Accepting request 975241 from home:adkorte:branches:security

- Update to 0.103.6
  * CVE-2022-20770: Fixed a possible infinite loop vulnerability in the CHM
    file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS
    version 0.103.5 and prior versions.
  * CVE-2022-20796: Fixed a possible NULL-pointer dereference crash in the
    scan verdict cache check. Issue affects versions 0.103.4, 0.103.5,
    0.104.1, and 0.104.2.
  * CVE-2022-20771: Fixed a possible infinite loop vulnerability in the
    TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and
    LTS version 0.103.5 and prior versions. The issue only occurs if the
    "--alert-broken-media" ClamScan option is enabled. For ClamD, the
    affected option is "AlertBrokenMedia yes", and for libclamav it is the
    "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option.
  * CVE-2022-20785: Fixed a possible memory leak in the HTML file parser /
    Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2
    and LTS version 0.103.5 and prior versions.
  * CVE-2022-20792: Fixed a possible multi-byte heap buffer overflow write
    vulnerability in the signature database load module. The fix was to
    update the vendored regex library to the latest version. Issue affects
    versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior
    versions.
  * ClamOnAcc: Fixed a number of assorted stability issues and added
    niceties for debugging ClamOnAcc.
  * Fixed an issue causing byte-compare subsignatures to cause an alert
    when they match even if other conditions of the given logical
    signatures were not met.
  * Fix memleak when using multiple byte-compare subsignatures. This fix
    was backported from 0.104.0.
  * Assorted bug fixes and improvements.
- Remove upstreamed clamav-ck_assert_msg.patch

OBS-URL: https://build.opensuse.org/request/show/975241
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=232

clamav-0.103.5.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1e74b1e1d2a8a9056449c313f48a6983b9d5ba0d6fb5ef0b2be6ad3c841a5426
-size 16434316

clamav-0.103.5.tar.gz.sig

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJh3ZK/AAoJEGCbAk8rPt0HxwkP/iSf9aUJipn5YgqjqyVC1fKl
-wUwvV8KoPH7C2kgo0AKZFTKRxaRahvL1WLx6PnnArl1ZVoH2JVrqm/1+Z8MT9U7J
-YOKG3aI+KgBNG6ihxizsL37ZNn4aE7ne4SY7219rei7IW12OyiUvIkF3kA9lHtDX
-/cqkrqu9GT7pB5dxt+GCQ/oX1cgMzV6/Hg9wE4DS0hSuQy74WRUZ/Rp+JAeQ7dUv
-4u1dkGoUJQpo4g94amwOqcHlc+bBZMItTVSoJercjl8eOZqxSEN7kkHa2MrPFiaX
-AJN4B4wMfrxi+jn+HUo7TshrRkzUzP0i+rIAn3hsvG4sjOxH/vWrCyfOGCIQb/l+
-ug1gBJ4LDSoQ9rL41c1OBYFPKhbrTYCSs+TULoKSFCJv8RgQA7/Vu3bulIHFRhtp
-Lpvhgo1fsb741EVSoPFqQJe+XUAdH5BsW03TZuHnuIEnLvHbctYDJlkg0KN2IYg+
-4JgO65spoEHW2hldKR0A8W8U4+bPC2+94QuLoV6OXrnlL8qCj9RhRqywBM4gqSgC
-p9rnx0E0tTrCDmevXn0IvTbwqxjtC8ig/mJejc4TiV70ps8xgLBeml4xsgr+PLYn
-Obwf8/GOY3RwGQQMROLQSChenvXU/qnjqDRRzVtZSgBF7xBlGJ1xVm7pRLA/OF5d
-sbOrPkTfkT+0ayLU46vg
-=lf26
------END PGP SIGNATURE-----

clamav-0.103.6.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:aaa12e3dc19f1d323b1c50d7a10fa8af557e4390149e864d59bde39b6ad9ba33
+size 16491761

clamav-0.103.6.tar.gz.sig

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJicDP4AAoJEGCbAk8rPt0HoMcP/i4uV0VatuqjIL1ULq5/Q7Wl
+EQoo6J3SvnvbyDQSeQV/eBT3kmSvFonz1d2erg85uM/+JHzMPatFu44xJ8cXDmX8
+RhjVeJepMnKkXnP3MIdIbXnQJFkFxlOrNuJQ19waDbbe0PSySj9Z8XjhepdnnWFW
+bZH0Oo+EyXK/KGLQkdNEXJH0hJtcy2VowYizNO15xszTcZn/weiggzkVUOj99i8N
+oLtnQ6g9gLZtI7AFSw35ISnJ4ZEGGsuOy7ABTzu0rgJEka2A5JxicNhh/X058EXe
+7UmqDJWHpc6CCu9cip03M/q7yNFz3mO+Su7P3fPZ0q3wGuYbodIVXec57j7BvvMO
+/ehEmUg9FAeQa6Y9ub6c2HNYRkt652uRYvpRBh/Fwd/Jlx14kddW3pfNq7TUDJaU
+KHQuEyfXRs96kwzKI5SWb7T6/bdvwl8mxzIBbCvftsxtuRVbDsIsgzduq8Yyct1L
+kcdzs5jPNzPeLPD02W/6GeVbaJiJC2P3Ic4u0EKBjjLHuTYwOtIqp+He76aBx09Y
+/lMfkFCteld8ivy29IRuidgsbgx5fyp3pB7c6CWZJU1ks/6gxcfY6VGKDVdbRPiq
+n1w0xG9leSX3C3aAsRNVAaTyifqrjZZurFZTLFeM9W8/pB02MvsNo2wx/ALEWKzc
+YHfGNkn6ucI+Rf7ShWiq
+=nD0e
+-----END PGP SIGNATURE-----

clamav-ck_assert_msg.patch

@@ -1,22 +0,0 @@
-From 58d199cbe00e8a5ef5858ffc7991a346b9f3469e Mon Sep 17 00:00:00 2001
-From: Orion Poplawski <orion@nwra.com>
-Date: Thu, 17 Sep 2020 22:26:04 -0600
-Subject: [PATCH] Fix ck_assert_msg() call
-
----
- unit_tests/check_jsnorm.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/unit_tests/check_jsnorm.c b/unit_tests/check_jsnorm.c
-index 5067a21a55..64f6bf8b37 100644
---- a/unit_tests/check_jsnorm.c
-+++ b/unit_tests/check_jsnorm.c
-@@ -247,7 +247,7 @@ static void tokenizer_test(const char *in, const char *expected, int split)
-     fd = open(filename, O_RDONLY);
-     if (fd < 0) {
-         jstest_teardown();
--        ck_assert_msg("failed to open output file: %s", filename);
-+        ck_assert_msg(0, "failed to open output file: %s", filename);
-     }
- 
-     diff_file_mem(fd, expected, len);

clamav.changes

@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Thu May  5 15:50:42 UTC 2022 - Arjen de Korte <suse+build@de-korte.org>
+
+- Update to 0.103.6
+  * CVE-2022-20770: Fixed a possible infinite loop vulnerability in the CHM
+    file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS
+    version 0.103.5 and prior versions.
+  * CVE-2022-20796: Fixed a possible NULL-pointer dereference crash in the
+    scan verdict cache check. Issue affects versions 0.103.4, 0.103.5,
+    0.104.1, and 0.104.2.
+  * CVE-2022-20771: Fixed a possible infinite loop vulnerability in the
+    TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and
+    LTS version 0.103.5 and prior versions. The issue only occurs if the
+    "--alert-broken-media" ClamScan option is enabled. For ClamD, the
+    affected option is "AlertBrokenMedia yes", and for libclamav it is the
+    "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option.
+  * CVE-2022-20785: Fixed a possible memory leak in the HTML file parser /
+    Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2
+    and LTS version 0.103.5 and prior versions.
+  * CVE-2022-20792: Fixed a possible multi-byte heap buffer overflow write
+    vulnerability in the signature database load module. The fix was to
+    update the vendored regex library to the latest version. Issue affects
+    versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior
+    versions.
+  * ClamOnAcc: Fixed a number of assorted stability issues and added
+    niceties for debugging ClamOnAcc.
+  * Fixed an issue causing byte-compare subsignatures to cause an alert
+    when they match even if other conditions of the given logical
+    signatures were not met.
+  * Fix memleak when using multiple byte-compare subsignatures. This fix
+    was backported from 0.104.0.
+  * Assorted bug fixes and improvements.
+- Remove upstreamed clamav-ck_assert_msg.patch
+
 -------------------------------------------------------------------
 Tue Apr 12 13:56:37 UTC 2022 - Marcus Meissner <meissner@suse.com>
 

clamav.spec

@@ -19,7 +19,7 @@
 %bcond_with	clammspack
 %bcond_with	valgrind
 Name:           clamav
-Version:        0.103.5
+Version:        0.103.6
 Release:        0
 Summary:        Antivirus Toolkit
 License:        GPL-2.0-only
@@ -39,7 +39,6 @@ Patch1:         clamav-conf.patch
 Patch5:         clamav-obsolete-config.patch
 Patch6:         clamav-disable-yara.patch
 Patch12:        clamav-fips.patch
-Patch13:        clamav-ck_assert_msg.patch
 Patch14:        clamav-document-maxsize.patch
 
 BuildRequires:  autoconf
@@ -148,7 +147,6 @@ that want to make use of libclamav.
 %patch5
 %patch6
 %patch12
-%patch13 -p1
 %patch14 -p1
 
 %build