Accepting request 1239891 from security

Add missing bug and CVE references

- New version 1.4.2:
  * CVE-2025-20128, bsc#1236307: Fixed a possible buffer overflow
    read bug in the OLE2 file parser that could cause a
    denial-of-service (DoS) condition.  

    (bsc#1103032: CVE-2018-14679)
- Update to 0.103.7 (bsc#1202986)
    (the clamscan --gen-json option) is enabled. (bsc#1194731)
    clamdscan, and clamonacc. (bsc#1174255)
    parser in versions affected by the vulnerability. (bsc#1174250)
    a crash. (bsc#1171981)
  * CVE-2012-6706 (bsc#1045315)
  * CVE-2017-6419 (bsc#1052449)
  * CVE-2017-11423 (bsc#1049423)
  * CVE-2018-0202 (bsc#1083915)
- Update to version 0.99.1 (bsc#969814)
    (bnc#906770, CVE-2014-9050)

OBS-URL: https://build.opensuse.org/request/show/1239891
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/clamav?expand=0&rev=129
Ana Guerrero 2025-01-23 17:03:00 +00:00 committed by Git OBS Bridge
commit fb4c75ee8e
6 changed files with 40 additions and 30 deletions

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:a318e780ac39a6b3d6c46971382f96edde97ce48b8e361eb80e63415ed416ad8
size 50078871

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=6wKd
-----END PGP SIGNATURE-----

clamav-1.4.2.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:8c92f8ade2a8f2c9d6688d1d63ee57f6caf965d74dce06d0971c6709c8e6c04c
size 50096874

clamav-1.4.2.tar.gz.sig Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=o+0+
-----END PGP SIGNATURE-----

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Jan 22 17:50:49 UTC 2025 - Reinhard Max <max@suse.com>
- New version 1.4.2:
* CVE-2025-20128, bsc#1236307: Fixed a possible buffer overflow
read bug in the OLE2 file parser that could cause a
denial-of-service (DoS) condition.
-------------------------------------------------------------------
Fri Jan 10 13:00:11 UTC 2025 - Reinhard Max <max@suse.com>
@ -197,12 +205,13 @@ Wed Feb 15 17:26:43 UTC 2023 - Arjen de Korte <suse+build@de-korte.org>
and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.
(bsc#1208365)
* Update vendored libmspack library to version 0.11alpha.
(bsc#1103032: CVE-2018-14679)
- Package huge .html documentation in a separate subpackage.
-------------------------------------------------------------------
Fri Aug 5 06:42:21 UTC 2022 - ecsos <ecsos@opensuse.org>
- Update to 0.103.7
- Update to 0.103.7 (bsc#1202986)
- Zip parser: tolerate 2-byte overlap in file entries
- Fix bug with logical signature Intermediates feature
- Update to UnRAR v6.1.7
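Review bot: The reference added under the libmspack 0.11alpha item is written "(bsc#1103032: CVE-2018-14679)", with a colon between bug and CVE, while other entries in this file separate the two with a comma, for example "(bnc#906770, CVE-2014-9050)" and "CVE-2025-20128, bsc#1236307". Suggest using the comma form here as well so that anyone grepping the changelog for bug/CVE pairs sees one pattern. It also sits on its own continuation line, whereas the bsc#1202986 reference in the same hunk is appended inline to its item; picking one placement would make the entries easier to scan.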
@ -255,7 +264,7 @@ Wed Jan 12 21:04:58 UTC 2022 - Arjen de Korte <suse+build@de-korte.org>
* CVE-2022-20698: Fix for invalid pointer read that may cause a crash.
This issue affects 0.104.1, 0.103.4 and prior when ClamAV is compiled
with libjson-c and the CL_SCAN_GENERAL_COLLECT_METADATA scan option
(the clamscan --gen-json option) is enabled.
(the clamscan --gen-json option) is enabled. (bsc#1194731)
* Fixed ability to disable the file size limit with libclamav C API,
like this:
@ -522,7 +531,7 @@ Thu Jul 16 20:02:03 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
to trick clamscan, clamdscan, or clamonacc into removing or moving
a different file (eg. a critical system file). The issue would
affect users that use the --move or --remove options for clamscan,
clamdscan, and clamonacc.
clamdscan, and clamonacc. (bsc#1174255)
* CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing
module in ClamAV 0.102.3 that could cause a Denial-of-Service
(DoS) condition. Improper bounds checking results in an
@ -535,7 +544,7 @@ Thu Jul 16 20:02:03 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
NULL pointer dereference. This vulnerability is mitigated for
those using the official ClamAV signature databases because the
file type signatures in daily.cvd will not enable the EGG archive
parser in versions affected by the vulnerability.
parser in versions affected by the vulnerability. (bsc#1174250)
-------------------------------------------------------------------
Tue May 12 17:31:15 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
@ -549,7 +558,7 @@ Tue May 12 17:31:15 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
ClamAV 0.101 - 0.102.2 that could cause a Denial-of-Service (DoS)
condition. Improper size checking of a buffer used to initialize AES
decryption routines results in an out-of-bounds read which may cause
a crash.
a crash. (bsc#1171981)
* Fix "Attempt to allocate 0 bytes" error when parsing some PDF
documents.
* Fix a couple of minor memory leaks.
@ -830,11 +839,11 @@ Thu Apr 26 15:35:15 UTC 2018 - max@suse.com
Wed Mar 7 13:15:11 UTC 2018 - max@suse.com
- Update to security release 0.99.4 (bsc#1083915):
* CVE-2012-6706
* CVE-2017-6419
* CVE-2017-11423
* CVE-2012-6706 (bsc#1045315)
* CVE-2017-6419 (bsc#1052449)
* CVE-2017-11423 (bsc#1049423)
* CVE-2018-1000085 (bsc#1082858)
* CVE-2018-0202
* CVE-2018-0202 (bsc#1083915)
- Obsolete patches:
* clamav-CVE-2012-6706.patch
* clamav-gcc47.patch
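Review bot: In the 0.99.4 entry, bsc#1083915 now appears twice: on the "Update to security release 0.99.4 (bsc#1083915):" header and on the CVE-2018-0202 line. If that bug tracks CVE-2018-0202 specifically, the per-CVE reference is sufficient and the header reference is redundant; if it tracks the release as a whole, CVE-2018-0202 still has no bug of its own. Worth stating which is meant so each CVE maps to exactly one bug, as the other four CVE lines in this list do.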
@ -998,7 +1007,7 @@ Fri Jun 17 10:07:51 UTC 2016 - martin.liska@suse.com
-------------------------------------------------------------------
Thu Mar 3 11:30:10 UTC 2016 - ecsos@opensuse.org
- Update to version 0.99.1
- Update to version 0.99.1 (bsc#969814)
* hwp5.x: fix for streams without names
* libclamav: yara: avoid unaliged access to 64bit variable
* patch by Mark Allan to add show-progress option to freshclam.
@ -1181,6 +1190,7 @@ Wed Nov 19 14:54:58 UTC 2014 - max@suse.com
* Resolution of many of the warning messages from ClamAV
compilation.
* Improved detection of malicious PE files.
(bnc#906770, CVE-2014-9050)
* Security fix for ClamAV crash when using 'clamscan -a'.
* Security fix for ClamAV crash when scanning maliciously
crafted yoda's crypter files (bnc#906077, CVE-2013-6497).
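Review bot: The added "(bnc#906770, CVE-2014-9050)" line lands between "Improved detection of malicious PE files." and "Security fix for ClamAV crash when using 'clamscan -a'.", so as a continuation line it reads as belonging to the PE detection item, which is not described as a security fix. The following item shows the convention already used in this entry: the reference is inline at the end of the item it belongs to, "(bnc#906077, CVE-2013-6497)". Suggest appending the new reference to the item that actually describes the CVE-2014-9050 fix rather than leaving it on a line of its own.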

@ -33,7 +33,7 @@
%global confdir %_prefix%_sysconfdir
Name: clamav
Version: 1.4.1
Version: 1.4.2
Release: 0
Summary: Antivirus Toolkit
License: GPL-2.0-only