Accepting request 821356 from home:adkorte

- Update to 0.102.4
  * CVE-2020-3350: Fix a vulnerability wherein a malicious user could
    replace a scan target's directory with a symlink to another path
    to trick clamscan, clamdscan, or clamonacc into removing or moving
    a different file (eg. a critical system file). The issue would
    affect users that use the --move or --remove options for clamscan,
    clamdscan, and clamonacc.
  * CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing
    module in ClamAV 0.102.3 that could cause a Denial-of-Service
    (DoS) condition. Improper bounds checking results in an
    out-of-bounds read which could cause a crash. The previous fix for
    this CVE in 0.102.3 was incomplete. This fix correctly resolves
    the issue.
  * CVE-2020-3481: Fix a vulnerability in the EGG archive module in
    ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS)
    condition. Improper error handling may result in a crash due to a
    NULL pointer dereference. This vulnerability is mitigated for
    those using the official ClamAV signature databases because the
    file type signatures in daily.cvd will not enable the EGG archive
    parser in versions affected by the vulnerability.

OBS-URL: https://build.opensuse.org/request/show/821356
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=207

clamav-0.102.3.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ed3050c4569989ee7ab54c7b87246b41ed808259632849be0706467442dc0693
-size 13226108

clamav-0.102.3.tar.gz.sig

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJeuqCcAAoJEPE/nha8pb+tUXsP/Rq7nf3Z8JA/cakdVVqh1qPq
-rr3+aHXgCK55exapNl/e3rXshqqXyDX0NFH+REf7yb1LArM6W89hZdY4WIcEJ6kt
-FF2UpJTWKmLCQ69uTYUxs3vdN3UjmcRA5AVv4CPevANCY9y8+iNju+HDKlb9fFVC
-aS2wdRNNIARI3C38STt3dYnhi1IHaK2vbld8a9MTN0BYPqFhFtPJjCkUTAG5J0yP
-+BQlN/aqtZpQZblY1Bl/um6lTgizdcBikWJ28YxDPCVoWpVuUwDL10hQwtpL9WBB
-ijmA5YuG4t6aHr+VcuFXa90DWnclGHhrNkA3+Pdaa0U/IUI+J8gZQnlEsXL+s67G
-SPaLvKqLPRRN3h8gSfhMzhBCra6l+MMJX/IgGG+yNgxMl7dp72KflCHk54aF6/XG
-LUEIiRvrbiVRh3YyAXJevAluXd8egwIDdE+QPlrZUHE205q8pCDUNYsBV5vYW0Vg
-Drn2swhmXvFhlon/1QLBUqcsfrDNUlq3HhLonNRAuiwJ4162oZSajigfQPgeoUzU
-OF8jm7iNNmq6sjh1huGOKreMxCn0oV3z7nT2UV5ecWpXFGBqe9tiXAg0VL8FBsJN
-yijWJW4X6s3WD3SsjLORubCZ9lwGzG0+q2NlsojZDjdVcP7wk+3IZi+N4bdi46ud
-sF6hgdqC/vPnL7zEHxRJ
-=ecNL
------END PGP SIGNATURE-----

clamav-0.102.4.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eebd426a68020ecad0d2084b8c763e6898ccfd5febcae833d719640bb3ff391b
+size 13234444

clamav-0.102.4.tar.gz.sig

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJfD5GjAAoJEPE/nha8pb+tICwP/jLhv1LzuxcvHxxbjWK14+SQ
+rY9DazbS7yxnCR62Esy/kbiyjq/EWTLGmWH1U95T1dde+RfBI5dUpcNVvgx2gO+f
+tXn4Y9kdN/Zuu6QgD8aqgJ9+jwgdkaoh2a5DpBYM58dsjQuDfPMR61QWMUJBag36
+0g9XniENUiTS/a4Sff1U58tnHoj0VM9R6Zf7NktscomeQ7yy3g7ShPAttdcGVje6
+CECoeZFUO0C8YlgRqBC7O1d3xYusjUeudaYcVu0toeieRK8t2Imbl3XzYmb5T4sK
+ZY7ORRPE+z4mT3zaJ+zOrk6mZROUKjt1tgWG4TJEl/tDaQJrJnp8AJpfBtmn8EzP
+MAeHyeKF1wNH8cQJzQoZUgaz+mJvVCUWlzRNLaZqi65TZwmxRMF8EPFx5sBPbf/S
+bp1fS7NThOTBucjFoZmD6j09YTW1Qs/Zk17naPS61oOReZXdTaojeZoLa+l+JJk/
+Ds6D5TMu+qIAGGGhN70KYsHfH6EmnaDcoUQjUs1nAQ8p+1r7oHhaZFBuhWGZstak
+eoTO6jr7KjvwpkkQ+lSeOE+G/sNwZ2PktCVZ8y5S40U8JbWYr6TBBbGwbqSeNckc
+ZZkP5Uh/8E6Z9TfoeuXwbHcEG2XQtYjtuDG3JWwAOEk8RpEjqz7E0rjkG4DEHQma
+SuDZ2RZq4zwHaZEIA9ja
+=K+Ht
+-----END PGP SIGNATURE-----

clamav-disable-timestamps.patch

@@ -82,4 +82,4 @@ Index: configure
 +_ACEOF
  
  
- VERSION="0.102.3"
+ VERSION="0.102.4"

clamav.changes

@@ -1,3 +1,27 @@
+-------------------------------------------------------------------
+Thu Jul 16 20:02:03 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
+
+- Update to 0.102.4
+  * CVE-2020-3350: Fix a vulnerability wherein a malicious user could
+    replace a scan target's directory with a symlink to another path
+    to trick clamscan, clamdscan, or clamonacc into removing or moving
+    a different file (eg. a critical system file). The issue would
+    affect users that use the --move or --remove options for clamscan,
+    clamdscan, and clamonacc.
+  * CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing
+    module in ClamAV 0.102.3 that could cause a Denial-of-Service
+    (DoS) condition. Improper bounds checking results in an
+    out-of-bounds read which could cause a crash. The previous fix for
+    this CVE in 0.102.3 was incomplete. This fix correctly resolves
+    the issue.
+  * CVE-2020-3481: Fix a vulnerability in the EGG archive module in
+    ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS)
+    condition. Improper error handling may result in a crash due to a
+    NULL pointer dereference. This vulnerability is mitigated for
+    those using the official ClamAV signature databases because the
+    file type signatures in daily.cvd will not enable the EGG archive
+    parser in versions affected by the vulnerability.
+
 -------------------------------------------------------------------
 Tue May 12 17:31:15 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
 

clamav.spec

@@ -19,7 +19,7 @@
 %define clamav_check --enable-check
 %bcond_with clammspack
 Name:           clamav
-Version:        0.102.3
+Version:        0.102.4
 Release:        0
 Summary:        Antivirus Toolkit
 License:        GPL-2.0-only
@@ -153,7 +153,7 @@ CFLAGS="$CFLAGS -DFP_64BIT"
 	--with-system-libmspack
 %endif
 
-make V=1 %?_smp_mflags
+%make_build
 
 %install
 %make_install
@@ -247,7 +247,7 @@ getent passwd vscan >/dev/null || \
 %service_add_pre clamd.service freshclam.service clamav-milter.service
 
 %post
-systemd-tmpfiles --create %_tmpfilesdir/clamav.conf
+%tmpfiles_create %_tmpfilesdir/clamav.conf
 %service_add_post clamd.service freshclam.service clamav-milter.service
 
 %preun