diff --git a/clamav-fips.patch b/clamav-fips.patch
new file mode 100644
index 0000000..796abc4
--- /dev/null
+++ b/clamav-fips.patch
@@ -0,0 +1,12 @@
+--- libclamav/crypto.c.orig
++++ libclamav/crypto.c
+@@ -145,6 +145,9 @@ int cl_initialize_crypto(void)
+ ERR_load_crypto_strings();
+ #endif
+
++ /* avoid fips issues */
++ EVP_add_digest(EVP_md5());
++
+ return 0;
+ }
+
diff --git a/clamav.changes b/clamav.changes
index a321da8..5eb72f5 100644
--- a/clamav.changes
+++ b/clamav.changes
@@ -1,3 +1,20 @@
+-------------------------------------------------------------------
+Thu Nov 12 11:02:09 UTC 2020 - Dominique Leuenberger
+
+- Do not hard-depend on systemd: use systemd_ordering instead of
+ systemd_requires.
+
+-------------------------------------------------------------------
+Tue Nov 10 16:44:57 UTC 2020 - Reinhard Max
+
+- Sync Factory to SLE-15 to implement jsc#ECO-3010 and bsc#1118459.
+- bsc#1119353, clamav-fips.patch: Fix freshclam crash in FIPS mode.
+- Keep OBS from installing an existing clamav instance to scan the
+ sources, because this makes "make check" use the old library
+ instead of the just built one. This is only a workaround until
+ we found a way to keep libtool from adding libdir to rpath and
+ LD_LIBRARY_PATH of the binaries in the testsuite.
+
 -------------------------------------------------------------------
 Mon Sep 14 17:39:16 UTC 2020 - Arjen de Korte 
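Review bot: In clamav-fips.patch the result of `EVP_add_digest(EVP_md5());` is discarded, and the comment `/* avoid fips issues */` does not say which issue is meant or why registering a non-approved digest is acceptable on a FIPS-mode host. If registration fails, the later digest lookup presumably fails the same way that crashed freshclam (bsc#1119353 per the changelog). I would check the call, e.g. `if (!EVP_add_digest(EVP_md5())) return -1;`, provided callers of cl_initialize_crypto act on a non-zero return. The comment should name the bug and state what MD5 is used for here, something like `/* bsc#1119353: register MD5 explicitly so digest lookups succeed in FIPS mode; used for <purpose - confirm>, not as a FIPS-approved primitive */`. The body of cl_initialize_crypto starts outside the inner hunk, so its error convention is not visible and should be confirmed first.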
@@ -112,11 +129,11 @@ Thu Dec 19 15:31:58 UTC 2019 - Dominique Leuenberger Wed Nov 20 19:01:10 UTC 2019 - Arjen de Korte - update to 0.102.1 - * CVE-2019-15961: A Denial-of-Service (DoS) vulnerability may - occur when scanning a specially crafted email file as a result - of excessively long scan times. The issue is resolved by - implementing several maximums in parsing MIME messages and by - optimizing use of memory allocation. + * CVE-2019-15961, bsc#1157763: A Denial-of-Service (DoS) + vulnerability may occur when scanning a specially crafted email + file as a result of excessively long scan times. The issue is + resolved by implementing several maximums in parsing MIME + messages and by optimizing use of memory allocation. * Build system fixes to build clamav-milter, to correctly link with libxml2 when detected, and to correctly detect fanotify for on-access scanning feature support. diff --git a/clamav.spec b/clamav.spec index b69ddb0..9746d6a 100644 --- a/clamav.spec +++ b/clamav.spec @@ -37,6 +37,7 @@ Patch1: clamav-conf.patch Patch4: clamav-disable-timestamps.patch Patch5: clamav-obsolete-config.patch Patch6: clamav-disable-yara.patch +Patch12: clamav-fips.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: bc @@ -58,6 +59,13 @@ BuildRequires: systemd-rpm-macros #BuildRequires: valgrind BuildRequires: zlib-devel BuildRequires: pkgconfig(libsystemd) +# +# Workaround to keep "make check" from using an existing libclamav +# instead of the just built one. This should rather be fixed +# by keeping libtool from adding libdir to rpath and LD_LIBRARY_PATH +# of the test binaries. +# +#!BuildIgnore: clamav Requires(pre): %_bindir/awk Requires(pre): %_sbindir/groupadd Requires(pre): %_sbindir/useradd @@ -67,7 +75,7 @@ Requires(pre): /bin/tar Obsoletes: clamav-db < 0.88.3 Provides: clamav-nodb = %version Obsoletes: clamav-nodb <= 0.98.4 -%systemd_requires +%systemd_ordering %if %{without clammspack} BuildRequires: libmspack-devel %endif 
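Review bot: The `#!BuildIgnore: clamav` workaround in the `@@ -58,6 +59,13 @@` hunk of clamav.spec only protects builds on OBS. By the comment's own description, a build on any host that already has libclamav installed would still run "make check" against the old library. That matters because the test run could then pass without exercising the new clamav-fips.patch code. I would extend the comment with the tracking reference for the libtool rpath/LD_LIBRARY_PATH fix, e.g. `# Remove once <bug id> is fixed.`, and consider having the check step fail when the test binaries do not resolve to the just-built library.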
@@ -125,6 +133,7 @@ that want to make use of libclamav. %patch4 %patch5 %patch6 +%patch12 %build CFLAGS="-fstack-protector"