Accepting request 1239891 from security

Add missing bug and CVE references

- New version 1.4.2:
  * CVE-2025-20128, bsc#1236307: Fixed a possible buffer overflow
    read bug in the OLE2 file parser that could cause a
    denial-of-service (DoS) condition.  

    (bsc#1103032: CVE-2018-14679)
- Update to 0.103.7 (bsc#1202986)
    (the clamscan --gen-json option) is enabled. (bsc#1194731)
    clamdscan, and clamonacc. (bsc#1174255)
    parser in versions affected by the vulnerability. (bsc#1174250)
    a crash. (bsc#1171981)
  * CVE-2012-6706 (bsc#1045315)
  * CVE-2017-6419 (bsc#1052449)
  * CVE-2017-11423 (bsc#1049423)
  * CVE-2018-0202 (bsc#1083915)
- Update to version 0.99.1 (bsc#969814)
    (bnc#906770, CVE-2014-9050)

OBS-URL: https://build.opensuse.org/request/show/1239891
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/clamav?expand=0&rev=129

clamav-1.4.1.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a318e780ac39a6b3d6c46971382f96edde97ce48b8e361eb80e63415ed416ad8
-size 50078871

clamav-1.4.1.tar.gz.sig

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIcBAABAgAGBQJm12IWAAoJEMzg39Iewam/rIQQAKv+zANPKfIta+VJRKkD0Wxa
-LJGDBKKifqyM1HiR+YxGMUuElgmpRvozfZ7ifBGvz/IxjPmUag/BNfOl4JVsSAnL
-WsOhUMSEYxLtpJUywFakI58O/yDSvYlpzfcks0nAIjfeQkhTz0vqqYlyEXR7aDCe
-G/5yOGJtuwAiKclgLCTwqlevZ15ff+3z/UIJ9yAfqM9WPXPQA/lJk1Mp1FmIwVfw
-T/0p8kJJj4Z8aH+jXqOXrKnw9L4Acig3axSneN8QcL5tNosMAQOxhkQuYc6g4V+h
-vDX7N3G5UdPo6jpGoF8NmLu2VFGfWEymBzftMqYZ84Jli9t9RGN8UBEueGERjMsh
-9/3NSAdxeDlR5ELB565a+x/pIOOjovERZdXs9UW8U8NXPeDnIuTTFnqip3e21OGY
-WP3ioP85ixzLFDfZVTaLN97ym2+STiPt+KN7QBEUW0cP/wJFlEcXgRHyY3uQ/iET
-grCTApBuNdOzzgm9lSka653AexhaFTAXtp4NJ5xXThQcFzJ+urDAc6LfPzyknHDx
-+lfI5bMeW9I6E7CbkFOELqInzAk6uMZFxbp4Qte8so3GFdCTPtFVTbS4v+Ctx3oi
-r6oIEFLzhbbNz8lX4JrmXTO1WLiy8uoS4xCEEpITAG9iDvPZ2N7iaTiBgI1B4jNN
-W/t/iIUkO7udL0eyZBzF
-=6wKd
------END PGP SIGNATURE-----

clamav-1.4.2.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8c92f8ade2a8f2c9d6688d1d63ee57f6caf965d74dce06d0971c6709c8e6c04c
+size 50096874

clamav-1.4.2.tar.gz.sig

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIcBAABAgAGBQJnkAuXAAoJEMzg39Iewam/iYcP/RqYKxmYSbtVwDVSwWrzOHdr
+yMuwD63vKE4WjtqELwbCn2jEif0IGtVaZPGe+oEE1e53laSqRrsiJYJEMzl6Vg6i
+Q9CI2IXOvJUnPxzAZqnAi2vK5+c6s6oZDOsRGxRFCt5WvihbhzYNdiw2wuQKgHkx
+cPkLQYflq4FnkxOWKpn8YhD73W1ulT1/WdV9YGo5I1ni5jBVH+hPYS+/weqLOBtt
+TSzuypJG2TqYhjAWLnkrwwsVtMJYliYLpE/+u5enT4fpo5yvEqY5ozglLhYMUe8B
+77731e8T9i8Z7o7c46MjmtfVD1jqBcnE3oKhumT30yBEVoC09A5NnKGmNZGroh4Y
+Z4lRgEM3TqjFAj3X8mkOvUj3geMlN5o3omFAKtra2zzoHo4PxU1b3waU7NUqHu+n
+zLfEZTv9obRsD+Bk8xJCrDHHN+BptjDItsu36i69uPSLjE5vIik9q5wIz7Il/YqB
+tmLHnkTYiqs788vgVd8hNCKc9uT7GsCSrw0pbs3RlJDD+r+xoM20jgxU/1S1VoT7
+VFq1CBp04Tp+nrm6SfDzo9I1WNoPwJsSvaqdE+QyX/q0oveofNQ1hoLCj0JvSvdf
+oBYmVNhDoMmQoM59/wt5mtv3PJu55TGYvS7h1jkFEQbM9JFy8U94ULJSDXzwRcXl
+fFWGJjJ2kfpT6IZIpGMj
+=o+0+
+-----END PGP SIGNATURE-----

clamav.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Jan 22 17:50:49 UTC 2025 - Reinhard Max <max@suse.com>
+
+- New version 1.4.2:
+  * CVE-2025-20128, bsc#1236307: Fixed a possible buffer overflow
+    read bug in the OLE2 file parser that could cause a
+    denial-of-service (DoS) condition.  
+
 -------------------------------------------------------------------
 Fri Jan 10 13:00:11 UTC 2025 - Reinhard Max <max@suse.com>
 
@@ -197,12 +205,13 @@ Wed Feb 15 17:26:43 UTC 2023 - Arjen de Korte <suse+build@de-korte.org>
     and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.
     (bsc#1208365)
   * Update vendored libmspack library to version 0.11alpha.
+    (bsc#1103032: CVE-2018-14679)
 - Package huge .html documentation in a separate subpackage.
 
 -------------------------------------------------------------------
 Fri Aug  5 06:42:21 UTC 2022 - ecsos <ecsos@opensuse.org>
 
-- Update to 0.103.7
+- Update to 0.103.7 (bsc#1202986)
   - Zip parser: tolerate 2-byte overlap in file entries
   - Fix bug with logical signature Intermediates feature
   - Update to UnRAR v6.1.7
@@ -255,7 +264,7 @@ Wed Jan 12 21:04:58 UTC 2022 - Arjen de Korte <suse+build@de-korte.org>
   * CVE-2022-20698: Fix for invalid pointer read that may cause a crash.
     This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled
     with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option
-    (the clamscan --gen-json option) is enabled.
+    (the clamscan --gen-json option) is enabled. (bsc#1194731)
   * Fixed ability to disable the file size limit with libclamav C API,
     like this:
 
@@ -522,7 +531,7 @@ Thu Jul 16 20:02:03 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
     to trick clamscan, clamdscan, or clamonacc into removing or moving
     a different file (eg. a critical system file). The issue would
     affect users that use the --move or --remove options for clamscan,
-    clamdscan, and clamonacc.
+    clamdscan, and clamonacc. (bsc#1174255)
   * CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing
     module in ClamAV 0.102.3 that could cause a Denial-of-Service
     (DoS) condition. Improper bounds checking results in an
@@ -535,7 +544,7 @@ Thu Jul 16 20:02:03 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
     NULL pointer dereference. This vulnerability is mitigated for
     those using the official ClamAV signature databases because the
     file type signatures in daily.cvd will not enable the EGG archive
-    parser in versions affected by the vulnerability.
+    parser in versions affected by the vulnerability. (bsc#1174250)
 
 -------------------------------------------------------------------
 Tue May 12 17:31:15 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
@@ -549,7 +558,7 @@ Tue May 12 17:31:15 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
     ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS)
     condition. Improper size checking of a buffer used to initialize AES
     decryption routines results in an out-of-bounds read which may cause
-    a crash.
+    a crash. (bsc#1171981)
   * Fix "Attempt to allocate 0 bytes" error when parsing some PDF
     documents.
   * Fix a couple of minor memory leaks.
@@ -830,11 +839,11 @@ Thu Apr 26 15:35:15 UTC 2018 - max@suse.com
 Wed Mar  7 13:15:11 UTC 2018 - max@suse.com
 
 - Update to security release 0.99.4 (bsc#1083915):
-  * CVE-2012-6706
+  * CVE-2012-6706 (bsc#1045315)
-  * CVE-2017-6419
+  * CVE-2017-6419 (bsc#1052449)
-  * CVE-2017-11423
+  * CVE-2017-11423 (bsc#1049423)
   * CVE-2018-1000085 (bsc#1082858)
-  * CVE-2018-0202
+  * CVE-2018-0202 (bsc#1083915)
 - Obsolete patches:
   * clamav-CVE-2012-6706.patch
   * clamav-gcc47.patch
@@ -998,7 +1007,7 @@ Fri Jun 17 10:07:51 UTC 2016 - martin.liska@suse.com
 -------------------------------------------------------------------
 Thu Mar  3 11:30:10 UTC 2016 - ecsos@opensuse.org
 
-- Update to version 0.99.1
+- Update to version 0.99.1 (bsc#969814)
  * hwp5.x: fix for streams without names
  * libclamav: yara: avoid unaliged access to 64bit variable
  * patch by Mark Allan to add show-progress option to freshclam.
@@ -1181,6 +1190,7 @@ Wed Nov 19 14:54:58 UTC 2014 - max@suse.com
   * Resolution of many of the warning messages from ClamAV
     compilation.
   * Improved detection of malicious PE files.
+    (bnc#906770, CVE-2014-9050)
   * Security fix for ClamAV crash when using 'clamscan -a'.
   * Security fix for ClamAV crash when scanning maliciously
     crafted yoda's crypter files (bnc#906077, CVE-2013-6497).

clamav.spec

@@ -33,7 +33,7 @@
 %global confdir %_prefix%_sysconfdir
 
 Name:           clamav
-Version:        1.4.1
+Version:        1.4.2
 Release:        0
 Summary:        Antivirus Toolkit
 License:        GPL-2.0-only