[Bug 767574] New: ClamAV 0.97.5 addresses possible evasion cases in some archive formats and stability issues in bytecode engine
https://bugzilla.novell.com/show_bug.cgi?id=767574
https://bugzilla.novell.com/show_bug.cgi?id=767574#c0

           Summary: ClamAV 0.97.5 addresses possible evasion cases in some archive formats and stability issues in bytecode engine
    Classification: openSUSE
           Product: openSUSE 12.1
           Version: Final
          Platform: All
        OS/Version: openSUSE 12.1
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
        AssignedTo: security-team@suse.de
        ReportedBy: Andreas.Stieger@gmx.de
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
From http://lurker.clamav.net/message/20120613.184156.a6c0b933.en.html
ClamAV 0.97.5 addresses possible evasion cases in some archive formats (CVE-2012-1457, CVE-2012-1458, CVE-2012-1459). It also addresses stability issues in portions of the bytecode engine. This release is recommended for all users.

openSUSE 11.4 and 12.1 have 0.97.3.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=767574#c1

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |max@suse.com,
                   |                            |toganm@dinamizm.com

--- Comment #1 from Andreas Stieger <Andreas.Stieger@gmx.de> 2012-06-18 22:34:25 UTC ---
Cc package maintainers from OBS. I might send a SR and OBS maintenance request soon.
https://bugzilla.novell.com/show_bug.cgi?id=767574#c2

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
         AssignedTo|security-team@suse.de       |Andreas.Stieger@gmx.de

--- Comment #2 from Andreas Stieger <Andreas.Stieger@gmx.de> 2012-06-19 00:56:43 UTC ---
Fix to security / clamav here: https://build.opensuse.org/request/show/125380

Will follow up with OBS maintenance request.
https://bugzilla.novell.com/show_bug.cgi?id=767574#c3

Reinhard Max <max@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de

--- Comment #3 from Reinhard Max <max@suse.com> 2012-06-19 09:22:40 CEST ---
Thanks for taking care of the update.

Last night I noticed that the virus database was finally removed from the upstream tarball. I had been suggesting that for the last eight years and upstream always rejected it.

I think I'll drop the clamav-db package completely now, because in most cases the data either is already there (when updating) or outdated (when installing ClamAV for the first time). The init script already prints out a warning when the files aren't there, and we could get a step further and run freshclam in one-shot mode at that point.

Another option would be to make clamav-db a separate source package that gets rebuilt on a daily basis and uses a source service to keep the database files up to date.

Opinions?
https://bugzilla.novell.com/show_bug.cgi?id=767574#c4

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |maint:running:47919:moderate

--- Comment #4 from Swamp Workflow Management <swamp@suse.de> 2012-06-19 08:10:17 UTC ---
The SWAMPID for this issue is 47919.
This issue was rated as moderate.
Please submit fixed packages until 2012-07-03.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
https://bugzilla.novell.com/show_bug.cgi?id=767574#c5

Andreas Stieger <Andreas.Stieger@gmx.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|Andreas.Stieger@gmx.de      |security-team@suse.de

--- Comment #5 from Andreas Stieger <Andreas.Stieger@gmx.de> 2012-06-19 08:22:51 UTC ---
Here we go then: maintenance request against 11.4 and 12.1, with patchinfo prepared: https://build.opensuse.org/request/show/125394

I think for the release update, adding the .cvd files is more succinct. The -db package may be reviewed or split to be built separately. I could imagine a use-case for users that want to have definitions for a device that is offline otherwise, e.g. sneaker-net or where old definitions are better than none.
https://bugzilla.novell.com/show_bug.cgi?id=767574#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:47919:moderate|maint:running:47919:moderate
                   |                            |obs:running:560:important
https://bugzilla.novell.com/show_bug.cgi?id=767574#c6

--- Comment #6 from Reinhard Max <max@suse.com> 2012-06-19 11:00:46 CEST ---
(In reply to comment #5)
> Here we go then: maintenance request against 11.4 and 12.1,

Thanks.

> with patchinfo prepared:

FYI: for security updates, the security team takes care of the patchinfo.

> I think for the release update, adding the .cvd files is more succinct.

That doesn't make much sense to me, because usually newer virus definitions are already in place at the time when the update arrives. AFAIK we even skipped the -db package from updates in the past and only released the new binaries.

> I could imagine a use-case for users that want to have definitions for a device that is offline otherwise, e.g. sneaker-net

I guess that case is so rare that I'd rather bother such users with having to get the files manually than bothering all others with huge RPMs that they don't really need.

Security team, what do you think?
https://bugzilla.novell.com/show_bug.cgi?id=767574#c7

--- Comment #7 from Ludwig Nussel <lnussel@suse.com> 2012-06-19 11:05:17 CEST ---
I don't really have an opinion. I'm not sure whether it's technically feasible to drop subpackages in an update. It may make sense to have clamav-db empty except for some %ghost entries that cause removal of the db on package removal. Calling freshclam _by default_ in the initscript probably isn't such a good idea though as it requires network access which might not be available.
https://bugzilla.novell.com/show_bug.cgi?id=767574#c8

--- Comment #8 from Andreas Stieger <Andreas.Stieger@gmx.de> 2012-06-19 09:12:35 UTC ---
> > I think for the release update, adding the .cvd files is more succinct.
>
> That doesn't make much sense to me, because usually newer virus definitions are already in place at the time when the update arrives. AFAIK we even skipped the -db package from updates in the past and only released the new binaries.

I agree that updated definitions will already be in place in most cases. However adding the files makes the package behave like the one initially released which is desirable for a released openSUSE version. (It also makes the spec file change easier to review.) I would be concerned about changing the behaviour of a package in a non-trivial way.

For the update, the -db subpackage is not required and I agree that it should be left out. I think the only place where the -db should be removed is Factory / clamav and security / clamav.
https://bugzilla.novell.com/show_bug.cgi?id=767574#c9

--- Comment #9 from Reinhard Max <max@suse.com> 2012-06-19 11:36:56 CEST ---
(In reply to comment #7)
> I'm not sure whether it's technically feasible to drop subpackages in an update.

Should need more than adding "Obsoletes: clamav-db" to the main package.

> It may make sense to have clamav-db empty except for some %ghost entries that cause removal of the db on package removal.

That's not an issue, because the files that are contained in clamav-db never get used directly. The -db package contains them with .dist appended to the file name and copies them to their canonical location in %post. The main package contains %ghost entries for those names, so the database already goes away with the main package regardless whether it was installed with the -db package, with freshclam or manually.

> Calling freshclam _by default_ in the initscript probably isn't such a good idea though as it requires network access which might not be available.

Well, I guess in most cases we can expect network access to be available, so why not try to fetch the files and only complain to the user if it fails instead of always complaining even if auto-fetching would be possible.

(In reply to comment #8)
> I agree that updated definitions will already be in place in most cases. However adding the files makes the package behave like the one initially released which is desirable for a released openSUSE version.

The behaviour of the main package won't change, just the -db package would cease to exist.

> (It also makes the spec file change easier to review.)

For me it is more important to keep the spec file identical across all products for which I have to prepare ClamAV updates. That's how I did it for the last years.

> I would be concerned about changing the behaviour of a package in a non-trivial way.

The only change that I think would qualify as non-trivial would be the auto-fetching in the init script, and I don't insist on that one.
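The init-script behaviour debated in comments #3, #7 and #9 (warn when the signature databases are missing, optionally try a one-shot freshclam run, and only complain when that also fails because there is no network), written out as an added example. This is not code from the bug thread or from the openSUSE clamav package; the database directory, the FRESHCLAM_CMD override, the requirement that both main and daily be present, and the return codes are assumptions made for the example.

```shell
# Added example, not the openSUSE clamav init script.
# Assumptions: CLAMAV_DB_DIR is the database directory; FRESHCLAM_CMD is the
# one-shot fetch command and can be overridden so the check can be exercised
# on a host without freshclam or network access.
CLAMAV_DB_DIR="${CLAMAV_DB_DIR:-/var/lib/clamav}"
FRESHCLAM_CMD="${FRESHCLAM_CMD:-freshclam --quiet}"

# clamav_db_present DIR
# Returns 0 only if both the main and the daily database exist in DIR.
# freshclam may leave either the compressed .cvd or the unpacked .cld form,
# so either one counts.
clamav_db_present() {
    dir="$1"
    for base in main daily; do
        [ -f "$dir/$base.cvd" ] || [ -f "$dir/$base.cld" ] || return 1
    done
    return 0
}

# ensure_clamav_db DIR [AUTO_FETCH]
# Return codes (assumed for this example):
#   0  databases present, possibly after a successful fetch
#   1  databases missing and auto-fetch disabled: warn, as the init script does today
#   2  databases missing and the fetch attempt failed, e.g. no network
ensure_clamav_db() {
    dir="$1"
    auto_fetch="${2:-no}"

    if clamav_db_present "$dir"; then
        return 0
    fi

    if [ "$auto_fetch" != "yes" ]; then
        echo "warning: no virus database in $dir; run freshclam to fetch one" >&2
        return 1
    fi

    echo "no virus database in $dir, trying a one-shot freshclam run" >&2
    # FRESHCLAM_CMD is deliberately unquoted so that "freshclam --quiet" splits
    # into command and option; --datadir is a real freshclam option.
    if $FRESHCLAM_CMD --datadir="$dir" && clamav_db_present "$dir"; then
        return 0
    fi
    echo "warning: fetching the virus database failed (no network?); run freshclam manually before starting clamd" >&2
    return 2
}
```

With auto-fetch off the function only warns, which matches the current init script; with it on, a failed fetch is reported instead of silently proceeding, which addresses the no-network concern from comment #7 without making the daemon start depend on the network.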
https://bugzilla.novell.com/show_bug.cgi?id=767574#c10

--- Comment #10 from Reinhard Max <max@suse.com> 2012-06-19 11:38:05 CEST ---
(In reply to comment #9)
> Should need more than adding "Obsoletes: clamav-db" to the main package.

s/Should/Shouldn't/
https://bugzilla.novell.com/show_bug.cgi?id=767574#c11

--- Comment #11 from Bernhard Wiedemann <bwiedemann@suse.com> 2012-06-19 23:00:08 CEST ---
This is an autogenerated message for OBS integration:
This bug (767574) was mentioned in
https://build.opensuse.org/request/show/125471 Factory / clamav
https://bugzilla.novell.com/show_bug.cgi?id=767574#c14

--- Comment #14 from Bernhard Wiedemann <bwiedemann@suse.com> 2012-07-02 12:00:09 CEST ---
This is an autogenerated message for OBS integration:
This bug (767574) was mentioned in
https://build.opensuse.org/request/show/126882 Evergreen:11.2 / clamav
https://bugzilla.novell.com/show_bug.cgi?id=767574#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:47919:moderate|maint:running:47919:moderate
                   |obs:running:560:important   |
https://bugzilla.novell.com/show_bug.cgi?id=767574#c15

--- Comment #15 from Swamp Workflow Management <swamp@suse.de> 2012-07-04 07:10:31 UTC ---
openSUSE-SU-2012:0833-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 767574
CVE References: CVE-2012-1457,CVE-2012-1458,CVE-2012-1459
Sources used:
openSUSE 12.1 (src):    clamav-0.97.5-4.1
openSUSE 11.4 (src):    clamav-0.97.5-10.1
https://bugzilla.novell.com/show_bug.cgi?id=767574#c16

--- Comment #16 from Bernhard Wiedemann <bwiedemann@suse.com> 2012-07-05 17:00:08 CEST ---
This is an autogenerated message for OBS integration:
This bug (767574) was mentioned in
https://build.opensuse.org/request/show/127196 Evergreen:11.2 / clamav
https://bugzilla.novell.com/show_bug.cgi?id=767574#c17

Sebastian Krahmer <krahmer@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #17 from Sebastian Krahmer <krahmer@suse.com> 2012-07-10 12:03:29 UTC ---
done
https://bugzilla.novell.com/show_bug.cgi?id=767574#c18

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:47919:moderate|maint:running:47919:moderate
                   |                            |maint:released:sle10-sp3:47922

--- Comment #18 from Swamp Workflow Management <swamp@suse.de> 2012-07-10 15:08:42 UTC ---
Update released for: clamav, clamav-db, clamav-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
https://bugzilla.novell.com/show_bug.cgi?id=767574#c19

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:47919:moderate  |maint:running:47919:moderate
                   |maint:released:sle10-sp3:47922|maint:released:sle10-sp3:47922
                   |                              |maint:released:sle11-sp1:47921

--- Comment #19 from Swamp Workflow Management <swamp@suse.de> 2012-07-10 15:33:00 UTC ---
Update released for: clamav, clamav-db, clamav-debuginfo, clamav-debugsource
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
https://bugzilla.novell.com/show_bug.cgi?id=767574#c20

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:47919:moderate  |maint:running:47919:moderate
                   |maint:released:sle10-sp3:47922|maint:released:sle10-sp3:47922
                   |maint:released:sle11-sp1:47921|maint:released:sle11-sp1:47921
                   |                              |maint:released:sles9-sp3-teradata:47920

--- Comment #20 from Swamp Workflow Management <swamp@suse.de> 2012-07-10 16:09:14 UTC ---
Update released for: clamav, clamav-db
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
https://bugzilla.novell.com/show_bug.cgi?id=767574#c21

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                                |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:47919:moderate           |maint:running:47919:moderate
                   |maint:released:sle10-sp3:47922         |maint:released:sle10-sp3:47922
                   |maint:released:sle11-sp1:47921         |maint:released:sle11-sp1:47921
                   |maint:released:sles9-sp3-teradata:47920|maint:released:sle10-sp4:47923

--- Comment #21 from Swamp Workflow Management <swamp@suse.de> 2012-07-10 16:09:25 UTC ---
Update released for: clamav, clamav-db, clamav-debuginfo
Products:
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
https://bugzilla.novell.com/show_bug.cgi?id=767574#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:47919:moderate  |maint:released:sle10-sp3:47922
                   |maint:released:sle10-sp3:47922|maint:released:sle11-sp1:47921
                   |maint:released:sle11-sp1:47921|maint:released:sle10-sp4:47923
                   |maint:released:sle10-sp4:47923|