Accepting request 689169 from home:EGDFree:branches:security

- Update to version 0.101.2
  * CVE-2019-1787:
    An out-of-bounds heap read condition may occur when scanning PDF
    documents. The defect is a failure to correctly keep track of the number
    of bytes remaining in a buffer when indexing file data.
  * CVE-2019-1789:
    An out-of-bounds heap read condition may occur when scanning PE files
    (i.e. Windows EXE and DLL files) that have been packed using Aspack as a
    result of inadequate bound-checking.
  * CVE-2019-1788:
    An out-of-bounds heap write condition may occur when scanning OLE2 files
    such as Microsoft Office 97-2003 documents. The invalid write happens when
    an invalid pointer is mistakenly used to initialize a 32bit integer to
    zero. This is likely to crash the application.
- added clamav-max_patch.patch to fix build

OBS-URL: https://build.opensuse.org/request/show/689169
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=181

clamav-0.101.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fa368fa9b2f57638696150c7d108b06dec284e8d8e3b8e702c784947c01fb806
-size 21691396

clamav-0.101.1.tar.gz.sig

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJcG8GBAAoJEPE/nha8pb+tUBUQAMdAGB7BjCaDZks8vDOMv9oi
-2kfVECXq3JDt/vRe5WT3VpqUSzUhSDhTkD9NUZ8f0/4Kz+IMNQYLHX3AOASgTpNP
-thxHGeuF7pcQb3Nws13jUEYTX2e9KdPa3ELqsL0e2VMmWmZBbGZML0cHxCMMt9wo
-VJFXG7Lm66/wlegaAhZKWogvWG1W0V3Tn/SgHxPx8tkEC7PYFJRehr2K7mszgJ9V
-dtIZ4s8ZfON8hF6J+OwUPk/ue2L2XlbcaE/K96vqOTvUH2it25N2jIjkEcoX6A0u
-jpVLBEJODT85fVuejYk1Hpx9VzKSwO5hVOV3uXp2yy5CNea63M/LZ3jDwpWwk2vF
-m51GSvR9GZDs5dGuS1ENVbtLLj9UEzBo/mlhBXDuJ8Y142CAAVN0st8riV3n9e7M
-oCBk7dpsjxFgbSU0deON/oNalTTlK0A1Z63YLvgR+AUCSbEjS1Tx4hJlFQkcETFP
-+1aJprBNMMYheS+qt3BvRasqw34Slj7+gAnAwiQovAxGJsVCgqe62IK8sFNRib6A
-EJq5+GoFvwW2wt12kXvf/OPsidnZMQh6OpFphd2sDXt+LMUJBgeLWsRA0Aiv5j2R
-e6dUZuJf480bMKukvSqORPgA98frOxI354AtBkPI8JQs35tfwLcmJQglpr6HHSF/
-6E/dEufsIz8WlF2KWtLv
-=JBvc
------END PGP SIGNATURE-----

clamav-0.101.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0a12ebdf6ff7a74c0bde2bdc2b55cae33449e6dd953ec90824a9e01291277634
+size 21722932

clamav-0.101.2.tar.gz.sig

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJcinEPAAoJEPE/nha8pb+t9c8P/RD394ZqBL+EcSSG/XTEq8pm
+pKUl70vDDOXbJuTUjxONFO60JcPK2uVrvBlWUsQejH7636ruuslHqwNjloBuKxkb
+j7SCFO7dVW7doi9p4eiItBk0KroJvzsTU2k3IojeeJRDfKU6eVhtSwjMWVbHs5XY
+UaRekwzrJl0K0xO/6TPDAt9K2bLsdXTCQwVCGyxDhtrAP90fpLeIR50EpVPs+a1/
+3xfLjdcJthszTtm4CefPhhQ6jkT/qg8ZAhVMoR+sUf83x2CncouV61A7FzpWmoZj
+WLHddHl8v68K8As/PNQwoA/YkPBqugLM8VsUaR2nBzmQVO+Gk9wY9m7LCPux1fWc
+3WVDhhVSUry7UgtY1J/8kYioShnX4I1ohWm6rEzCoWJFQmfQoDnp2wfTtz8fsq1x
+2JkwKNgj/rt/y04rgFLnouZGLfz1UMaaUYsWF0cCsr2r42DoWkq976cxM+KnTxna
+dgZkzudqmi1ph9OAu+cHnlmzMVeet7S3mKCMT/mACpAUGwE/xlAFv2L/6bm5yKtP
+I5sEyAvOfEb5NnrIcmR/SJAT3PQnqEPrDUNY8M+rAn9vXKTl+nhlcp14ZYh4ZMQL
+1uzMsK2HlnNUMHwTCj64Exvq22wwHqL4zuEQvFr4w0s8peY8BHw3S3mxxLABg1b0
+Fj0HUMDjH3TALfIXf80m
+=lLJG
+-----END PGP SIGNATURE-----

clamav-disable-timestamps.patch

@@ -78,4 +78,4 @@
 +_ACEOF
  
  
- VERSION="0.101.1"
+ VERSION="0.101.2"

clamav-max_patch.patch

@@ -0,0 +1,11 @@
+--- libclamav/others_common.c.orig
++++ libclamav/others_common.c
+@@ -855,7 +855,7 @@
+     size_t sanitized_index   = 0;
+     char* sanitized_filepath = NULL;
+ 
+-    if((NULL == filepath) || (0 == filepath_len) || (MAX_PATH < filepath_len)) {
++    if((NULL == filepath) || (0 == filepath_len) || (PATH_MAX < filepath_len)) {
+         goto done;
+     }
+ 

clamav-str-h.patch

@@ -6,5 +6,5 @@
  #include "clamav.h"
 +#include "str.h"
  #include "others.h"
+ #include "platform.h"
  #include "regex/regex.h"
- #include "ltdl.h"

clamav.changes

@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Wed Mar 27 17:30:05 UTC 2019 - Andrey Karepin <egdfree@opensuse.org>
+
+- Update to version 0.101.2
+  * CVE-2019-1787:
+    An out-of-bounds heap read condition may occur when scanning PDF
+    documents. The defect is a failure to correctly keep track of the number
+    of bytes remaining in a buffer when indexing file data.
+  * CVE-2019-1789:
+    An out-of-bounds heap read condition may occur when scanning PE files
+    (i.e. Windows EXE and DLL files) that have been packed using Aspack as a
+    result of inadequate bound-checking.
+  * CVE-2019-1788:
+    An out-of-bounds heap write condition may occur when scanning OLE2 files
+    such as Microsoft Office 97-2003 documents. The invalid write happens when
+    an invalid pointer is mistakenly used to initialize a 32bit integer to
+    zero. This is likely to crash the application.
+- added clamav-max_patch.patch to fix build
+
 -------------------------------------------------------------------
 Mon Jan 21 17:30:15 UTC 2019 - Reinhard Max <max@suse.com>
 

clamav.spec

@@ -20,7 +20,7 @@
 
 %define clamav_check --enable-check
 Name:           clamav
-Version:        0.101.1
+Version:        0.101.2
 Release:        0
 Summary:        Antivirus Toolkit
 License:        GPL-2.0-only
@@ -39,6 +39,8 @@ Patch4:         clamav-disable-timestamps.patch
 Patch5:         clamav-obsolete-config.patch
 Patch6:         clamav-disable-yara.patch
 Patch7:         clamav-str-h.patch
+#PATCH-FIX-UPSTREAM clamav-max_patch.patch
+Patch8:         clamav-max_patch.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bc
@@ -121,6 +123,7 @@ that want to make use of libclamav.
 %patch5
 %patch6
 %patch7
+%patch8
 
 %build
 CFLAGS="-fstack-protector"