Accepting request 848312 from security

Add missing bug references.

- Do not hard-depend on systemd: use systemd_ordering instead of
  systemd_requires.
- Sync Factory to SLE-15 to implement jsc#ECO-3010 and bsc#1118459.
- bsc#1119353, clamav-fips.patch: Fix freshclam crash in FIPS mode.

OBS-URL: https://build.opensuse.org/request/show/848312
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/clamav?expand=0&rev=110

clamav-fips.patch

@@ -0,0 +1,12 @@
+--- libclamav/crypto.c.orig
++++ libclamav/crypto.c
+@@ -145,6 +145,9 @@ int cl_initialize_crypto(void)
+     ERR_load_crypto_strings();
+ #endif
+ 
++    /* avoid fips issues */
++    EVP_add_digest(EVP_md5());
++
+     return 0;
+ }
+ 

clamav.changes

@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Thu Nov 12 11:02:09 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Do not hard-depend on systemd: use systemd_ordering instead of
+  systemd_requires.
+
+-------------------------------------------------------------------
+Tue Nov 10 16:44:57 UTC 2020 - Reinhard Max <max@suse.com>
+
+- Sync Factory to SLE-15 to implement jsc#ECO-3010 and bsc#1118459.
+- bsc#1119353, clamav-fips.patch: Fix freshclam crash in FIPS mode.
+- Keep OBS from installing an existing clamav instance to scan the
+  sources, because this makes "make check" use the old library
+  instead of the just built one. This is only a workaround until
+  we found a way to keep libtool from adding libdir to rpath and
+  LD_LIBRARY_PATH of the binaries in the testsuite.
+
 -------------------------------------------------------------------
 Mon Sep 14 17:39:16 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
 
@@ -112,11 +129,11 @@ Thu Dec 19 15:31:58 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
 Wed Nov 20 19:01:10 UTC 2019 - Arjen de Korte <suse+build@de-korte.org>
 
 - update to 0.102.1
-  * CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may
-    occur when scanning a specially crafted email file as a result
-    of excessively long scan times. The issue is resolved by
-    implementing several maximums in parsing MIME messages and by
-    optimizing use of memory allocation.
+  * CVE-2019-15961, bsc#1157763: A Denial-of-Service (DoS)
+    vulnerability may occur when scanning a specially crafted email
+    file as a result of excessively long scan times. The issue is
+    resolved by implementing several maximums in parsing MIME
+    messages and by optimizing use of memory allocation.
   * Build system fixes to build clamav-milter, to correctly link
     with libxml2 when detected, and to correctly detect fanotify
     for on-access scanning feature support.

clamav.spec

@@ -37,6 +37,7 @@ Patch1:         clamav-conf.patch
 Patch4:         clamav-disable-timestamps.patch
 Patch5:         clamav-obsolete-config.patch
 Patch6:         clamav-disable-yara.patch
+Patch12:        clamav-fips.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bc
@@ -58,6 +59,13 @@ BuildRequires:  systemd-rpm-macros
 #BuildRequires:  valgrind
 BuildRequires:  zlib-devel
 BuildRequires:  pkgconfig(libsystemd)
+#
+# Workaround to keep "make check" from using an existing libclamav
+# instead of the just built one. This should rather be fixed
+# by keeping libtool from adding libdir to rpath and LD_LIBRARY_PATH
+# of the test binaries.
+#
+#!BuildIgnore:    clamav
 Requires(pre):  %_bindir/awk
 Requires(pre):  %_sbindir/groupadd
 Requires(pre):  %_sbindir/useradd
@@ -67,7 +75,7 @@ Requires(pre):  /bin/tar
 Obsoletes:      clamav-db < 0.88.3
 Provides:       clamav-nodb = %version
 Obsoletes:      clamav-nodb <= 0.98.4
-%systemd_requires
+%systemd_ordering
 %if %{without clammspack}
 BuildRequires:  libmspack-devel
 %endif
@@ -125,6 +133,7 @@ that want to make use of libclamav.
 %patch4
 %patch5
 %patch6
+%patch12
 
 %build
 CFLAGS="-fstack-protector"