From d2b70b567ce3bd11fe4afa5ab475bcaefe0252a98dcd74b23a37838ef828485c Mon Sep 17 00:00:00 2001 
From: Reinhard Max
Date: Tue, 9 Feb 2021 14:32:05 +0000
Subject: [PATCH] Accepting request 869944 from home:adkorte:branches:security

- Update to 0.103.1
  * Added a new scan option to alert on broken media (graphics) file formats. This feature mitigates the risk of malformed media files intended to exploit vulnerabilities in other software. At present media validation exists for JPEG, TIFF, PNG, and GIF files. To enable this feature, set AlertBrokenMedia yes in clamd.conf, or use the --alert-broken-media option when using clamscan. These options are disabled by default in this patch release, but may be enabled in a subsequent release. Application developers may enable this scan option by enabling CL_SCAN_HEURISTIC_BROKEN_MEDIA for the heuristic scan option bit field.
  * Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF, PNG typing behavior. BMP and JPEG 2000 files will continue to detect as CL_TYPE_GRAPHICS because ClamAV does not yet have BMP or JPEG 2000 format checking capabilities.
  * Fixed PNG parser logic bugs that caused an excess of parsing errors and fixed a stack exhaustion issue affecting some systems when scanning PNG files. PNG file type detection was disabled via signature database update for ClamAV version 0.103.0 to mitigate the effects from these bugs.
  * Fixed an issue where PNG and GIF files no longer work with Target:5 graphics signatures if detected as CL_TYPE_PNG/GIF rather than as CL_TYPE_GRAPHICS. Target types now support up to 10 possible file types to make way for additional graphics types in future releases.
  * Fixed clamonacc's --fdpass option.
    - Interprocess file descriptor passing for clamonacc was broken since version 0.102.0 due to a bug introduced by the switch to curl for communicating with clamd. On Linux, passing file descriptors from one process to another is handled by the kernel, so we reverted clamonacc to use standard system calls for socket communication when fd passing is enabled.
* Fixed a clamonacc stack corruption issue on some systems when using an older version of libcurl. * Allow clamscan and clamdscan scans to proceed even if the realpath lookup failed. This alleviates an issue on Windows scanning files hosted on file- systems that do not support the GetMappedFileNameW() API such as on ImDisk RAM-disks. * Fixed freshclam --on-update-execute=EXIT_1 temporary directory cleanup issue. * clamd's log output and VirusEvent now provide the scan target's file path instead of a file descriptor. The clamd socket API for submitting a scan by FD-passing doesn't include a file path, this feature works by looking up the file path by file descriptor. This feature works on Mac and Linux but is not yet implemented for other UNIX operating systems. FD-passing is not available for Windows. * Fixed an issue where freshclam database validation didn't work correctly when run in daemon mode on Linux/Unix. OBS-URL: https://build.opensuse.org/request/show/869944 OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=216 --- clamav-0.103.0.tar.gz | 3 -- clamav-0.103.0.tar.gz.sig | 16 ---------- clamav-0.103.1.tar.gz | 3 ++ clamav-0.103.1.tar.gz.sig | 16 ++++++++++ clamav-conf.patch | 2 +- clamav-disable-timestamps.patch | 2 +- clamav.changes | 53 +++++++++++++++++++++++++++++++++ clamav.spec | 4 +-- 8 files changed, 76 insertions(+), 23 deletions(-) delete mode 100644 clamav-0.103.0.tar.gz delete mode 100644 clamav-0.103.0.tar.gz.sig create mode 100644 clamav-0.103.1.tar.gz create mode 100644 clamav-0.103.1.tar.gz.sig diff --git a/clamav-0.103.0.tar.gz b/clamav-0.103.0.tar.gz deleted file mode 100644 index d52a3b2..0000000 --- a/clamav-0.103.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:32a9745277bfdda80e77ac9ca2f5990897418e9416880f3c31553ca673e80546 -size 13357078 diff --git a/clamav-0.103.0.tar.gz.sig b/clamav-0.103.0.tar.gz.sig deleted file mode 100644 index cb4c913..0000000 
--- a/clamav-0.103.0.tar.gz.sig +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIcBAABAgAGBQJfXhjDAAoJEPE/nha8pb+t6REP/3zOJuiijx9luneQ89YJbKa1 -F7FDGzmqm26B/jAeAZIrS8rRrpUHaKs9qI7vLgkX1gG5QJFrnDy1Lj26rJ82YZ08 -3HCkAScmxNqE7unI0Azyd034oYY/1+nWBipnrQe5oRVDuPF0EFxFrjqVSkXEJ264 -kZR/jXk+8ktLXKAjTw4B4Furmr8iWlRcrrDzISjZKIQtq7SkveiIbvhK98UcQKhK -KF4XhuPfw+qkUZTz6ImJTK9rO705E1wgKthyqE06ZIt858RtXyshE3SVHjZKdxFi -h1TxliYr5UxXVauJu7hjw5fwQFyE44QGK/PAFnOt7+aIE6ucQ3ErR6LAjz9xH3Xn -MK1yRmXql72IhB8b+JG6c8VneljqAqBg36Hh5G+qv0Yk90bUWE8aSxQ4MIljB3aU -OAl9+g6S+48W+v9z0cTzgS3FxHcFl18ulLEK4/ox8TJuq2XBKZZ8H5f2i59Ub2BJ -PDYrlTTamj+s/axRqATyHeqdfZB+11idZiLl+WauVl75NEwefVwZAa+Lv6cF6Poz -Wo28vPe2yyUu/RKUcMTNGD4KwUxC7oiY8vNEXje4tZop8QIzFQ6+F7VtlydA7eEj -GWr4+S8BZoudAlA11AE5ipI9ghsGQIONf+mn+e6/liVYeDI3nZlg4SP+25+ZKmWk -kDkn6ZmWUQaVScd5AFPy -=bhFw ------END PGP SIGNATURE----- diff --git a/clamav-0.103.1.tar.gz b/clamav-0.103.1.tar.gz new file mode 100644 index 0000000..d85cfbe --- /dev/null +++ b/clamav-0.103.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7308c47b89b268af3b9f36140528927a49ff3e633a9c9c0aac2712d81056e257 +size 13369791 diff --git a/clamav-0.103.1.tar.gz.sig b/clamav-0.103.1.tar.gz.sig new file mode 100644 index 0000000..0f3947a --- /dev/null +++ b/clamav-0.103.1.tar.gz.sig 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIcBAABAgAGBQJgGVyXAAoJEPE/nha8pb+tmvIP/2eluegyIzQ88Q0LJv/WTPpF +t02op8hnzbM/79gglU1bCdfuXLS9/OkT1QBM71xjndn/qN4/9gp7E3nd4dX+6MJB +YnfUx5atx6faxFs10hfVYrZBD/AYwtXlAAJpuEwB6iyJtDEUgBapQNGkeULuw2iO +gvuxDc7U8Tu+BjyDgPESxRtd6p5/3tMoXGhKTnYaOILEwveLgKvSJLv47d/Ew4EW +NU6m9erw4jumCm2qvkIyziZcjMSORiCGoyI9fXBWDADbXVTIYsOqSknshP3Om6He +lqNdrkok7pk6AsSY1PAepsPt6BT6n3MuZJKFU3/iHZLqqyL97Y/IaqzvSJj5q0++ +sy0ljsU88YIdV7bhJnN7khkpkq3DYsrZVg+nCyIoQ9iErNdwBWXGsgcclBSrwzDy +5UUz3MJvliqG9FKC5Va3BiHvK35d41Q99jZG0X9huSs+Atj0t1FkrOScnj+ZZd1E +OJKUYn7Pnb7asacJLOeCqCVuJaOsNSjidv1jtdwAEcOMbnwatHU0WVYlzqaxMpBh +WXXy0tR2Bpv7SjejV4F4LMNOux0v1gTogQ0iKRIk2FUtRpeLAXvnm3UrqB/bJyc+ +nx1s4+kUJo2PLhJN8XzbPpMEm5fymnPnuVQH5qjmJ6/WPxws+tKi0b4DuWOnlzxQ +r8r7QDor+YJ3F7BTPPay +=5QiJ +-----END PGP SIGNATURE----- diff --git a/clamav-conf.patch b/clamav-conf.patch index 5868d87..9d3cd3e 100644 --- a/clamav-conf.patch +++ b/clamav-conf.patch @@ -194,4 +194,4 @@ +NotifyClamd /etc/clamd.conf # Run command after successful database update. - # Default: disabled + # Use EXIT_1 to return 1 after successful database update. diff --git a/clamav-disable-timestamps.patch b/clamav-disable-timestamps.patch index 2038764..847ea86 100644 --- a/clamav-disable-timestamps.patch +++ b/clamav-disable-timestamps.patch @@ -82,4 +82,4 @@ Index: configure +_ACEOF - VERSION="0.103.0" + VERSION="0.103.1" diff --git a/clamav.changes b/clamav.changes index 5eb72f5..cac2ae7 100644 --- a/clamav.changes +++ b/clamav.changes 
@@ -1,3 +1,56 @@ +------------------------------------------------------------------- +Sat Feb 6 11:20:37 UTC 2021 - Arjen de Korte + +- Update to 0.103.1 + * Added a new scan option to alert on broken media (graphics) file + formats. This feature mitigates the risk of malformed media files + intended to exploit vulnerabilities in other software. At present + media validation exists for JPEG, TIFF, PNG, and GIF files. To + enable this feature, set AlertBrokenMedia yes in clamd.conf, or + use the --alert-broken-media option when using clamscan. These + options are disabled by default in this patch release, but may be + enabled in a subsequent release. Application developers may enable + this scan option by enabling CL_SCAN_HEURISTIC_BROKEN_MEDIA for + the heuristic scan option bit field. + * Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF, PNG typing + behavior. BMP and JPEG 2000 files will continue to detect as + CL_TYPE_GRAPHICS because ClamAV does not yet have BMP or JPEG + 2000 format checking capabilities. + * Fixed PNG parser logic bugs that caused an excess of parsing + errors and fixed a stack exhaustion issue affecting some systems + when scanning PNG files. PNG file type detection was disabled via + signature database update for ClamAV version 0.103.0 to mitigate + the effects from these bugs. + * Fixed an issue where PNG and GIF files no longer work with + Target:5 graphics signatures if detected as CL_TYPE_PNG/GIF rather + than as CL_TYPE_GRAPHICS. Target types now support up to 10 + possible file types to make way for additional graphics types in + future releases. + * Fixed clamonacc's --fdpass option. + - Interprocess file descriptor passing for clamonacc was broken + since version 0.102.0 due to a bug introduced by the switch to + curl for communicating with clamd. 
On Linux, passing file + descriptors from one process to another is handled by the + kernel, so we reverted clamonacc to use standard system calls + for socket communication when fd passing is enabled. + * Fixed a clamonacc stack corruption issue on some systems when + using an older version of libcurl. + * Allow clamscan and clamdscan scans to proceed even if the + realpath lookup failed. This alleviates an issue on Windows + scanning files hosted on file- systems that do not support the + GetMappedFileNameW() API such as on ImDisk RAM-disks. + * Fixed freshclam --on-update-execute=EXIT_1 temporary directory + cleanup issue. + * clamd's log output and VirusEvent now provide the scan target's + file path instead of a file descriptor. The clamd socket API for + submitting a scan by FD-passing doesn't include a file path, this + feature works by looking up the file path by file descriptor. + This feature works on Mac and Linux but is not yet implemented + for other UNIX operating systems. FD-passing is not available for + Windows. + * Fixed an issue where freshclam database validation didn't work + correctly when run in daemon mode on Linux/Unix. + ------------------------------------------------------------------- Thu Nov 12 11:02:09 UTC 2020 - Dominique Leuenberger diff --git a/clamav.spec b/clamav.spec index 9746d6a..77237a1 100644 --- a/clamav.spec +++ b/clamav.spec @@ -1,7 +1,7 @@ # # spec file for package clamav # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -19,7 +19,7 @@ %define clamav_check --enable-check %bcond_with clammspack Name: clamav -Version: 0.103.0 +Version: 0.103.1 Release: 0 Summary: Antivirus Toolkit License: GPL-2.0-only
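Review bot: the new clamav-0.103.1.tar.gz hunk is only a git-lfs pointer (oid sha256:7308c47b…, size 13369791), so nothing in this diff records that the uploaded archive was compared with the checksum upstream publishes for the 0.103.1 release; please state in the request that the oid matches the tarball fetched from the ClamAV release page, since the pointer alone proves only what was uploaded to OBS.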
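Review bot: clamav-0.103.1.tar.gz.sig is added alongside the tarball, but neither the commit message nor clamav.changes says the detached signature was verified against the ClamAV signing key. The signature is what lets a packager trust the source archive beyond the LFS hash, so note the verification in the request, or add the upstream public key as a keyring file next to the .sig so the check can run automatically on every update.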
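Review bot: the @@ -194,4 +194,4 @@ hunk in clamav-conf.patch swaps only the context line `# Default: disabled` for `# Use EXIT_1 to return 1 after successful database update.`, i.e. the nested patch's context was re-synced to the 0.103.1 sample config and no change to the actual `+NotifyClamd /etc/clamd.conf` line is made. Because only context changed, confirm the refreshed patch applies with zero fuzz against the new tarball; a context line that is one character off will silently fall back to fuzzy matching or fail in %prep.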
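Review bot: the @@ -82,4 +82,4 @@ hunk in clamav-disable-timestamps.patch only bumps the context line `VERSION="0.103.0"` to `VERSION="0.103.1"` under `Index: configure`; since the version string is embedded in the patch context, this file will need hand editing on every release. Consider regenerating the patch so its context does not include the VERSION line, or replacing it with a sed expression in %prep, so future version bumps touch only clamav.spec.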
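Review bot: the new clamav.changes entry contains a wrap artefact, `file- systems` in the realpath bullet, which should read `filesystems`; more importantly the entry reproduces only upstream's release notes and does not mention that clamav-conf.patch and clamav-disable-timestamps.patch were rebased for 0.103.1, which the two hunks above show. Add a line such as `- Refresh clamav-conf.patch and clamav-disable-timestamps.patch` so the changelog accounts for every file the request touches.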
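The release notes in this request describe the new broken-media alert, which validates JPEG, TIFF, PNG and GIF structure before other software parses the file. As an added illustration, not ClamAV's own parser or any code in this package, here is a minimal structural PNG check of the same kind, run over a constructed 1x1 image and two deliberately damaged copies:

```python
# Added illustration of a structural "broken media" check for PNG files, not
# ClamAV's parser: it walks the chunk list and reports defects such a heuristic alerts on.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_defects(data: bytes) -> list:
    """Return human-readable structural defects; an empty list means well-formed."""
    problems = []
    if not data.startswith(PNG_SIG):
        return ["bad PNG signature"]
    pos, seen_ihdr, seen_iend = len(PNG_SIG), False, False
    while pos < len(data):
        if len(data) - pos < 12:  # length(4) + type(4) + crc(4) is the minimum
            problems.append("truncated chunk header at offset %d" % pos)
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name, end = ctype.decode("latin-1"), pos + 8 + length + 4
        if length > 0x7FFFFFFF or end > len(data):
            problems.append("chunk %s length %d exceeds file" % (name, length))
            break
        body = data[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            problems.append("crc mismatch in %s" % name)
        if ctype == b"IHDR":
            seen_ihdr = True
            if pos != len(PNG_SIG) or length != 13:
                problems.append("IHDR not first or wrong size")
        elif ctype == b"IEND":
            seen_iend = True
            if end != len(data):
                problems.append("%d trailing bytes after IEND" % (len(data) - end))
            break
        pos = end
    if not seen_ihdr:
        problems.append("missing IHDR")
    if not seen_iend:
        problems.append("missing IEND")
    return problems

def chunk(ctype: bytes, body: bytes) -> bytes:
    # Build one chunk with a correct CRC; used only to construct the samples below.
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples (not from the page): a valid 1x1 grayscale PNG and two broken copies.
GOOD = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
        + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
TRUNCATED = GOOD[:-6]  # IEND chunk cut in half
CORRUPT = GOOD[:20] + bytes([GOOD[20] ^ 0xFF]) + GOOD[21:]  # byte flipped inside IHDR body
```

A scanner that alerts on these defects, as ClamAV's AlertBrokenMedia option does, flags a file before a more fragile image library ever decodes it.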