From a2ea93b4246151e74c6dddc299d21d4019b936d1f8c5c658e78ba380f137fd78 Mon Sep 17 00:00:00 2001
From: Robert Frohl <rfrohl@suse.com>
Date: Fri, 6 May 2022 09:28:32 +0000
Subject: [PATCH] Accepting request 975241 from home:adkorte:branches:security

- Update to 0.103.6
  * CVE-2022-20770: Fixed a possible infinite loop vulnerability in the CHM
    file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS
    version 0.103.5 and prior versions.
  * CVE-2022-20796: Fixed a possible NULL-pointer dereference crash in the
    scan verdict cache check. Issue affects versions 0.103.4, 0.103.5,
    0.104.1, and 0.104.2.
  * CVE-2022-20771: Fixed a possible infinite loop vulnerability in the
    TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and
    LTS version 0.103.5 and prior versions. The issue only occurs if the
    "--alert-broken-media" ClamScan option is enabled. For ClamD, the
    affected option is "AlertBrokenMedia yes", and for libclamav it is the
    "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option.
  * CVE-2022-20785: Fixed a possible memory leak in the HTML file parser /
    Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2
    and LTS version 0.103.5 and prior versions.
  * CVE-2022-20792: Fixed a possible multi-byte heap buffer overflow write
    vulnerability in the signature database load module. The fix was to
    update the vendored regex library to the latest version. Issue affects
    versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior
    versions.
  * ClamOnAcc: Fixed a number of assorted stability issues and added
    niceties for debugging ClamOnAcc.
  * Fixed an issue causing byte-compare subsignatures to cause an alert
    when they match even if other conditions of the given logical
    signatures were not met.
  * Fix memleak when using multiple byte-compare subsignatures. This fix
    was backported from 0.104.0.
  * Assorted bug fixes and improvements.
- Remove upstreamed clamav-ck_assert_msg.patch

OBS-URL: https://build.opensuse.org/request/show/975241
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=232
---
 clamav-0.103.5.tar.gz      |  3 ---
 clamav-0.103.5.tar.gz.sig  | 16 ----------------
 clamav-0.103.6.tar.gz      |  3 +++
 clamav-0.103.6.tar.gz.sig  | 16 ++++++++++++++++
 clamav-ck_assert_msg.patch | 22 ----------------------
 clamav.changes             | 34 ++++++++++++++++++++++++++++++++++
 clamav.spec                |  4 +---
 7 files changed, 54 insertions(+), 44 deletions(-)
 delete mode 100644 clamav-0.103.5.tar.gz
 delete mode 100644 clamav-0.103.5.tar.gz.sig
 create mode 100644 clamav-0.103.6.tar.gz
 create mode 100644 clamav-0.103.6.tar.gz.sig
 delete mode 100644 clamav-ck_assert_msg.patch

diff --git a/clamav-0.103.5.tar.gz b/clamav-0.103.5.tar.gz
deleted file mode 100644
index c8ad812..0000000
--- a/clamav-0.103.5.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1e74b1e1d2a8a9056449c313f48a6983b9d5ba0d6fb5ef0b2be6ad3c841a5426
-size 16434316
diff --git a/clamav-0.103.5.tar.gz.sig b/clamav-0.103.5.tar.gz.sig
deleted file mode 100644
index 2335009..0000000
--- a/clamav-0.103.5.tar.gz.sig
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJh3ZK/AAoJEGCbAk8rPt0HxwkP/iSf9aUJipn5YgqjqyVC1fKl
-wUwvV8KoPH7C2kgo0AKZFTKRxaRahvL1WLx6PnnArl1ZVoH2JVrqm/1+Z8MT9U7J
-YOKG3aI+KgBNG6ihxizsL37ZNn4aE7ne4SY7219rei7IW12OyiUvIkF3kA9lHtDX
-/cqkrqu9GT7pB5dxt+GCQ/oX1cgMzV6/Hg9wE4DS0hSuQy74WRUZ/Rp+JAeQ7dUv
-4u1dkGoUJQpo4g94amwOqcHlc+bBZMItTVSoJercjl8eOZqxSEN7kkHa2MrPFiaX
-AJN4B4wMfrxi+jn+HUo7TshrRkzUzP0i+rIAn3hsvG4sjOxH/vWrCyfOGCIQb/l+
-ug1gBJ4LDSoQ9rL41c1OBYFPKhbrTYCSs+TULoKSFCJv8RgQA7/Vu3bulIHFRhtp
-Lpvhgo1fsb741EVSoPFqQJe+XUAdH5BsW03TZuHnuIEnLvHbctYDJlkg0KN2IYg+
-4JgO65spoEHW2hldKR0A8W8U4+bPC2+94QuLoV6OXrnlL8qCj9RhRqywBM4gqSgC
-p9rnx0E0tTrCDmevXn0IvTbwqxjtC8ig/mJejc4TiV70ps8xgLBeml4xsgr+PLYn
-Obwf8/GOY3RwGQQMROLQSChenvXU/qnjqDRRzVtZSgBF7xBlGJ1xVm7pRLA/OF5d
-sbOrPkTfkT+0ayLU46vg
-=lf26
------END PGP SIGNATURE-----
diff --git a/clamav-0.103.6.tar.gz b/clamav-0.103.6.tar.gz
new file mode 100644
index 0000000..8d8780f
--- /dev/null
+++ b/clamav-0.103.6.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aaa12e3dc19f1d323b1c50d7a10fa8af557e4390149e864d59bde39b6ad9ba33
+size 16491761
diff --git a/clamav-0.103.6.tar.gz.sig b/clamav-0.103.6.tar.gz.sig
new file mode 100644
index 0000000..4a2fcfa
--- /dev/null
+++ b/clamav-0.103.6.tar.gz.sig
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJicDP4AAoJEGCbAk8rPt0HoMcP/i4uV0VatuqjIL1ULq5/Q7Wl
+EQoo6J3SvnvbyDQSeQV/eBT3kmSvFonz1d2erg85uM/+JHzMPatFu44xJ8cXDmX8
+RhjVeJepMnKkXnP3MIdIbXnQJFkFxlOrNuJQ19waDbbe0PSySj9Z8XjhepdnnWFW
+bZH0Oo+EyXK/KGLQkdNEXJH0hJtcy2VowYizNO15xszTcZn/weiggzkVUOj99i8N
+oLtnQ6g9gLZtI7AFSw35ISnJ4ZEGGsuOy7ABTzu0rgJEka2A5JxicNhh/X058EXe
+7UmqDJWHpc6CCu9cip03M/q7yNFz3mO+Su7P3fPZ0q3wGuYbodIVXec57j7BvvMO
+/ehEmUg9FAeQa6Y9ub6c2HNYRkt652uRYvpRBh/Fwd/Jlx14kddW3pfNq7TUDJaU
+KHQuEyfXRs96kwzKI5SWb7T6/bdvwl8mxzIBbCvftsxtuRVbDsIsgzduq8Yyct1L
+kcdzs5jPNzPeLPD02W/6GeVbaJiJC2P3Ic4u0EKBjjLHuTYwOtIqp+He76aBx09Y
+/lMfkFCteld8ivy29IRuidgsbgx5fyp3pB7c6CWZJU1ks/6gxcfY6VGKDVdbRPiq
+n1w0xG9leSX3C3aAsRNVAaTyifqrjZZurFZTLFeM9W8/pB02MvsNo2wx/ALEWKzc
+YHfGNkn6ucI+Rf7ShWiq
+=nD0e
+-----END PGP SIGNATURE-----
diff --git a/clamav-ck_assert_msg.patch b/clamav-ck_assert_msg.patch
deleted file mode 100644
index 29554cd..0000000
--- a/clamav-ck_assert_msg.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 58d199cbe00e8a5ef5858ffc7991a346b9f3469e Mon Sep 17 00:00:00 2001
-From: Orion Poplawski <orion@nwra.com>
-Date: Thu, 17 Sep 2020 22:26:04 -0600
-Subject: [PATCH] Fix ck_assert_msg() call
-
----
- unit_tests/check_jsnorm.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/unit_tests/check_jsnorm.c b/unit_tests/check_jsnorm.c
-index 5067a21a55..64f6bf8b37 100644
---- a/unit_tests/check_jsnorm.c
-+++ b/unit_tests/check_jsnorm.c
-@@ -247,7 +247,7 @@ static void tokenizer_test(const char *in, const char *expected, int split)
-     fd = open(filename, O_RDONLY);
-     if (fd < 0) {
-         jstest_teardown();
--        ck_assert_msg("failed to open output file: %s", filename);
-+        ck_assert_msg(0, "failed to open output file: %s", filename);
-     }
- 
-     diff_file_mem(fd, expected, len);
diff --git a/clamav.changes b/clamav.changes
index b438f1d..08d63c5 100644
--- a/clamav.changes
+++ b/clamav.changes
@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Thu May  5 15:50:42 UTC 2022 - Arjen de Korte <suse+build@de-korte.org>
+
+- Update to 0.103.6
+  * CVE-2022-20770: Fixed a possible infinite loop vulnerability in the CHM
+    file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS
+    version 0.103.5 and prior versions.
+  * CVE-2022-20796: Fixed a possible NULL-pointer dereference crash in the
+    scan verdict cache check. Issue affects versions 0.103.4, 0.103.5,
+    0.104.1, and 0.104.2.
+  * CVE-2022-20771: Fixed a possible infinite loop vulnerability in the
+    TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and
+    LTS version 0.103.5 and prior versions. The issue only occurs if the
+    "--alert-broken-media" ClamScan option is enabled. For ClamD, the
+    affected option is "AlertBrokenMedia yes", and for libclamav it is the
+    "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option.
+  * CVE-2022-20785: Fixed a possible memory leak in the HTML file parser /
+    Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2
+    and LTS version 0.103.5 and prior versions.
+  * CVE-2022-20792: Fixed a possible multi-byte heap buffer overflow write
+    vulnerability in the signature database load module. The fix was to
+    update the vendored regex library to the latest version. Issue affects
+    versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior
+    versions.
+  * ClamOnAcc: Fixed a number of assorted stability issues and added
+    niceties for debugging ClamOnAcc.
+  * Fixed an issue causing byte-compare subsignatures to cause an alert
+    when they match even if other conditions of the given logical
+    signatures were not met.
+  * Fix memleak when using multiple byte-compare subsignatures. This fix
+    was backported from 0.104.0.
+  * Assorted bug fixes and improvements.
+- Remove upstreamed clamav-ck_assert_msg.patch
+
 -------------------------------------------------------------------
 Tue Apr 12 13:56:37 UTC 2022 - Marcus Meissner <meissner@suse.com>
 
diff --git a/clamav.spec b/clamav.spec
index b886909..b12d28d 100644
--- a/clamav.spec
+++ b/clamav.spec
@@ -19,7 +19,7 @@
 %bcond_with	clammspack
 %bcond_with	valgrind
 Name:           clamav
-Version:        0.103.5
+Version:        0.103.6
 Release:        0
 Summary:        Antivirus Toolkit
 License:        GPL-2.0-only
@@ -39,7 +39,6 @@ Patch1:         clamav-conf.patch
 Patch5:         clamav-obsolete-config.patch
 Patch6:         clamav-disable-yara.patch
 Patch12:        clamav-fips.patch
-Patch13:        clamav-ck_assert_msg.patch
 Patch14:        clamav-document-maxsize.patch
 
 BuildRequires:  autoconf
@@ -148,7 +147,6 @@ that want to make use of libclamav.
 %patch5
 %patch6
 %patch12
-%patch13 -p1
 %patch14 -p1
 
 %build