- Update to version 0.101.2
* CVE-2019-1787:
An out-of-bounds heap read condition may occur when scanning PDF
documents. The defect is a failure to correctly keep track of the number
of bytes remaining in a buffer when indexing file data.
* CVE-2019-1789:
An out-of-bounds heap read condition may occur when scanning PE files
(i.e. Windows EXE and DLL files) that have been packed using Aspack as a
result of inadequate bound-checking.
* CVE-2019-1788:
An out-of-bounds heap write condition may occur when scanning OLE2 files
such as Microsoft Office 97-2003 documents. The invalid write happens when
an invalid pointer is mistakenly used to initialize a 32bit integer to
zero. This is likely to crash the application.
- added clamav-max_patch.patch to fix build
OBS-URL: https://build.opensuse.org/request/show/689169
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=181
* bsc#1110723, CVE-2018-15378: Vulnerability in ClamAV's MEW
unpacking feature that could allow an unauthenticated, remote
attacker to cause a denial of service (DoS) condition on an
affected device.
* bsc#1103040, CVE-2018-14680, CVE-2018-14681, CVE-2018-14682:
more fixes for embedded libmspack.
* Make freshclam more robust against lagging signature mirrors.
* On-Access "Extra Scanning", an opt-in minor feature of
OnAccess scanning on Linux systems, has been disabled due to a
known issue with resource cleanup OnAccessExtraScanning will
be re-enabled in a future release when the issue is
resolved. In the mean-time, users who enabled the feature in
clamd.conf will see a warning informing them that the feature
is not active. For details, see:
https://bugzilla.clamav.net/show_bug.cgi?id=12048
- Restore exit code compatibility of freshclam with versions before
0.100.0 when the virus database is already up to date
(bsc#1104457, clamav-freshclam-exit.patch).
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=177
- Update to version 0.100.1
* CVE-2017-16932: Vulnerability in libxml2 dependency (affects
ClamAV on Windows only).
* CVE-2018-0360: HWP integer overflow, infinite loop
vulnerability. Reported by Secunia Research at Flexera.
* CVE-2018-0361: ClamAV PDF object length check, unreasonably
long time to parse relatively small file. Reported by aCaB.
* Buffer over-read in unRAR code due to missing max value checks
in table initialization. Reported by Rui Reis.
* Libmspack heap buffer over-read in CHM parser. Reported by
Hanno Böck.
* Buffer length checks when reading integers from non-NULL
terminated strings.
* Buffer length tracking when reading strings from dictionary
objects.
* HTTPS support for clamsubmit.
* Fix for DNS resolution for users on IPv4-only machines where
IPv6 is not available or is link-local only. Patch provided by
Guilherme Benkenstein.
OBS-URL: https://build.opensuse.org/request/show/622505
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=168
the versions we have are too new and the performance gain over
the byte code interpreter are negligable, according to upstream.
- Put libclammspack0 into its own subpackage to follow the letter
of the shlib packaging policy, even though it really makes no
sense here.
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=166
* FIXME: Add upstream changes here before submitting to Factory.
* Obsoletes clamav-fix_newer_zlib.patch
- Update key ring and add signature file.
- Remove the logic around building the embedded llvm as the
system-wide llvm is now auto-detected and used.
- Move pc files from the main to the devel package.
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=161
- Update to security release 0.99.3 (bsc#1077732)
* CVE-2017-12376 (ClamAV Buffer Overflow in handle_pdfname Vulnerability)
* CVE-2017-12377 (ClamAV Mew Packet Heap Overflow Vulnerability)
* CVE-2017-12379 (ClamAV Buffer Overflow in messageAddArgument Vulnerability)
- these vulnerabilities could have allowed an unauthenticated,
remote attacker to cause a denial of service (DoS) condition
or potentially execute arbitrary code on an affected device.
* CVE-2017-12374 (ClamAV use-after-free Vulnerabilities)
* CVE-2017-12375 (ClamAV Buffer Overflow Vulnerability)
* CVE-2017-12378 (ClamAV Buffer Over Read Vulnerability)
* CVE-2017-12380 (ClamAV Null Dereference Vulnerability)
- these vulnerabilities could have allowed an unauthenticated,
remote attacker to cause a denial of service (DoS) condition on an affected device.
* CVE-2017-6420 (bsc#1052448)
- this vulnerability allowed remote attackers to cause a denial of service
(use-after-free) via a crafted PE file with WWPack compression.
* CVE-2017-6419 (bsc#1052449)
- ClamAV allowed remote attackers to cause a denial of service
(heap-based buffer overflow and application crash) or possibly
have unspecified other impact via a crafted CHM file.
* CVE-2017-11423 (bsc#1049423)
- The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha
allowed remote attackers to cause a denial of service
(stack-based buffer over-read and application crash) via a crafted CAB file.
* CVE-2017-6418 (bsc#1052466)
- ClamAV 0.99.2 allowed remote attackers to cause a denial
of service (out-of-bounds read) via a crafted e-mail message.
- drop clamav-0.99.2-openssl-1.1.patch (upstream)
OBS-URL: https://build.opensuse.org/request/show/569976
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=151
other bug fixes/improvements:
* Fix crash in upx decoder with crafted file. Discovered and
patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170.
* Fix infinite loop condition on crafted y0da cryptor
file. Identified and patch suggested by Sebastian Andrzej
Siewior. CVE-2015-2221.
* Fix crash on crafted petite packed file. Reported and patch
supplied by Sebastian Andrzej Siewior. CVE-2015-2222.
* Fix an infinite loop condition on a crafted "xz" archive file.
This was reported by Dimitri Kirchner and Goulven Guiheux.
CVE-2015-2668.
* Apply upstream patch for possible heap overflow in Henry
Spencer's regex library. CVE-2015-2305.
* Fix false negatives on files within iso9660 containers. This
issue was reported by Minzhuan Gong.
* Fix a couple crashes on crafted upack packed file. Identified
and patches supplied by Sebastian Andrzej Siewior.
* Fix a crash during algorithmic detection on crafted PE file.
Identified and patch supplied by Sebastian Andrzej Siewior.
* Fix compilation error after ./configure --disable-pthreads.
Reported and fix suggested by John E. Krokes.
* Fix segfault scanning certain HTML files. Reported with sample
by Kai Risku.
* Improve detections within xar/pkg files.
* Improvements to PDF processing: decryption, escape sequence
handling, and file property collection.
* Scanning/analysis of additional Microsoft Office 2003 XML
format.
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=117
* bsc#916217, CVE-2015-1461: Remote attackers can have
unspecified impact via Yoda's crypter or mew packer files.
* bsc#916214, CVE-2015-1462: Unspecified impact via acrafted upx
packer file.
* bsc#916215, CVE-2015-1463: Remote attackers can cause a denial
of service via a crafted petite packer file.
* bsc#915512, CVE-2014-9328: heap out of bounds condition with
crafted upack packer files.
- Obsoletes clamav-soname.patch
OBS-URL: https://build.opensuse.org/package/show/security/clamav?expand=0&rev=115
