Accepting request 689824 from security

- Update to version 0.101.2 (bsc#1130721)
  * CVE-2019-1787:
    An out-of-bounds heap read condition may occur when scanning PDF
    documents. The defect is a failure to correctly keep track of the number
    of bytes remaining in a buffer when indexing file data.
  * CVE-2019-1789:
    An out-of-bounds heap read condition may occur when scanning PE files
    (i.e. Windows EXE and DLL files) that have been packed using Aspack as a
    result of inadequate bound-checking.
  * CVE-2019-1788:
    An out-of-bounds heap write condition may occur when scanning OLE2 files
    such as Microsoft Office 97-2003 documents. The invalid write happens when
    an invalid pointer is mistakenly used to initialize a 32bit integer to
    zero. This is likely to crash the application.
  * CVE-2019-1786:
    An out-of-bounds heap read condition may occur when scanning malformed
    PDF documents as a result of improper bounds-checking.
  * CVE-2019-1785:
    A path-traversal write condition may occur as a result of improper
    input validation when scanning RAR archives.
  * CVE-2019-1798:
    A use-after-free condition may occur as a result of improper error
    handling when scanning nested RAR archives.
- added clamav-max_patch.patch to fix build
- dropped clamav-freshclam-exit.patch

- Update to version 0.101.1:
  * Add missing headers to fix build of packages against libclamav.
- Add missing include for str.h to libclamav/others_common.c
  (clamav-str-h.patch)

OBS-URL: https://build.opensuse.org/request/show/689824
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/clamav?expand=0&rev=97

clamav-0.100.2.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4a2e4f0cd41e62adb5a713b4a1857c49145cd09a69957e6d946ecad575206dd6
-size 15926420

clamav-0.100.2.tar.gz.sig

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJbq9rVAAoJEPE/nha8pb+tWtAQAIoac5u7/0ys8qxcVvE/e2R/
-JCZOkCc1BoVonc8yV9z/cn9/CFMoWq/n/pDZyCDKHU5x4rU+FuC1YolaoAyrF1Qi
-bx6byEg36+EPj/bz9Gp7C13oPAnNSN5vNU1Tpdgz57zxTZ+91aO9SWWiQuIRHZxa
-uNgjvUt55bhIRl6RggrCl1nmvL9OOyA0Vco0BdPZMUj/+hHMfmFHCWLwVzg8LbGq
-DJEKDkxoHXXg77zOAb49VozRKcfLtIPKwpu1JD6HxQwEhPvadc+PyVRbmfhhfrfx
-uFX/HXXSTo23zlgPFXG5K/GPhss8yUbviDZfduxXJENJwuHYvflMPZ5PMyECpTIR
-Kd3Kg6UkFyfUg1AsKx141cRyA8xI+pSCnjHee0rMDRifdCChwMFVrEG/YDmgxA3a
-ehrljZylEaTiT71LwA3RIB8DvTvCfBtRU7HgWsY5+fytPmf3XvugzI/A6c1rPcWs
-nmmvVwc6LInSqFqdEOOqxyOnKNgt+0qmLWHtM0g7Uqo/jfTZGMy1tdMfhSAtER7L
-oqL/r8Ul+/UfbGvbIpS8tWE/KAzQyCJ4wUjyHEGmbWgn1OTyFB8M7EJVXRbrECAP
-cMB6tpORPzNt4ReAsEHhHLE0d4GWuuG29HF8qH+wWspEWCSzXbGZ6zNrGkhFqDvN
-ae/hne2V6DXACNdcQWpG
-=ah8h
------END PGP SIGNATURE-----

clamav-0.101.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0a12ebdf6ff7a74c0bde2bdc2b55cae33449e6dd953ec90824a9e01291277634
+size 21722932

clamav-0.101.2.tar.gz.sig

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJcinEPAAoJEPE/nha8pb+t9c8P/RD394ZqBL+EcSSG/XTEq8pm
+pKUl70vDDOXbJuTUjxONFO60JcPK2uVrvBlWUsQejH7636ruuslHqwNjloBuKxkb
+j7SCFO7dVW7doi9p4eiItBk0KroJvzsTU2k3IojeeJRDfKU6eVhtSwjMWVbHs5XY
+UaRekwzrJl0K0xO/6TPDAt9K2bLsdXTCQwVCGyxDhtrAP90fpLeIR50EpVPs+a1/
+3xfLjdcJthszTtm4CefPhhQ6jkT/qg8ZAhVMoR+sUf83x2CncouV61A7FzpWmoZj
+WLHddHl8v68K8As/PNQwoA/YkPBqugLM8VsUaR2nBzmQVO+Gk9wY9m7LCPux1fWc
+3WVDhhVSUry7UgtY1J/8kYioShnX4I1ohWm6rEzCoWJFQmfQoDnp2wfTtz8fsq1x
+2JkwKNgj/rt/y04rgFLnouZGLfz1UMaaUYsWF0cCsr2r42DoWkq976cxM+KnTxna
+dgZkzudqmi1ph9OAu+cHnlmzMVeet7S3mKCMT/mACpAUGwE/xlAFv2L/6bm5yKtP
+I5sEyAvOfEb5NnrIcmR/SJAT3PQnqEPrDUNY8M+rAn9vXKTl+nhlcp14ZYh4ZMQL
+1uzMsK2HlnNUMHwTCj64Exvq22wwHqL4zuEQvFr4w0s8peY8BHw3S3mxxLABg1b0
+Fj0HUMDjH3TALfIXf80m
+=lLJG
+-----END PGP SIGNATURE-----

clamav-conf.patch

@@ -140,7 +140,7 @@
  
  # Stop daemon when libclamav reports out of memory condition.
  #ExitOnOOM yes
-@@ -598,6 +594,10 @@ Example
+@@ -613,6 +609,10 @@ Example
  ##
  ## On-access Scan Settings
  ##
@@ -197,7 +197,7 @@
  
  # Use DNS to verify virus database version. Freshclam uses DNS TXT records
  # to verify database and software versions. With this directive you can change
-@@ -132,7 +128,7 @@ DatabaseMirror database.clamav.net
+@@ -127,7 +123,7 @@ DatabaseMirror database.clamav.net
  
  # Send the RELOAD command to clamd.
  # Default: no

clamav-disable-timestamps.patch

@@ -27,7 +27,7 @@
        strncat(buf, "WARNING: sizeof(fp_digit) == sizeof(fp_word), this build is likely to not work properly.\n", 
 --- configure.orig
 +++ configure
-@@ -801,6 +801,7 @@ FGREP
+@@ -812,6 +812,7 @@ FGREP
  SED
  LIBTOOL
  LIBCLAMAV_VERSION
@@ -35,24 +35,24 @@
  EGREP
  GREP
  CPP
-@@ -903,6 +904,7 @@ ac_user_opts='
+@@ -922,6 +923,7 @@ ac_user_opts='
  enable_option_checking
- enable_silent_rules
  enable_dependency_tracking
+ enable_silent_rules
 +enable_timestamps
  enable_static
  enable_shared
  with_pic
-@@ -1619,6 +1621,8 @@ Optional Features:
-   --disable-dependency-tracking
-                           speeds up one-time build
+@@ -1641,6 +1643,8 @@ Optional Features:
+   --enable-silent-rules   less verbose build output (undo: "make V=1")
+   --disable-silent-rules  verbose build output (undo: "make V=0")
    --enable-static[=PKGS]  build static libraries [default=no]
 +  --enable-timestamps     Enable embedding timestamp information in build
 +                          (default is YES)
    --enable-shared[=PKGS]  build shared libraries [default=yes]
    --enable-fast-install[=PKGS]
                            optimize for fast installation [default=yes]
-@@ -5219,6 +5223,26 @@ $as_echo "$ac_cv_safe_to_define___extens
+@@ -5923,6 +5927,26 @@ $as_echo "$ac_cv_safe_to_define___extens
  
    $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h
  
@@ -78,4 +78,4 @@
 +_ACEOF
  
  
- VERSION="0.100.2"
+ VERSION="0.101.2"

clamav-disable-yara.patch

@@ -29,7 +29,7 @@
  # ----------- clamd tests --------------------------------------------------------
 --- configure.orig
 +++ configure
-@@ -24324,6 +24324,7 @@ if test "$enable_yara" = "yes"; then
+@@ -28446,6 +28446,7 @@ if test "$enable_yara" = "yes"; then
  
  $as_echo "#define HAVE_YARA 1" >>confdefs.h
  

clamav-freshclam-exit.patch

@@ -1,15 +0,0 @@
---- freshclam/freshclam.c.orig
-+++ freshclam/freshclam.c
-@@ -714,6 +714,12 @@ main (int argc, char **argv)
-             execute ("OnErrorExecute", opt->strarg, opts);
-     }
- 
-+    if (ret == FC_UPTODATE)
-+    {
-+	/* Restore exit code compatibility with ClamAV < 0.100.0 */
-+	ret = 0;
-+    }
-+
-     if (pidfile)
-     {
-         unlink (pidfile);

clamav-max_patch.patch

@@ -0,0 +1,11 @@
+--- libclamav/others_common.c.orig
++++ libclamav/others_common.c
+@@ -855,7 +855,7 @@
+     size_t sanitized_index   = 0;
+     char* sanitized_filepath = NULL;
+ 
+-    if((NULL == filepath) || (0 == filepath_len) || (MAX_PATH < filepath_len)) {
++    if((NULL == filepath) || (0 == filepath_len) || (PATH_MAX < filepath_len)) {
+         goto done;
+     }
+ 

clamav-obsolete-config.patch

@@ -1,6 +1,6 @@
 --- shared/optparser.c.orig
 +++ shared/optparser.c
-@@ -505,6 +505,13 @@ const struct clam_option __clam_options[
+@@ -517,6 +517,13 @@ const struct clam_option __clam_options[
      { "ClamukoExcludeUID", NULL, 0, CLOPT_TYPE_NUMBER, MATCH_NUMBER, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_DEPRECATED, "", "" },
      { "ClamukoMaxFileSize", NULL, 0, CLOPT_TYPE_SIZE, MATCH_SIZE, 5242880, NULL, 0, OPT_CLAMD | OPT_DEPRECATED, "", "" },
      { "AllowSupplementaryGroups", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER | OPT_DEPRECATED, "Initialize a supplementary group access (the process must be started by root).", "no" },

clamav-str-h.patch

@@ -0,0 +1,10 @@
+--- libclamav/others_common.c.orig
++++ libclamav/others_common.c
+@@ -54,6 +54,7 @@
+ #endif
+ 
+ #include "clamav.h"
++#include "str.h"
+ #include "others.h"
+ #include "platform.h"
+ #include "regex/regex.h"

clamav.changes

@@ -1,3 +1,41 @@
+-------------------------------------------------------------------
+Wed Mar 27 17:30:05 UTC 2019 - Andrey Karepin <egdfree@opensuse.org>
+
+- Update to version 0.101.2 (bsc#1130721)
+  * CVE-2019-1787:
+    An out-of-bounds heap read condition may occur when scanning PDF
+    documents. The defect is a failure to correctly keep track of the number
+    of bytes remaining in a buffer when indexing file data.
+  * CVE-2019-1789:
+    An out-of-bounds heap read condition may occur when scanning PE files
+    (i.e. Windows EXE and DLL files) that have been packed using Aspack as a
+    result of inadequate bound-checking.
+  * CVE-2019-1788:
+    An out-of-bounds heap write condition may occur when scanning OLE2 files
+    such as Microsoft Office 97-2003 documents. The invalid write happens when
+    an invalid pointer is mistakenly used to initialize a 32bit integer to
+    zero. This is likely to crash the application.
+  * CVE-2019-1786:
+    An out-of-bounds heap read condition may occur when scanning malformed
+    PDF documents as a result of improper bounds-checking.
+  * CVE-2019-1785:
+    A path-traversal write condition may occur as a result of improper
+    input validation when scanning RAR archives.
+  * CVE-2019-1798:
+    A use-after-free condition may occur as a result of improper error
+    handling when scanning nested RAR archives.
+
+- added clamav-max_patch.patch to fix build
+- dropped clamav-freshclam-exit.patch
+
+-------------------------------------------------------------------
+Mon Jan 21 17:30:15 UTC 2019 - Reinhard Max <max@suse.com>
+
+- Update to version 0.101.1:
+  * Add missing headers to fix build of packages against libclamav.
+- Add missing include for str.h to libclamav/others_common.c
+  (clamav-str-h.patch)
+
 -------------------------------------------------------------------
 Thu Oct  4 09:04:01 UTC 2018 - Reinhard Max <max@suse.com>
 

clamav.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package clamav
 #
-# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,14 +16,16 @@
 #
 
 
+%bcond_with clammspack
+
 %define clamav_check --enable-check
 Name:           clamav
-Version:        0.100.2
+Version:        0.101.2
 Release:        0
 Summary:        Antivirus Toolkit
 License:        GPL-2.0-only
 Group:          Productivity/Security
-URL:            http://www.clamav.net
+Url:            http://www.clamav.net
 Source0:        http://www.clamav.net/downloads/production/%name-%version.tar.gz
 Source1:        http://www.clamav.net/downloads/production/%name-%version.tar.gz.sig
 Source4:        clamav-rpmlintrc
@@ -36,14 +38,20 @@ Patch1:         clamav-conf.patch
 Patch4:         clamav-disable-timestamps.patch
 Patch5:         clamav-obsolete-config.patch
 Patch6:         clamav-disable-yara.patch
-Patch7:         clamav-freshclam-exit.patch
+Patch7:         clamav-str-h.patch
+#PATCH-FIX-UPSTREAM clamav-max_patch.patch
+Patch8:         clamav-max_patch.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  bc
 BuildRequires:  check-devel
+BuildRequires:  gcc-c++
 BuildRequires:  libbz2-devel
 BuildRequires:  libcurl-devel
 BuildRequires:  libjson-c-devel
+%if %{without clammspack}
+BuildRequires:  libmspack-devel
+%endif
 BuildRequires:  libopenssl-devel
 BuildRequires:  libtool
 BuildRequires:  libxml2-devel
@@ -78,11 +86,11 @@ provides numerous file format detection mechanisms, file unpacking
 support, archive support, and multiple signature languages for
 detecting threats.
 
-%package -n libclamav7
+%package -n libclamav9
 Summary:        ClamAV antivirus engine runtime
 Group:          System/Libraries
 
-%description -n libclamav7
+%description -n libclamav9
 ClamAV is an antivirus engine designed for detecting trojans,
 viruses, malware and other malicious threats.
 
@@ -97,7 +105,7 @@ viruses, malware and other malicious threats.
 %package devel
 Summary:        Development files for libclamav, an antivirus engine
 Group:          Development/Libraries/C and C++
-Requires:       libclamav7 = %version
+Requires:       libclamav9 = %version
 
 %description devel
 ClamAV is an antivirus engine designed for detecting trojans,
@@ -113,6 +121,7 @@ that want to make use of libclamav.
 %patch5
 %patch6
 %patch7
+%patch8
 
 %build
 CFLAGS="-fstack-protector"
@@ -135,7 +144,10 @@ CFLAGS="$CFLAGS -DFP_64BIT"
 	--enable-clamdtop \
 	--disable-zlib-vcheck \
 	--disable-timestamps \
-	--disable-yara
+	--disable-yara \
+%if %{without clammspack}
+	--with-system-libmspack
+%endif
 
 make V=1 %?_smp_mflags
 
@@ -150,8 +162,8 @@ find %buildroot -type f -name "*.la" -delete -print
 
 # libclammspack is not meant to be linked against by anything but
 # libclamav
-rm %buildroot%_libdir/pkgconfig/libclammspack.pc
-rm %buildroot%_libdir/libclammspack.so
+rm -f %buildroot%_libdir/pkgconfig/libclammspack.pc
+rm -f %buildroot%_libdir/libclammspack.so
 
 # fix the new config file names
 pushd %buildroot%_sysconfdir
@@ -181,8 +193,8 @@ done
 VALGRIND_GENSUP=1 make check
 %endif
 
-%post   -n libclamav7 -p /sbin/ldconfig
-%postun -n libclamav7 -p /sbin/ldconfig
+%post   -n libclamav9 -p /sbin/ldconfig
+%postun -n libclamav9 -p /sbin/ldconfig
 %post -n libclammspack0 -p /sbin/ldconfig
 %postun -n libclammspack0 -p /sbin/ldconfig
 
@@ -194,7 +206,7 @@ VALGRIND_GENSUP=1 make check
 %_unitdir/clamav-milter.service
 %_tmpfilesdir
 %license COPYING*
-%doc docs/*.pdf docs/html
+%doc docs/html/*
 %_mandir/*/*
 %_bindir/*
 %_sbindir/*
@@ -203,11 +215,13 @@ VALGRIND_GENSUP=1 make check
 %dir /var/lib/clamav
 %ghost %attr(755,vscan,vscan) /run/clamav
 
-%files -n libclamav7
-%_libdir/libclam*.so.7*
+%files -n libclamav9
+%_libdir/libclam*.so.9*
 
+%if %{with clammspack}
 %files -n libclammspack0
 %_libdir/libclammspack.so.0*
+%endif
 
 %files devel
 %_libdir/pkgconfig/*