From 8ab7edbf9a8616ac2b84d77a4000d1df46a80d080b84759ad73dab9ecaf36d4e Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Sat, 18 Apr 2009 11:53:13 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/clamav?expand=0&rev=22 --- clamav-0.95.1.tar.bz2 | 3 + clamav-0.95.tar.bz2 | 3 - clamav-milter.patch | 397 ------------------------------------------ clamav.changes | 5 + clamav.spec | 8 +- 5 files changed, 12 insertions(+), 404 deletions(-) create mode 100644 clamav-0.95.1.tar.bz2 delete mode 100644 clamav-0.95.tar.bz2 delete mode 100644 clamav-milter.patch diff --git a/clamav-0.95.1.tar.bz2 b/clamav-0.95.1.tar.bz2 new file mode 100644 index 0000000..bf6c421 --- /dev/null +++ b/clamav-0.95.1.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:84ce8f1aad04a66dfc7af54bb91dfbda23c4171ea16496d5de460ef040e1b0d4 +size 24098220 diff --git a/clamav-0.95.tar.bz2 b/clamav-0.95.tar.bz2 deleted file mode 100644 index ebe4291..0000000 --- a/clamav-0.95.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:5f4ad3db46fa7d19b530c5651d04334e39ec24a1223f79c93612aaeb413b24d5 -size 23934489 diff --git a/clamav-milter.patch b/clamav-milter.patch deleted file mode 100644 index 9d95360..0000000 --- a/clamav-milter.patch +++ /dev/null @@ -1,397 +0,0 @@ ---- clamav-milter/Makefile.in -+++ clamav-milter/Makefile.in -@@ -58,10 +58,11 @@ - ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 - am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \ - $(top_srcdir)/m4/argz.m4 $(top_srcdir)/m4/fdpassing.m4 \ -- $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ -- $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltdl.m4 \ -- $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ -- $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ -+ $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ -+ $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \ -+ $(top_srcdir)/m4/ltdl.m4 $(top_srcdir)/m4/ltoptions.m4 \ -+ $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ -+ $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/m4/mmap_private.m4 $(top_srcdir)/m4/resolv.m4 \ - $(top_srcdir)/configure.in - am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ ---- clamav-milter/clamav-milter.c -+++ clamav-milter/clamav-milter.c -@@ -211,6 +211,14 @@ - return 1; - } - -+ if((opt = optget(opts, "SkipAuthenticated"))->enabled && smtpauth_init(opt->strarg)) { -+ localnets_free(); -+ whitelist_free(); -+ logg_close(); -+ optfree(opts); -+ return 1; -+ } -+ - if(optget(opts, "AddHeader")->enabled) { - char myname[255]; - ---- clamav-milter/clamfi.c -+++ clamav-milter/clamfi.c -@@ -61,6 +61,7 @@ - } loginfected; - - #define CLAMFIBUFSZ 1424 -+static const char *HDR_UNAVAIL = "UNKNOWN"; - - struct CLAMFI { - char buffer[CLAMFIBUFSZ]; -@@ -74,6 +75,7 @@ - unsigned int totsz; - unsigned int bufsz; - unsigned int all_whitelisted; -+ unsigned int gotbody; - }; - - -@@ -91,12 +93,15 @@ - }; - - --void makesanehdr(char *hdr) { -+static const char *makesanehdr(char *hdr) { -+ char *ret = hdr; -+ if(!hdr) return HDR_UNAVAIL; - while(*hdr) { - if(*hdr=='\'' || *hdr=='\t' || *hdr=='\r' || *hdr=='\n' || !isprint(*hdr)) - *hdr = ' '; - hdr++; - } -+ return ret; - } - - static void nullify(SMFICTX *ctx, struct CLAMFI *cf, enum CFWHAT closewhat) { -@@ -113,9 +118,22 @@ - - - static sfsistat sendchunk(struct CLAMFI *cf, unsigned char *bodyp, size_t len, SMFICTX *ctx) { -- if(cf->totsz >= maxfilesize) -+ if(cf->totsz >= maxfilesize || len == 0) - return SMFIS_CONTINUE; - -+ if(!cf->totsz) { -+ sfsistat ret; -+ if(nc_connect_rand(&cf->main, &cf->alt, &cf->local)) { -+ logg("!Failed to initiate streaming/fdpassing\n"); -+ nullify(ctx, cf, CF_NONE); -+ return FailAction; -+ } -+ cf->totsz = 1; /* do not infloop */ -+ if((ret = sendchunk(cf, (unsigned char *)"From clamav-milter\n", 19, ctx)) != SMFIS_CONTINUE) -+ return ret; -+ cf->totsz -= 1; -+ } -+ - if(cf->totsz + len > maxfilesize) - len = maxfilesize - cf->totsz; - -@@ -166,35 +184,28 @@ - if(!(cf = (struct CLAMFI *)smfi_getpriv(ctx))) - return SMFIS_CONTINUE; /* whatever */ - -- if(loginfected == LOGINF_FULL) { -- if(headerf && !strcasecmp(headerf, "Subject") && !cf->msg_subj) -- cf->msg_subj = strdup(headerv); -- if(headerf && !strcasecmp(headerf, "Date") && !cf->msg_date) -- cf->msg_date = strdup(headerv); -- if(headerf && !strcasecmp(headerf, "Message-ID") && !cf->msg_id) -- cf->msg_id = strdup(headerv); -+ if(!cf->totsz && cf->all_whitelisted) { -+ logg("*Skipping scan (all destinations whitelisted)\n"); -+ nullify(ctx, cf, CF_NONE); -+ return SMFIS_ACCEPT; - } - -- if(!cf->totsz) { -- if(cf->all_whitelisted) { -- logg("*Skipping scan (all destinations whitelisted)\n"); -- nullify(ctx, cf, CF_NONE); -- return SMFIS_ACCEPT; -- } -- if(nc_connect_rand(&cf->main, &cf->alt, &cf->local)) { -- logg("!Failed to initiate streaming/fdpassing\n"); -- nullify(ctx, cf, CF_NONE); -- return FailAction; -- } -- if((ret = sendchunk(cf, (unsigned char *)"From clamav-milter\n", 19, ctx)) != SMFIS_CONTINUE) -- return ret; -+ if(!headerf) return SMFIS_CONTINUE; /* just in case */ -+ -+ if(loginfected == LOGINF_FULL) { -+ if(!cf->msg_subj && !strcasecmp(headerf, "Subject")) -+ cf->msg_subj = strdup(headerv ? headerv : ""); -+ if(!cf->msg_date && !strcasecmp(headerf, "Date")) -+ cf->msg_date = strdup(headerv ? headerv : ""); -+ if(!cf->msg_id && !strcasecmp(headerf, "Message-ID")) -+ cf->msg_id = strdup(headerv ? headerv : ""); - } - - if((ret = sendchunk(cf, (unsigned char *)headerf, strlen(headerf), ctx)) != SMFIS_CONTINUE) - return ret; - if((ret = sendchunk(cf, (unsigned char *)": ", 2, ctx)) != SMFIS_CONTINUE) - return ret; -- if((ret = sendchunk(cf, (unsigned char *)headerv, strlen(headerv), ctx)) != SMFIS_CONTINUE) -+ if(headerv && (ret = sendchunk(cf, (unsigned char *)headerv, strlen(headerv), ctx)) != SMFIS_CONTINUE) - return ret; - return sendchunk(cf, (unsigned char *)"\r\n", 2, ctx); - } -@@ -205,6 +216,14 @@ - - if(!(cf = (struct CLAMFI *)smfi_getpriv(ctx))) - return SMFIS_CONTINUE; /* whatever */ -+ -+ if(!cf->gotbody) { -+ sfsistat ret = sendchunk(cf, (unsigned char *)"\r\n", 2, ctx); -+ if(ret != SMFIS_CONTINUE) -+ return ret; -+ cf->gotbody = 1; -+ } -+ - return sendchunk(cf, bodyp, len, ctx); - } - -@@ -225,6 +244,14 @@ - if(!(cf = (struct CLAMFI *)smfi_getpriv(ctx))) - return SMFIS_CONTINUE; /* whatever */ - -+ if(!cf->totsz) { -+ /* got no headers and no body */ -+ logg("*Not scanning an empty message\n"); -+ ret = CleanAction(ctx); -+ nullify(ctx, cf, CF_NONE); -+ return ret; -+ } -+ - if(cf->local) { - if(nc_send(cf->main, "nFILDES\n", 8)) { - logg("!FD scan request failed\n"); -@@ -286,18 +313,19 @@ - } - - if(loginfected) { -- const char *from = smfi_getsymval(ctx, "{mail_addr}"), *to = smfi_getsymval(ctx, "{rcpt_addr}"); -- -- if(!from) from = "UNKNOWN"; -- if(!to) to = "UNKNOWN"; -- -+ const char *from = smfi_getsymval(ctx, "{mail_addr}"); -+ const char *to = smfi_getsymval(ctx, "{rcpt_addr}"); -+ -+ if(!from) from = HDR_UNAVAIL; -+ if(!to) to = HDR_UNAVAIL; - if(loginfected == LOGINF_FULL) { - const char *id = smfi_getsymval(ctx, "{i}"); -+ const char *msg_subj = makesanehdr(cf->msg_subj); -+ const char *msg_date = makesanehdr(cf->msg_date); -+ const char *msg_id = makesanehdr(cf->msg_id); - -- makesanehdr(cf->msg_subj); -- makesanehdr(cf->msg_date); -- makesanehdr(cf->msg_id); -- logg("~Message %s from <%s> to <%s> with subject '%s' message-id '%s' date '%s' infected by %s\n", id ? id : "UNKNOWN", from, to, cf->msg_subj, cf->msg_id, cf->msg_date, vir); -+ if(!id) id = HDR_UNAVAIL; -+ logg("~Message %s from <%s> to <%s> with subject '%s' message-id '%s' date '%s' infected by %s\n", id, from, to, msg_subj, msg_id, msg_date, vir); - } else logg("~Message from <%s> to <%s> infected by %s\n", from, to, vir); - } - } -@@ -504,12 +532,18 @@ - - sfsistat clamfi_envfrom(SMFICTX *ctx, char **argv) { - struct CLAMFI *cf; -+ const char *login = smfi_getsymval(ctx, "{auth_authen}"); -+ -+ if(login && smtpauthed(login)) { -+ logg("*Skipping scan for authenticated user %s\n", login); -+ return SMFIS_ACCEPT; -+ } - - if(whitelisted(argv[0], 1)) { - logg("*Skipping scan for %s (whitelisted from)\n", argv[0]); - return SMFIS_ACCEPT; - } -- -+ - if(!(cf = (struct CLAMFI *)malloc(sizeof(*cf)))) { - logg("!Failed to allocate CLAMFI struct\n"); - return FailAction; -@@ -518,6 +552,7 @@ - cf->bufsz = 0; - cf->main = cf->alt = -1; - cf->all_whitelisted = 1; -+ cf->gotbody = 0; - cf->msg_subj = cf->msg_date = cf->msg_id = NULL; - smfi_setpriv(ctx, (void *)cf); - ---- clamav-milter/netcode.c -+++ clamav-milter/netcode.c -@@ -129,7 +129,7 @@ - close(s); - return -1; - } -- if (getsockopt(s, SOL_SOCKET, SO_ERROR, &s_err, &s_len) || s_err) { -+ if(getsockopt(s, SOL_SOCKET, SO_ERROR, &s_err, &s_len) || s_err) { - logg("*Failed to establish a connection to clamd\n"); - close(s); - return -1; -@@ -163,8 +163,6 @@ - tv.tv_usec = 0; - while(1) { - fd_set fds; -- int s_err; -- socklen_t s_len = sizeof(s_err); - - FD_ZERO(&fds); - FD_SET(s, &fds); -@@ -177,12 +175,10 @@ - tv.tv_usec = 0; - continue; - } -- logg("!Failed stream to clamd\n"); -+ logg("!Failed to stream to clamd\n"); - close(s); - return 1; - } -- len-=s_len; -- buf+=s_len; - break; - } - } ---- clamav-milter/whitelist.c -+++ clamav-milter/whitelist.c -@@ -25,8 +25,8 @@ - #include - #include - #include --#include - -+#include "libclamav/regex/regex.h" - #include "shared/output.h" - #include "whitelist.h" - -@@ -38,17 +38,20 @@ - struct WHLST *wfrom = NULL; - struct WHLST *wto = NULL; - -+int skipauth = 0; -+regex_t authreg; -+ - void whitelist_free(void) { - struct WHLST *w; - while(wfrom) { - w = wfrom->next; -- regfree(&wfrom->preg); -+ cli_regfree(&wfrom->preg); - free(wfrom); - wfrom = w; - } - while(wto) { - w = wto->next; -- regfree(&wto->preg); -+ cli_regfree(&wto->preg); - free(wto); - wto = w; - } -@@ -85,14 +88,14 @@ - } - if(!len) continue; - if (!(w = (struct WHLST *)malloc(sizeof(*w)))) { -- logg("!Out of memory loading whitelist\n"); -+ logg("!Out of memory loading whitelist file\n"); - whitelist_free(); - return 1; - } - w->next = (*addto); - (*addto) = w; -- if (regcomp(&w->preg, ptr, REG_ICASE|REG_NOSUB)) { -- logg("!Failed to compile regex '%s'\n", ptr); -+ if (cli_regcomp(&w->preg, ptr, REG_ICASE|REG_NOSUB)) { -+ logg("!Failed to compile regex '%s' in whitelist file\n", ptr); - whitelist_free(); - return 1; - } -@@ -108,13 +111,30 @@ - else w = wto; - - while(w) { -- if(!regexec(&w->preg, addr, 0, NULL, 0)) -+ if(!cli_regexec(&w->preg, addr, 0, NULL, 0)) - return 1; - w = w->next; - } - return 0; - } - -+ -+int smtpauth_init(const char *r) { -+ if (cli_regcomp(&authreg, r, REG_ICASE|REG_NOSUB|REG_EXTENDED)) { -+ logg("!Failed to compile regex '%s' for SkipAuthSenders\n", r); -+ return 1; -+ } -+ skipauth = 1; -+ return 0; -+} -+ -+ -+int smtpauthed(const char *login) { -+ if(skipauth && !cli_regexec(&authreg, login, 0, NULL, 0)) -+ return 1; -+ return 0; -+} -+ - - /* - * Local Variables: ---- clamav-milter/whitelist.h -+++ clamav-milter/whitelist.h -@@ -24,4 +24,6 @@ - int whitelist_init(const char *fname); - void whitelist_free(void); - int whitelisted(const char *addr, int from); -+int smtpauth_init(const char *r); -+int smtpauthed(const char *login); - #endif ---- etc/clamav-milter.conf -+++ etc/clamav-milter.conf -@@ -94,7 +94,7 @@ - #LocalNet 192.168.0.0/24 - #LocalNet 1111:2222:3333::/48 - --# This option specifies a file which contains a list of POSIX regular -+# This option specifies a file which contains a list of basic POSIX regular - # expressions. Addresses (sent to or from - see below) matching these regexes - # will not be scanned. Optionally each line can start with the string "From:" - # or "To:" (note: no whitespace after the colon) indicating if it is, -@@ -105,6 +105,13 @@ - # Default unset (no exclusion applied) - #Whitelist /etc/whitelisted_addresses - -+# Messages from authenticated SMTP users matching this extended POSIX -+# regular expression (egrep-like) will not be scanned. -+# Note: this is the AUTH login name! -+# -+# Default: unset (no whitelisting based on SMTP auth) -+#SkipAuthenticated ^(tom|dick|henry)$ -+ - - ## - ## Actions ---- shared/optparser.c -+++ shared/optparser.c -@@ -382,7 +382,9 @@ - - { "Chroot", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "Chroot to the specified directory.\nChrooting is performed just after reading the config file and before\ndropping privileges.", "/newroot" }, - -- { "Whitelist", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "This option specifies a file which contains a list of POSIX regular\nexpressions. Addresses (sent to or from - see below) matching these regexes\nwill not be scanned. Optionally each line can start with the string \"From:\"\nor \"To:\" (note: no whitespace after the colon) indicating if it is,\nrespectively, the sender or recipient that is to be whitelisted.\nIf the field is missing, \"To:\" is assumed.\nLines starting with #, : or ! are ignored.", "/etc/whitelisted_addresses" }, -+ { "Whitelist", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "This option specifies a file which contains a list of basic POSIX regular\nexpressions. Addresses (sent to or from - see below) matching these regexes\nwill not be scanned. Optionally each line can start with the string \"From:\"\nor \"To:\" (note: no whitespace after the colon) indicating if it is,\nrespectively, the sender or recipient that is to be whitelisted.\nIf the field is missing, \"To:\" is assumed.\nLines starting with #, : or ! are ignored.", "/etc/whitelisted_addresses" }, -+ -+ { "SkipAuthenticated", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "Messages from authenticated SMTP users matching this extended POSIX\nregular expression (egrep-like) will not be scanned.\nNote: this is the AUTH login name!", "SkipAuthenticated ^(tom|dick|henry)$" }, - - { "LogInfected", NULL, 0, TYPE_STRING, NULL, -1, NULL, 0, OPT_MILTER, "This option allows to tune what is logged when a message is infected.\nPossible values are Off (the default - nothing is logged),\nBasic (minimal info logged), Full (verbose info logged)", "Basic" }, - diff --git a/clamav.changes b/clamav.changes index 0861a19..e9ff923 100644 --- a/clamav.changes +++ b/clamav.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Apr 14 16:04:26 CEST 2009 - max@suse.de + +- Security release: 0.95.1 (bnc#493562) + ------------------------------------------------------------------- Mon Apr 6 17:14:47 CEST 2009 - max@suse.de diff --git a/clamav.spec b/clamav.spec index a011c6c..cccf141 100644 --- a/clamav.spec +++ b/clamav.spec @@ -1,5 +1,5 @@ # -# spec file for package clamav (Version 0.95) +# spec file for package clamav (Version 0.95.1) # # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -30,7 +30,7 @@ BuildRequires: check-devel pwdutils %define clamav_check --disable-check %endif Summary: Antivirus Toolkit -Version: 0.95 +Version: 0.95.1 Release: 1 License: GPL v2 or later Group: Productivity/Security @@ -47,7 +47,6 @@ Source3: clamav-updateclamconf Source4: clamav-rpmlintrc Source5: clamav-rcmilter Patch1: clamav-conf.patch -Patch2: clamav-milter.patch Patch3: clamav-valgrind.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -87,7 +86,6 @@ Authors: %prep %setup -q %patch1 -%patch2 %patch3 %build @@ -261,6 +259,8 @@ for f in main daily; do done %changelog +* Tue Apr 14 2009 max@suse.de +- Security release: 0.95.1 (bnc#493562) * Mon Apr 06 2009 max@suse.de - Version 0.95 also fixes two security issues: bnc#491935 and bnc#491938.