Hello community, here is the log from the commit of package clamav.4646 for openSUSE:13.1:Update checked in at 2016-06-28 23:20:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/clamav.4646 (Old) and /work/SRC/openSUSE:13.1:Update/.clamav.4646.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "clamav.4646" Changes: -------- New Changes file: --- /dev/null 2016-06-25 11:41:22.768041005 +0200 +++ /work/SRC/openSUSE:13.1:Update/.clamav.4646.new/clamav.changes 2016-06-28 23:22:10.000000000 +0200 @@ -0,0 +1,1370 @@ +------------------------------------------------------------------- +Thu May 12 09:54:14 UTC 2016 - fweiss@suse.com + +- Update to version 0.99.2 (bsc#978459) + * 7z: fix for FolderStartPackStreamIndex array index heck + * print all CDBNAME entries for a zip file when using the -z + flag. + * try to minimize the err cleanup path + * clamunrar: notice if unpacking comment failed + * signature manual update. + * use temp var for realloc to prevent pointer loss. + * fix debug VI hex truncation + * freshclam: avoid random data in mirrors.dat. + * libclamav: print raw certificate metadata + * freshclam manager check return code of strdup. + * additional suppress IP notification when using proxy + * fix download and verification of *.cld through PrivateMirrors + * suppress IP notification when using proxy + * remove redundant mempool assignment + * divide out dumpcerts output for better readability + * fix dconf and option handling for nocert and dumpcert + * patch by Jim Morris to increase clamd's soft file descriptor to + its potential maximum on 64-bit systems + * Move libfreshclam config to m4/reorganization. + * adding libfreshclam + * Add 'cdb' datafile to sigtools list of datafile types. + * NULL pointer check. + * malloc() NULL pointer check. + * clamscan 'block-macros' option. + * initialize cpio name buffer + * initialize mspack decompression buffers + * prevent memory allocations on used pointers (folder objects) + * prevent memory allocations on used pointers (boolvectors) + * initialize ARJ metadata structures + * change cli_malloc with cli_calloc + * check packSizes prior to dereference + * fixed inconsistent folder state on failure + * pre-check on (*unpackSizes) dereference + * fix on pre-checks on dereferenced array + * pre-checks on dereferenced array size values (not =0) + * adding sanity checks to 7z header parsing + * fixed mew source read issue + * documentation update on targets + * filetype consistency + * move llvm option flag handling to new m4 file + * hwp5.x: fix for streams without names + +------------------------------------------------------------------- +Mon Mar 21 17:46:51 UTC 2016 - max@suse.com + +- Update to version 0.99.1 (bsc#969814) + * Add support for parsing Hancom Office files including + extracting and scanning embedded objects. + * Several bug fixes. For details, see + http://blog.clamav.net/2016/03/clamav-0991-has-been-released.html + /usr/share/doc/packages/clamav/ChangeLog + +- bsc#958451: Remove updateclamconf, because it breaks + configurations that have multiple occurances of the same keyword. + + Henceforth the configuration files have to be merged maually, if + a ClamAV update adds or removs options. + +------------------------------------------------------------------- +Thu Feb 11 11:08:01 UTC 2016 - max@suse.com + +- Buildrequire pcre-devel for the new regexp signatures + (bsc#960237). + +------------------------------------------------------------------- +Thu Dec 3 14:17:02 UTC 2015 - max@suse.com + +- Version 0.99 fixes bsc#957728. + +------------------------------------------------------------------- +Wed Dec 2 13:23:40 UTC 2015 - p.drouand@gmail.com + +- Update to version 0.99 + * Processing of YARA rules(some limitations- see signatures.pdf). + * Support in ClamAV logical signatures for many of the features + added for YARA, such as Perl Compatible Regular Expressions, + alternate strings, and YARA string attributes. See signatures.pdf + for full details. + * New and improved on-access scanning for Linux. See the recent blog + post and clamdoc.pdf for details on the new on-access capabilities. + * A new ClamAV API callback function that is invoked when a virus + is found. This is intended primarily for applications running in + all-match mode. Any applications using all-match mode must use + the new callback function to record and report detected viruses. + * Configurable default password list to attempt zip file decryption. + * TIFF file support. + * Upgrade Windows pthread library to 2.9.1. + * A new signature target type for designating signatures to run + against files with unknown file types. + * Improved fidelity of the "data loss prevention" heuristic + algorithm. Code supplied by Bill Parker. + * Support for LZMA decompression within Adobe Flash files. + * Support for MSO attachments within Microsoft Office 2003 XML files. + * A new sigtool option(--ascii-normalize) allowing signature authors + to more easily generate normalized versions of ascii files. + * Windows installation directories changed from \Program Files\Sourcefire\ + ClamAV to \Program Files\ClamAV or \Program Files\ClamAV-x64. +- Refactor a little the specfile; remove some obsolete conditional + macros, as clamav doesn't build for SLE11 anyway +- Remove clamav-sles9.patch; sles9 is not supported for a while + +------------------------------------------------------------------- +Wed Jul 1 12:17:04 UTC 2015 - mpluskal@suse.com + +- Make clamd and clamav-milter services depend on freshclam as + they need it + +------------------------------------------------------------------- +Mon May 4 13:39:49 UTC 2015 - max@suse.com + +- Version 0.98.7 fixes several security issues (bsc#929192) and + other bug fixes/improvements: + * Fix crash in upx decoder with crafted file. Discovered and + patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170. + * Fix infinite loop condition on crafted y0da cryptor + file. Identified and patch suggested by Sebastian Andrzej + Siewior. CVE-2015-2221. + * Fix crash on crafted petite packed file. Reported and patch + supplied by Sebastian Andrzej Siewior. CVE-2015-2222. + * Fix an infinite loop condition on a crafted "xz" archive file. + This was reported by Dimitri Kirchner and Goulven Guiheux. + CVE-2015-2668. + * Apply upstream patch for possible heap overflow in Henry + Spencer's regex library. CVE-2015-2305. + * Fix false negatives on files within iso9660 containers. This + issue was reported by Minzhuan Gong. + * Fix a couple crashes on crafted upack packed file. Identified + and patches supplied by Sebastian Andrzej Siewior. + * Fix a crash during algorithmic detection on crafted PE file. + Identified and patch supplied by Sebastian Andrzej Siewior. + * Fix compilation error after ./configure --disable-pthreads. + Reported and fix suggested by John E. Krokes. + * Fix segfault scanning certain HTML files. Reported with sample + by Kai Risku. + * Improve detections within xar/pkg files. + * Improvements to PDF processing: decryption, escape sequence + handling, and file property collection. + * Scanning/analysis of additional Microsoft Office 2003 XML + format. + +------------------------------------------------------------------- +Thu Feb 5 10:29:02 UTC 2015 - max@suse.com + +- Version 0.98.6 fixes several security issues: + * bsc#916217, CVE-2015-1461: Remote attackers can have + unspecified impact via Yoda's crypter or mew packer files. + * bsc#916214, CVE-2015-1462: Unspecified impact via acrafted upx + packer file. + * bsc#916215, CVE-2015-1463: Remote attackers can cause a denial + of service via a crafted petite packer file. + * bsc#915512, CVE-2014-9328: heap out of bounds condition with + crafted upack packer files. +- Obsoletes clamav-soname.patch + +------------------------------------------------------------------- +Fri Jan 30 15:19:34 UTC 2015 - max@suse.com + +- Don't need sendmail for building clamav-milter anymore, + sendmail-devel is enough (bnc#915414). + +------------------------------------------------------------------- +Fri Jan 23 14:03:18 UTC 2015 - max@suse.com + +- bnc#914505: Config file merging and temp file creation got moved + to %pre by mistake. Put them back to %post. +- Restore the updateclamconf script (bnc#908731). +- Fix a step backwards in the soname version from 0.98.4 to 0.98.5 + (https://bugzilla.clamav.net/show_bug.cgi?id=11193, + clamav-soname.patch). + +------------------------------------------------------------------- +Thu Jan 1 21:34:01 UTC 2015 - meissner@suse.com + +- build with PIE + +------------------------------------------------------------------- +Wed Nov 19 14:54:58 UTC 2014 - max@suse.com + +- Version 0.98.5: + * Support for the XDP file format and extracting, decoding, and + scanning PDF files within XDP files. + * Addition of shared library support for LLVM versions 3.1 - 3.5 + for the purpose of just-in-time(JIT) compilation of ClamAV + bytecode signatures. + * Enhancements to the clambc command line utility to assist + ClamAV bytecode signature authors by providing introspection + into compiled bytecode programs. + * Resolution of many of the warning messages from ClamAV + compilation. + * Improved detection of malicious PE files. + * Security fix for ClamAV crash when using 'clamscan -a'. + * Security fix for ClamAV crash when scanning maliciously ++++ 1173 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.clamav.4646.new/clamav.changes New: ---- clamav-0.99.2.tar.gz clamav-conf.patch clamav-gcc47.patch clamav-rpmlintrc clamav-tmpfiles.conf clamav.changes clamav.keyring clamav.spec service.clamav-milter service.clamd service.freshclam ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ clamav.spec ++++++ # # spec file for package clamav # # Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: clamav BuildRequires: ncurses-devel BuildRequires: sed BuildRequires: sendmail-devel %define llvm --disable-llvm BuildRequires: bc BuildRequires: pkgconfig BuildRequires: zlib-devel %ifarch %ix86 x86_64 %define llvm --enable-llvm # Needed for compiling LLVM. BuildRequires: gcc-c++ %endif BuildRequires: check-devel BuildRequires: libbz2-devel BuildRequires: libopenssl-devel BuildRequires: libxml2-devel BuildRequires: pcre-devel BuildRequires: pwdutils BuildRequires: python-devel %define clamav_check --enable-check Summary: Antivirus Toolkit License: GPL-2.0 Group: Productivity/Security Version: 0.99.2 Release: 0 Url: http://www.clamav.net Requires: latex2html-pngicons Obsoletes: clamav-db < 0.88.3 Requires(pre): %_sbindir/groupadd %_sbindir/useradd %_sbindir/usermod Requires(pre): /usr/bin/awk /bin/sed /bin/tar Source0: http://www.clamav.net/downloads/%{name}-%{version}.tar.gz Source11: clamav.keyring Source4: clamav-rpmlintrc Source6: clamav-tmpfiles.conf Source7: service.clamd Source8: service.freshclam Source9: service.clamav-milter Patch1: clamav-conf.patch Patch3: clamav-gcc47.patch BuildRequires: systemd %systemd_requires %description ClamAV is an open source (GPL) antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats. It is the de facto standard for mail gateway scanning. It provides a high performance mutli-threaded scanning daemon, command line utilities for on demand file scanning, and an intelligent tool for automatic signature updates. The core ClamAV library provides numerous file format detection mechanisms, file unpacking support, archive support, and multiple signature languages for detecting threats. %prep %setup -q %patch1 -p1 %patch3 -p1 %build CFLAGS="-fstack-protector" CXXFLAGS="-fstack-protector" export CFLAGS="%optflags $CFLAGS -fPIE -fno-strict-aliasing" export CXXFLAGS="%optflags $CXXFLAGS -fPIE -fno-strict-aliasing" export LDFLAGS="-pie" %if "%_lib" == "lib64" # tomsfastmath needs this for correct operation on 64-bit platforms CFLAGS="$CFLAGS -DFP_64BIT" %endif %configure \ --disable-clamav \ --disable-static \ --with-dbdir=/var/lib/clamav \ --with-user=vscan \ --with-group=vscan \ --enable-milter \ %clamav_check \ %llvm \ --enable-clamdtop \ --disable-timestamps make V=1 %{?jobs:-j%jobs} %install %makeinstall install -d -m755 %buildroot/var/lib/clamav install -d -m755 %buildroot/%_tmpfilesdir install -m644 %SOURCE6 %buildroot%_tmpfilesdir/clamav.conf mkdir -p %buildroot/var/spool/amavis rm %buildroot/%_libdir/*.la # Remove bogus dependencies from libclamav.pc sed -i 's/^Libs: .*/Libs: -lclamav/' %buildroot%_libdir/pkgconfig/libclamav.pc # fix the new config file names pushd %buildroot/etc mv clamd.conf.sample clamd.conf mv clamav-milter.conf.sample clamav-milter.conf mv freshclam.conf.sample freshclam.conf popd # Systemd... install -d -m 0755 %buildroot/%{_unitdir} install -m 0644 %{SOURCE7} %buildroot/%{_unitdir}/clamd.service install -m 0644 %{SOURCE8} %buildroot/%{_unitdir}/freshclam.service install -m 0644 %{SOURCE9} %buildroot/%{_unitdir}/clamav-milter.service # this is broken if system does not have systemd so don't # use it at all on systems without mandatory systemd for srvname in clamd freshclam clamav-milter;do (export PATH=/usr/sbin:/sbin:$PATH ;ln -sf $(which service) %{buildroot}/%{_sbindir}/rc${srvname}) done %check # regression tests %if !0%{?qemu_user_space_build:1} VALGRIND_GENSUP=1 make check || cat unit_tests/test-suite.log %endif %files %defattr(-,root,root,-) %config(noreplace) %_sysconfdir/*.conf #systemd... %{_unitdir}/clamd.service %{_unitdir}/freshclam.service %{_unitdir}/clamav-milter.service %_tmpfilesdir %doc AUTHORS BUGS ChangeLog COPYING FAQ NEWS README UPGRADE %doc docs/*.pdf docs/html %doc %_mandir/*/* %_bindir/* %_sbindir/* %_includedir/* %_libdir/lib* %_libdir/pkgconfig/libclamav.pc %defattr(-,vscan,vscan) %dir %attr(750,vscan,vscan) /var/spool/amavis %dir /var/lib/clamav %pre %_sbindir/groupadd -r vscan 2> /dev/null || : %_sbindir/useradd -r -o -g vscan -u 65 -s /bin/false -c "Vscan account" -d /var/spool/amavis vscan 2> /dev/null || : %_sbindir/usermod vscan -g vscan 2> /dev/null || : %service_add_pre clamd.service freshclam.service clamav-milter.service %post /sbin/ldconfig systemd-tmpfiles --create %_tmpfilesdir/clamav.conf %service_add_post clamd.service freshclam.service clamav-milter.service %preun %service_del_preun clamd.service freshclam.service clamav-milter.service %postun /sbin/ldconfig %service_del_postun clamd.service freshclam.service clamav-milter.service %changelog ++++++ clamav-conf.patch ++++++ Index: clamav-0.98.3/etc/clamav-milter.conf.sample =================================================================== --- clamav-0.98.3.orig/etc/clamav-milter.conf.sample 2014-05-06 20:39:56.000000000 +0200 +++ clamav-0.98.3/etc/clamav-milter.conf.sample 2014-05-08 16:42:14.865949467 +0200 @@ -2,10 +2,6 @@ ## Example config file for clamav-milter ## -# Comment or remove the line below. -Example - - ## ## Main options ## @@ -17,8 +13,7 @@ # inet6:port@[hostname|ip-address] - to specify an ipv6 socket # # Default: no default -#MilterSocket /tmp/clamav-milter.socket -#MilterSocket inet:7357 +MilterSocket /var/run/clamav/clamav-milter-socket # Define the group ownership for the (unix) milter socket. # Default: disabled (the primary group of the user running clamd) @@ -36,7 +31,7 @@ # Run as another user (clamav-milter must be started by root for this option to work) # # Default: unset (don't drop privileges) -#User clamav +User vscan # Initialize supplementary group access (clamav-milter must be started by root). # @@ -64,7 +59,7 @@ # daemon (main thread). # # Default: disabled -#PidFile /var/run/clamav-milter.pid +PidFile /var/run/clamav/clamav-milter.pid # Optional path to the global temporary directory. # Default: system specific (usually /tmp or /var/tmp). @@ -90,7 +85,7 @@ # with the same socket: clamd servers will be selected in a round-robin fashion. # # Default: no default -#ClamdSocket tcp:scanner.mydomain:7357 +ClamdSocket unix:/var/run/clamav/clamd-socket ## @@ -239,13 +234,13 @@ # Use system logger (can work together with LogFile). # # Default: no -#LogSyslog yes +LogSyslog yes # Specify the type of syslog messages - please refer to 'man syslog' # for facility names. # # Default: LOG_LOCAL6 -#LogFacility LOG_MAIL +LogFacility LOG_MAIL # Enable verbose logging. # Index: clamav-0.98.3/etc/clamd.conf.sample =================================================================== --- clamav-0.98.3.orig/etc/clamd.conf.sample 2014-05-08 16:42:07.318862339 +0200 +++ clamav-0.98.3/etc/clamd.conf.sample 2014-05-08 16:45:03.177891683 +0200 @@ -1,12 +1,8 @@ ## -## Example config file for the Clam AV daemon +## Config file for the Clam AV daemon ## Please read the clamd.conf(5) manual before editing this file. ## - -# Comment or remove the line below. -Example - # Uncomment this option to enable logging. # LogFile must be writable for the user running daemon. # A full path is required. @@ -41,12 +37,12 @@ # Use system logger (can work together with LogFile). # Default: no -#LogSyslog yes +LogSyslog yes # Specify the type of syslog messages - please refer to 'man syslog' # for facility names. # Default: LOG_LOCAL6 -#LogFacility LOG_MAIL +LogFacility LOG_MAIL # Enable verbose logging. # Default: no @@ -63,7 +59,7 @@ # This option allows you to save a process identifier of the listening # daemon (main thread). # Default: disabled -#PidFile /var/run/clamd.pid +PidFile /var/run/clamav/clamd.pid # Optional path to the global temporary directory. # Default: system specific (usually /tmp or /var/tmp). @@ -82,7 +78,7 @@ # Path to a local socket file the daemon will listen on. # Default: disabled (must be specified by a user) -#LocalSocket /tmp/clamd.socket +LocalSocket /var/run/clamav/clamd-socket # Sets the group ownership on the unix socket. # Default: disabled (the primary group of the user running clamd) @@ -98,7 +94,7 @@ # TCP port address. # Default: no -#TCPSocket 3310 +TCPSocket 3310 # TCP address. # By default we bind to INADDR_ANY, probably not wise. @@ -106,7 +102,7 @@ # from the outside world. This option can be specified multiple # times if you want to listen on multiple IPs. IPv6 is now supported. # Default: no -#TCPAddr 127.0.0.1 +TCPAddr 127.0.0.1 # Maximum length the queue of pending connections may grow to. # Default: 200 @@ -192,7 +188,7 @@ # Run as another user (clamd must be started by root for this option to work) # Default: don't drop privileges -#User clamav +User vscan # Initialize supplementary group access (clamd must be started by root). # Default: no @@ -525,6 +521,10 @@ ## ## On-access Scan Settings ## +# +# When enabling this, you most probably have to set "User root" above, +# so that clamav can access the files to be scanned. +# # Enable on-access scanning. Currently, this is supported via fanotify. # Clamuko/Dazuko support has been deprecated. Index: clamav-0.98.3/etc/freshclam.conf.sample =================================================================== --- clamav-0.98.3.orig/etc/freshclam.conf.sample 2014-05-08 16:42:07.349862696 +0200 +++ clamav-0.98.3/etc/freshclam.conf.sample 2014-05-08 16:42:14.866949479 +0200 @@ -1,12 +1,8 @@ ## -## Example config file for freshclam +## Config file for freshclam ## Please read the freshclam.conf(5) manual before editing this file. ## - -# Comment or remove the line below. -Example - # Path to the database directory. # WARNING: It must match clamd.conf's directive! # Default: hardcoded (depends on installation options) @@ -35,12 +31,12 @@ # Use system logger (can work together with UpdateLogFile). # Default: no -#LogSyslog yes +LogSyslog yes # Specify the type of syslog messages - please refer to 'man syslog' # for facility names. # Default: LOG_LOCAL6 -#LogFacility LOG_MAIL +LogFacility LOG_MAIL # Enable log rotation. Always enabled when LogFileMaxSize is enabled. # Default: no @@ -48,12 +44,12 @@ # This option allows you to save the process identifier of the daemon # Default: disabled -#PidFile /var/run/freshclam.pid +PidFile /var/run/clamav/freshclam.pid # By default when started freshclam drops privileges and switches to the # "clamav" user. This directive allows you to change the database owner. # Default: clamav (may depend on installation options) -#DatabaseOwner clamav +DatabaseOwner vscan # Initialize supplementary group access (freshclam must be started by root). # Default: no @@ -136,7 +132,7 @@ # Send the RELOAD command to clamd. # Default: no -#NotifyClamd /path/to/clamd.conf +NotifyClamd /etc/clamd.conf # Run command after successful database update. # Default: disabled @@ -179,7 +175,7 @@ # detected in the field and in what geographic area they are. # Freshclam will connect to clamd in order to get recent statistics. # Default: no -#SubmitDetectionStats /path/to/clamd.conf +#SubmitDetectionStats /etc/clamd.conf # Country of origin of malware/detection statistics (for statistical # purposes only). The statistics collector at ClamAV.net will look up ++++++ clamav-gcc47.patch ++++++ Index: clamav-0.97.3/libclamav/c++/llvm/lib/ExecutionEngine/JIT/Intercept.cpp =================================================================== --- clamav-0.97.3.orig/libclamav/c++/llvm/lib/ExecutionEngine/JIT/Intercept.cpp +++ clamav-0.97.3/libclamav/c++/llvm/lib/ExecutionEngine/JIT/Intercept.cpp @@ -15,6 +15,7 @@ // //===----------------------------------------------------------------------===// +#include <unistd.h> #include "JIT.h" #include "llvm/Support/ErrorHandling.h" #include "llvm/System/DynamicLibrary.h" ++++++ clamav-rpmlintrc ++++++ addFilter("non-standard-uid.*") addFilter("devel-file-in-non-devel-package.*") addFilter("obsolete-not-provided") ++++++ clamav-tmpfiles.conf ++++++ # clamav needs a directory in /var/run: d /var/run/clamav 0755 vscan vscan - ++++++ service.clamav-milter ++++++ [Unit] Description=Clamav antivirus milter daemon After=syslog.target network.target freshclam.service Requires=freshclam.service [Service] Type=forking ExecStart=/usr/sbin/clamav-milter ; it will switch to vscan user ;User=vscan ;Group=vscan ;PrivateTmp=yes [Install] WantedBy=multi-user.target ++++++ service.clamd ++++++ [Unit] Description=Clamav antivirus Deamon After=syslog.target network.target freshclam.service Requires=freshclam.service [Service] Type=forking ExecStart=/usr/sbin/clamd ;User=vscan ;Group=vscan ;PrivateTmp=yes [Install] WantedBy=multi-user.target ++++++ service.freshclam ++++++ [Unit] Description=Freshclam virus definitions downloader After=syslog.target network.target [Service] Type=forking ExecStart=/usr/bin/freshclam -d ;User=vscan ;Group=vscan ;PrivateTmp=yes [Install] WantedBy=multi-user.target