[Bug 767574] New: ClamAV 0.97.5 addresses possible evasion cases in some archive formats and stability issues in bytecode engine
https://bugzilla.novell.com/show_bug.cgi?id=767574#c0
Summary: ClamAV 0.97.5 addresses possible evasion cases in some archive formats and stability issues in bytecode engine
Classification: openSUSE
Product: openSUSE 12.1
Version: Final
Platform: All
OS/Version: openSUSE 12.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: Andreas.Stieger@gmx.de
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
From http://lurker.clamav.net/message/20120613.184156.a6c0b933.en.html
ClamAV 0.97.5 addresses possible evasion cases in some archive formats (CVE-2012-1457, CVE-2012-1458, CVE-2012-1459). It also addresses stability issues in portions of the bytecode engine. This release is recommended for all users.

openSUSE 11.4 and 12.1 have 0.97.3.

Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Andreas Stieger
--- Comment #2 from Andreas Stieger
--- Comment #3 from Reinhard Max
--- Comment #4 from Swamp Workflow Management
--- Comment #5 from Andreas Stieger
--- Comment #6 from Reinhard Max
> Here we go then: maintenance request against 11.4 and 12.1,

Thanks.

> with patchinfo prepared:

FYI: for security updates, the security team takes care of the patchinfo.

> I think for the release update, adding the .cvd files is more succinct.

That doesn't make much sense to me, because usually newer virus definitions are already in place at the time when the update arrives. AFAIK we even skipped the -db package from updates in the past and only released the new binaries.

> I could imagine a use-case for users that want to have definitions for a device that is offline otherwise, e.g. sneaker-net

I guess that case is so rare that I'd rather bother such users with having to get the files manually than bothering all others with huge RPMs that they don't really need. Security team, what do you think?
--- Comment #7 from Ludwig Nussel
--- Comment #8 from Andreas Stieger
> > I think for the release update, adding the .cvd files is more succinct.
>
> That doesn't make much sense to me, because usually newer virus definitions are already in place at the time when the update arrives. AFAIK we even skipped the -db package from updates in the past and only released the new binaries.

I agree that updated definitions will already be in place in most cases. However adding the files makes the package behave like the one initially released which is desirable for a released openSUSE version. (It also makes the spec file change easier to review.) I would be concerned about changing the behaviour of a package in a non-trivial way. For the update, the -db subpackage is not required and I agree that it should be left out. I think the only place where the -db should be removed is Factory / clamav and security / clamav.
--- Comment #9 from Reinhard Max
> I'm not sure whether it's technically feasible to drop subpackages in an update.

Should need more than adding "Obsoletes: clamav-db" to the main package.

> It may make sense to have clamav-db empty except for some %ghost entries that cause removal of the db on package removal.

That's not an issue, because the files that are contained in clamav-db never get used directly. The -db package contains them with .dist appended to the file name and copies them to their canonical location in %post. The main package contains %ghost entries for those names, so the database already goes away with the main package regardless whether it was installed with the -db package, with freshclam or manually.

> Calling freshclam _by default_ in the initscript probably isn't such a good idea though as it requires network access which might not be available.

Well, I guess in most cases we can expect network access to be available, so why not try to fetch the files and only complain to the user if it fails instead of always complaining even if auto-fetching would be possible.

(In reply to comment #8)

> I agree that updated definitions will already be in place in most cases. However adding the files makes the package behave like the one initially released which is desirable for a released openSUSE version.

The behaviour of the main package won't change, just the -db package would cease to exist.

> (It also makes the spec file change easier to review.)

For me it is more important to keep the spec file identical across all products for which I have to prepare ClamAV updates. That's how I did it for the last years.

> I would be concerned about changing the behaviour of a package in a non-trivial way.

The only change that I think would qualify as non-trivial would be the auto-fetching in the init script, and I don't insist on that one.
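As an added illustration of the packaging mechanism Reinhard describes in comment #9, the spec fragment below is example code written for this page; it is not the openSUSE clamav.spec and not part of the bug report. It shows a main package that lists the live database files as %ghost entries (owned, so they are removed with the main package, but never packaged, so a freshclam update is never overwritten by rpm), and an optional -db subpackage that ships the release-time definitions with a .dist suffix and copies them into place in %post. The database directory, the database file names, the binaries listed under %files and the existence check in the %post scriptlet are assumptions of this example; the commented Obsoletes line shows the alternative from comment #9/#10 of dropping the -db subpackage in an update.

```spec
# Example spec fragment, not the openSUSE clamav.spec. Paths, file names
# and the %files list are assumed for illustration.
%define dbdir /var/lib/clamav

Name:           clamav
Version:        0.97.5
Release:        0
Summary:        Antivirus toolkit
License:        GPL-2.0
Group:          Productivity/Security
Source0:        clamav-%{version}.tar.gz
# To drop the -db subpackage in an update instead of shipping it, remove the
# "%package db" section below and let the main package obsolete it:
# Obsoletes:      clamav-db < %{version}

%description
Antivirus engine, command line scanner and freshclam database updater.

%package db
Summary:        Virus definition databases as shipped with this release
Requires:       %{name} = %{version}

%description db
Definitions current at release time. freshclam replaces them in place;
the copies shipped here carry a .dist suffix and are never used directly.

%prep
%setup -q

%build
%configure
make %{?_smp_mflags}

%install
%make_install
mkdir -p %{buildroot}%{dbdir}
# Ship the definitions under a .dist suffix so rpm never owns the live
# files, which freshclam rewrites at will (file names assumed).
for f in main.cvd daily.cvd; do
    install -m 0644 database/$f %{buildroot}%{dbdir}/$f.dist
done

%post db
# Copy the shipped definitions to their canonical location. The existence
# check is this example's choice: a database already fetched by freshclam
# (usually newer than the shipped one) is left untouched.
for f in main.cvd daily.cvd; do
    [ -e %{dbdir}/$f ] || cp -p %{dbdir}/$f.dist %{dbdir}/$f
done

%files
%{_bindir}/clamscan
%{_bindir}/freshclam
%dir %{dbdir}
# %ghost: owned by the main package so the live databases are removed
# together with it, whether they came from -db, freshclam or a manual copy;
# not packaged, so a newer freshclam database is never clobbered.
%ghost %{dbdir}/main.cvd
%ghost %{dbdir}/daily.cvd

%files db
%{dbdir}/main.cvd.dist
%{dbdir}/daily.cvd.dist
```

The point of the split is that the on-disk databases have exactly one owner (the main package, via %ghost) regardless of how they arrived, so removing clamav cleans them up, while the -db subpackage remains a pure convenience for hosts without network access and can be left out of a security update without changing the main package's behaviour.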
--- Comment #10 from Reinhard Max
> Should need more than adding "Obsoletes: clamav-db" to the main package.

s/Should/Shouldn't/
--- Comment #11 from Bernhard Wiedemann
--- Comment #14 from Bernhard Wiedemann
--- Comment #15 from Swamp Workflow Management
--- Comment #16 from Bernhard Wiedemann
--- Comment #17 from Sebastian Krahmer
--- Comment #18 from Swamp Workflow Management
--- Comment #19 from Swamp Workflow Management
--- Comment #20 from Swamp Workflow Management
--- Comment #21 from Swamp Workflow Management