LvZ9OEdtD92nz4mX/C6tHaPy6A2alByHElp
-CMXYc8IIT3WWFV73O17xBdLhpyJRnmuHQ3IpJMKXh89lgX+t/ABAkWlmQsLy9PpH
-SlfPF6qoRTu2fSlQmEJu
-=KvcM
------END PGP SIGNATURE-----

clamav-0.100.1.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:84e026655152247de7237184ee13003701c40be030dd68e0316111049f58a59f
+size 16154415

clamav-0.100.1.tar.gz.sig

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJbO66OAAoJEPE/nha8pb+t2SkP/0i9fOLm2FCBs/kRGiGgd4zn
+RxLwsW0Wskf0C/5dLhNHP/aeHSqeWZQdasmIgUzxxGhksp/gxwmH66h5y6qjACU2
+LnDytMr5DuM0rPAfNtOmnCQcpKVXvRA5utboCP7BWBLsfdfi1tF/Sw/JknDzDu5a
+AExBpiclix4EEHa4VkG+pMYpLLYUfxMZgKuq9b3ytWgNbCz0riSugr3hkoL72uRy
+xfrN2S0YkHy1Kw/7zohcHJa1qfPXZ/V6S1iSBCSfk3OTeExJhQIDxlLNTkcBr8L0
+H9Fo6RnQ2ttYtdphKU1suN4spFxBJD94zkOB+0cLfk6sCeYb4BXrqX6t19N+9Z9+
+m2fx2zay12skW/eABFtG82ToWTojCfHhKrRRDZRE8iXh2KUKMUkx7kSjhDRNR9eE
+WIpfAom4vdgDwDOgHwziUqr65l8Dr3NFC1LJl8F0uaFGshbjbtMufD88S0TQCvw6
+pJAZ8ZiTXqtmT9Uyw9aObffA2ekKWOY4k/6Z7ved76GkXC+e922Z+LpRE8wE05Cz
+sqwkzIQMLwwBo3468vB0RFxS14AVyLFVogmYxkhLcZC39yFBZVJF4++efsrlt+vq
++OoJl7JF1NYp8KSGGAIuNY5dyJGtiu709n7ppU6JAY2uhAzEjHYeqM0caDjPDjT2
+/LK7EO0s7O30HEld5gDC
+=xbrK
+-----END PGP SIGNATURE-----

clamav-disable-timestamps.patch

@@ -78,4 +78,4 @@
 +_ACEOF
  
  
- VERSION="0.100.0"
+ VERSION="0.100.1"

clamav-disable-yara.patch

@@ -0,0 +1,39 @@
+--- m4/reorganization/yara.m4.orig
++++ m4/reorganization/yara.m4
+@@ -6,7 +6,7 @@ enable_yara=$enableval, enable_yara="yes
+ 
+ if test "$enable_yara" = "yes"; then
+     AC_DEFINE([HAVE_YARA],1,[yara sources are compiled in])
+-    AC_SUBST([HAVE_YARA])
++    AC_SUBST([HAVE_YARA], 1)
+ fi
+ 
+ 
+--- unit_tests/check_common.sh.orig
++++ unit_tests/check_common.sh
+@@ -222,6 +222,7 @@ EOF
+ 	scan_failed clamscan4.log "clamscan has detected spurious VI's"
+     fi
+ 
++if test "x$HAVE_YARA" = "x1"; then
+ cat <<EOF >test-db/test.yara
+ rule yara_at_offset {strings: \$tar_magic = { 75 73 74 61 72 } condition: \$tar_magic at 257}
+ EOF
+@@ -249,6 +250,7 @@ EOF
+     fi
+ 
+     test_end $1
++fi
+ }
+ 
+ # ----------- clamd tests --------------------------------------------------------
+--- configure.orig
++++ configure
+@@ -24324,6 +24324,7 @@ if test "$enable_yara" = "yes"; then
+ 
+ $as_echo "#define HAVE_YARA 1" >>confdefs.h
+ 
++    HAVE_YARA=1
+ 
+ fi
+ 

clamav.changes

@@ -1,3 +1,38 @@
+-------------------------------------------------------------------
+Tue Jul 31 08:43:39 UTC 2018 - max@suse.com
+
+- bsc#1101654: Disable YARA support for licensing reasons
+  (clamav-disable-yara.patch).
+- Do not ignore errors from useradd et al.
+- Unclutter the spec file.
+
+-------------------------------------------------------------------
+Wed Jul 25 16:23:09 UTC 2018 - mpluskal@suse.com
+
+- Update dendencies (pcre2, libjson-c and systemd)
+- Modernise spec file with spec-cleaner
+
+-------------------------------------------------------------------
+Tue Jul 17 14:21:35 UTC 2018 - security@suse.com
+
+- fix library-without-ldconfig warnings on libclammspack
+
+-------------------------------------------------------------------
+Tue Jul 10 08:06:33 UTC 2018 - egdfree@opensuse.org
+
+- Update to version 0.100.1
+  * CVE-2018-0360: HWP integer overflow, infinite loop
+    vulnerability (bsc#1101410)
+  * CVE-2018-0361: PDF object length check, unreasonably long time
+    to parse relatively small file (bsc#1101412) 
+  * Buffer over-read in unRAR code due to missing max value checks
+    in table initialization
+  * Libmspack heap buffer over-read in CHM parser
+  * PDF parser bugs
+  * Add HTTPS support for clamsubmit
+  * Fix for DNS resolution for users on IPv4-only machines where
+    IPv6 is not available or is link-local only
+
 -------------------------------------------------------------------
 Thu Apr 26 15:35:15 UTC 2018 - max@suse.com
 

clamav.spec

@@ -16,49 +16,55 @@
 #
 
 
+%define clamav_check --enable-check
 Name:           clamav
+Version:        0.100.1
+Release:        0
+Summary:        Antivirus Toolkit
+License:        GPL-2.0-only
+Group:          Productivity/Security
+URL:            http://www.clamav.net
+Source0:        http://www.clamav.net/downloads/production/%name-%version.tar.gz
+Source1:        http://www.clamav.net/downloads/production/%name-%version.tar.gz.sig
+Source4:        clamav-rpmlintrc
+Source6:        clamav-tmpfiles.conf
+Source7:        service.clamd
+Source8:        service.freshclam
+Source9:        service.clamav-milter
+Source11:       clamav.keyring
+Patch1:         clamav-conf.patch
+Patch4:         clamav-disable-timestamps.patch
+Patch5:         clamav-obsolete-config.patch
+Patch6:         clamav-disable-yara.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bc
 BuildRequires:  check-devel
 BuildRequires:  libbz2-devel
 BuildRequires:  libcurl-devel
+BuildRequires:  libjson-c-devel
 BuildRequires:  libopenssl-devel
 BuildRequires:  libtool
 BuildRequires:  libxml2-devel
 BuildRequires:  ncurses-devel
-BuildRequires:  pcre-devel
+BuildRequires:  pcre2-devel
 BuildRequires:  pkgconfig
 BuildRequires:  pwdutils
 BuildRequires:  python-devel
 BuildRequires:  sed
 BuildRequires:  sendmail-devel
-BuildRequires:  zlib-devel
-%define clamav_check --enable-check
-Summary:        Antivirus Toolkit
-License:        GPL-2.0-only
-Group:          Productivity/Security
-Version:        0.100.0
-Release:        0
-Url:            http://www.clamav.net
-Obsoletes:      clamav-db < 0.88.3
-Provides:       clamav-nodb = %{version}
-Obsoletes:      clamav-nodb <= 0.98.4
-Requires(pre):  %_sbindir/groupadd %_sbindir/useradd %_sbindir/usermod
-Requires(pre):  /usr/bin/awk /bin/sed /bin/tar
-Source0:        http://www.clamav.net/downloads/production/%{name}-%{version}.tar.gz
-Source1:        http://www.clamav.net/downloads/production/%{name}-%{version}.tar.gz.sig
-Source11:       clamav.keyring
-Source4:        clamav-rpmlintrc
-Source6:        clamav-tmpfiles.conf
-Source7:        service.clamd
-Source8:        service.freshclam
-Source9:        service.clamav-milter
-Patch1:         clamav-conf.patch
-Patch4:         clamav-disable-timestamps.patch
-Patch5:         clamav-obsolete-config.patch
-BuildRequires:  systemd
+BuildRequires:  systemd-devel
 BuildRequires:  systemd-rpm-macros
+BuildRequires:  zlib-devel
+Requires(pre):  %_bindir/awk
+Requires(pre):  %_sbindir/groupadd
+Requires(pre):  %_sbindir/useradd
+Requires(pre):  %_sbindir/usermod
+Requires(pre):  /bin/sed
+Requires(pre):  /bin/tar
+Obsoletes:      clamav-db < 0.88.3
+Provides:       clamav-nodb = %version
+Obsoletes:      clamav-nodb <= 0.98.4
 %systemd_requires
 
 %description
@@ -104,6 +110,7 @@ that want to make use of libclamav.
 %patch1
 %patch4
 %patch5
+%patch6
 
 %build
 CFLAGS="-fstack-protector"
@@ -125,18 +132,19 @@ CFLAGS="$CFLAGS -DFP_64BIT"
 	%clamav_check \
 	--enable-clamdtop \
 	--disable-zlib-vcheck \
-	--disable-timestamps
+	--disable-timestamps \
+	--disable-yara
 
-make V=1 %{?_smp_mflags}
+make V=1 %?_smp_mflags
 
 %install
 %make_install
 install -d -m755 %buildroot/var/lib/clamav
 install -d -m755 %buildroot/%_tmpfilesdir
-install -m644 %{S:6} %buildroot%_tmpfilesdir/clamav.conf
+install -m644 %SOURCE6 %buildroot%_tmpfilesdir/clamav.conf
 mkdir -p %buildroot/var/spool/amavis
 mkdir -p -m 0755 %buildroot/run/clamav
-rm %buildroot/%_libdir/*.la
+find %buildroot -type f -name "*.la" -delete -print
 
 # libclammspack is not meant to be linked against by anything but
 # libclamav
@@ -144,24 +152,24 @@ rm %buildroot%_libdir/pkgconfig/libclammspack.pc
 rm %buildroot%_libdir/libclammspack.so
 
 # fix the new config file names
-pushd %buildroot/etc
+pushd %buildroot%_sysconfdir
 mv clamd.conf.sample clamd.conf
 mv clamav-milter.conf.sample clamav-milter.conf
 mv freshclam.conf.sample freshclam.conf
 popd
 
 # Systemd...
-install -d -m 0755 %buildroot/%{_unitdir}
-install -m 0644 %{S:7} %buildroot/%{_unitdir}/clamd.service
-install -m 0644 %{S:8} %buildroot/%{_unitdir}/freshclam.service
-install -m 0644 %{S:9} %buildroot/%{_unitdir}/clamav-milter.service
-rm -f %buildroot/%{_unitdir}/clamav-daemon.service
-rm -f %buildroot/%{_unitdir}/clamav-daemon.socket
-rm -f %buildroot/%{_unitdir}/clamav-freshclam.service
-# this is broken if system does not have systemd so don't 
+install -d -m 0755 %buildroot/%_unitdir
+install -m 0644 %SOURCE7 %buildroot/%_unitdir/clamd.service
+install -m 0644 %SOURCE8 %buildroot/%_unitdir/freshclam.service
+install -m 0644 %SOURCE9 %buildroot/%_unitdir/clamav-milter.service
+rm -f %buildroot/%_unitdir/clamav-daemon.service
+rm -f %buildroot/%_unitdir/clamav-daemon.socket
+rm -f %buildroot/%_unitdir/clamav-freshclam.service
+# this is broken if system does not have systemd so don't
 # use it at all on systems without mandatory systemd
 for srvname in clamd freshclam clamav-milter;do
-        (export PATH=/usr/sbin:/sbin:$PATH ;ln -sf $(which service) %{buildroot}/%{_sbindir}/rc${srvname})
+        (export PATH=%_prefix/sbin:/sbin:$PATH ;ln -sf $(which service) %buildroot/%_sbindir/rc${srvname})
 done
 
 %check
@@ -173,17 +181,19 @@ VALGRIND_GENSUP=1 make check
 
 %post   -n libclamav7 -p /sbin/ldconfig
 %postun -n libclamav7 -p /sbin/ldconfig
+%post -n libclammspack0 -p /sbin/ldconfig
+%postun -n libclammspack0 -p /sbin/ldconfig
 
 %files
 %config(noreplace) %_sysconfdir/*.conf
 #systemd...
-%{_unitdir}/clamd.service
-%{_unitdir}/freshclam.service
-%{_unitdir}/clamav-milter.service
+%_unitdir/clamd.service
+%_unitdir/freshclam.service
+%_unitdir/clamav-milter.service
 %_tmpfilesdir
-%doc COPYING*
+%license COPYING*
 %doc docs/*.pdf docs/html
-%doc %_mandir/*/*
+%_mandir/*/*
 %_bindir/*
 %_sbindir/*
 %defattr(-,vscan,vscan)
@@ -203,11 +213,11 @@ VALGRIND_GENSUP=1 make check
 %_includedir/*
 
 %pre
-getent group vscan >/dev/null || %_sbindir/groupadd -r vscan || :
+getent group vscan >/dev/null || %_sbindir/groupadd -r vscan
 getent passwd vscan >/dev/null || \
 	%_sbindir/useradd -r -o -g vscan -u 65 -s /bin/false \
-	-c "Vscan account" -d /var/spool/amavis vscan || :
-%_sbindir/usermod vscan -g vscan 2> /dev/null || :
+	-c "Vscan account" -d /var/spool/amavis vscan
+%_sbindir/usermod vscan -g vscan
 %service_add_pre clamd.service freshclam.service clamav-milter.service
 
 %post