Hello community,
here is the log from the commit of package clamav for openSUSE:Factory
checked in at Tue Apr 7 12:45:22 CEST 2009.
--------
--- clamav/clamav.changes 2008-12-01 16:45:40.000000000 +0100
+++ /mounts/work_src_done/STABLE/clamav/clamav.changes 2009-04-06 18:22:28.000000000 +0200
@@ -1,0 +2,35 @@
+Mon Apr 6 17:14:47 CEST 2009 - max@suse.de
+
+- Version 0.95 also fixes two security issues:
+ bnc#491935 and bnc#491938.
+- Removed unneeded tcpd build dependency.
+- Removed obsolete configure switches.
+- ncurses-devel is needed for building clamtop.
+- Patched clamav-milter up to the latest upstream version to fix
+ the non-detection of virus code outside of attachments.
+ (bnc#445137)
+- Improved rcclamd to print a more instructive message when the
+ virus database files are missing.
+
+-------------------------------------------------------------------
+Tue Mar 24 18:33:34 CET 2009 - max@suse.de
+
+- New version 0.95 (bnc#488317):
+
+ * clamav-milter got rewritten. Standalone mode got dropped and
+ using multiple instances of clamd in parallel got added for
+ load sharing and fail-safety. The command lin
+
+ * Changes to the libclamav API will make future changes less
+ likely, but require adjustment of applications linking to
+ libclamav.
+
+ * Numerous other bug fixes and improvements.
+
+ * libGMP is no longer needed.
+
+- Drop support for versions older than 9.1/SLES9.
+
+- Improve init script of clamav-milter (bnc#445137).
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
clamav-0.94.2.tar.bz2
clamav-milter-sysconfig
New:
----
clamav-0.95.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ clamav.spec ++++++
--- /var/tmp/diff_new_pack.K26668/_old 2009-04-07 12:45:05.000000000 +0200
+++ /var/tmp/diff_new_pack.K26668/_new 2009-04-07 12:45:05.000000000 +0200
@@ -1,7 +1,7 @@
#
-# spec file for package clamav (Version 0.94.2)
+# spec file for package clamav (Version 0.95)
#
-# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -19,11 +19,9 @@
Name: clamav
-%if 0%{?suse_version} >= 0910
-BuildRequires: sed sendmail sendmail-devel tcpd-devel
-%endif
+BuildRequires: ncurses-devel sed sendmail sendmail-devel
%if 0%{?suse_version} >= 1010
-BuildRequires: bc gmp-devel pkgconfig zlib-devel
+BuildRequires: bc pkgconfig zlib-devel
%endif
%if 0%{?suse_version} >= 1030
BuildRequires: check-devel pwdutils
@@ -32,7 +30,7 @@
%define clamav_check --disable-check
%endif
Summary: Antivirus Toolkit
-Version: 0.94.2
+Version: 0.95
Release: 1
License: GPL v2 or later
Group: Productivity/Security
@@ -41,14 +39,13 @@
Obsoletes: clamav-db < 0.88.3
PreReq: %_sbindir/groupadd %_sbindir/useradd %_sbindir/usermod
PreReq: /usr/bin/awk /bin/sed /bin/tar
-PreReq: %insserv_prereq %fillup_prereq
+PreReq: %insserv_prereq
Source0: %{name}-%{version}.tar.bz2
Source1: clamav-rcclamd
Source2: clamav-rcfreshclam
Source3: clamav-updateclamconf
Source4: clamav-rpmlintrc
Source5: clamav-rcmilter
-Source6: clamav-milter-sysconfig
Patch1: clamav-conf.patch
Patch2: clamav-milter.patch
Patch3: clamav-valgrind.patch
@@ -98,6 +95,10 @@
CFLAGS="-fstack-protector"
%endif
export CFLAGS="%optflags -fno-strict-aliasing $CFLAGS"
+%if 0%{?suse_version} == 0910
+# SLES9 needs this macro to enable the quarantine feature in libmilter
+CFLAGS="$CFLAGS -D_FFR_QUARANTINE"
+%endif
./configure \
--prefix=%_prefix \
--libdir=%_libdir \
@@ -108,19 +109,12 @@
--with-dbdir=/var/lib/clamav \
--with-user=vscan \
--with-group=vscan \
- --with-tcpwrappers \
- --with-libcurl \
-%if 0%{?suse_version} >= 0910
--enable-milter \
-%endif
%clamav_check \
--disable-zlib-vcheck
make %{?jobs:-j%jobs}
-# SLES8 does not support %check
-%if 0%{?suse_version} > 810 || 0%{!?suse_version:1}
%check
-%endif
VALGRIND_GENSUP=1 make check
%install
@@ -133,8 +127,6 @@
ln -s /etc/init.d/freshclam %buildroot%_sbindir/rcfreshclam
install -m755 %SOURCE5 %buildroot/etc/init.d/clamav-milter
ln -s /etc/init.d/clamav-milter %buildroot%_sbindir/rcclamav-milter
-mkdir -p %buildroot/var/adm/fillup-templates
-install -m644 %SOURCE6 %buildroot/var/adm/fillup-templates/sysconfig.clamav-milter
install -m755 %SOURCE3 %buildroot%_sbindir/updateclamconf
touch %buildroot/var/lib/clamav/{clamd,freshclam}.pid
for f in %buildroot/var/lib/clamav/*.cvd; do
@@ -146,10 +138,8 @@
%if 0%{?suse_version} > 1020
rm %buildroot/%_libdir/*.la
%endif
-%if 0%{?suse_version} > 0810
# Remove bogus dependencies from libclamav.pc
sed -i 's/^Libs: .*/Libs: -lclamav/' %buildroot%_libdir/pkgconfig/libclamav.pc
-%endif
%clean
rm -rf %buildroot
@@ -172,7 +162,6 @@
%ghost /var/lib/clamav/*.pid
%ghost /var/lib/clamav/*.cld
%ghost /var/lib/clamav/*.cvd
-/var/adm/fillup-templates/*
%files db
%defattr(-,vscan,vscan)
@@ -186,11 +175,10 @@
%post
/sbin/ldconfig
-%{?fillup_only:%fillup_only -n clamav-milter}
# merge config files on update
test "0$1" -lt 2 && exit 0
umask 022
-for f in /etc/clamd.conf /etc/freshclam.conf; do
+for f in /etc/clamd.conf /etc/freshclam.conf /etc/clamav-milter.conf; do
if test -e $f.rpmnew; then
echo "Merging $f and $f.rpmnew"
%_sbindir/updateclamconf -v override="$OVERRIDE" $f $f.rpmnew > $f.tmp
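Review bot: The sysconfig template and the `%fillup_only -n clamav-milter` call are dropped, but nothing in the visible part of %post carries an existing /etc/sysconfig/clamav-milter over to /etc/clamav-milter.conf. On an upgrade from 0.94.2 there is presumably no old clamav-milter.conf and therefore no `.rpmnew`, so the added loop entry does nothing on that first update and the milter would start with the packaged defaults rather than the site's previous options. For a mail filter that change should not be silent; a one-time notice such as `test -e /etc/sysconfig/clamav-milter && echo "clamav-milter now reads /etc/clamav-milter.conf; please review it"` would do. The loop body continues past the end of this hunk.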
@@ -273,6 +261,29 @@
done
%changelog
+* Mon Apr 06 2009 max@suse.de
+- Version 0.95 also fixes two security issues:
+ bnc#491935 and bnc#491938.
+- Removed unneeded tcpd build dependency.
+- Removed obsolete configure switches.
+- ncurses-devel is needed for building clamtop.
+- Patched clamav-milter up to the latest upstream version to fix
+ the non-detection of virus code outside of attachments.
+ (bnc#445137)
+- Improved rcclamd to print a more instructive message when the
+ virus database files are missing.
+* Tue Mar 24 2009 max@suse.de
+- New version 0.95 (bnc#488317):
+ * clamav-milter got rewritten. Standalone mode got dropped and
+ using multiple instances of clamd in parallel got added for
+ load sharing and fail-safety. The command lin
+ * Changes to the libclamav API will make future changes less
+ likely, but require adjustment of applications linking to
+ libclamav.
+ * Numerous other bug fixes and improvements.
+ * libGMP is no longer needed.
+- Drop support for versions older than 9.1/SLES9.
+- Improve init script of clamav-milter (bnc#445137).
* Mon Dec 01 2008 max@suse.de
- New version 0.94.2 fixes recursion limits in JPEG scanning code
(bnc#450207).
@@ -381,7 +392,7 @@
- Stability and bugfix update: 0.91.1 (#292297)
- Run ldconfig on (un)installation.
- Make %%check conditional to fix building on SLES8.
-* Sat Jul 14 2007 lrupp@suse.de
+* Sun Jul 15 2007 lrupp@suse.de
- add zlib-devel to build requires
- suppress some false positives from rpmlint
- added %%check section and remove unneeded INSTALL file from %%doc
++++++ clamav-0.94.2.tar.bz2 -> clamav-0.95.tar.bz2 ++++++
clamav/clamav-0.94.2.tar.bz2 /mounts/work_src_done/STABLE/clamav/clamav-0.95.tar.bz2 differ: byte 11, line 1
++++++ clamav-conf.patch ++++++
--- /var/tmp/diff_new_pack.K26668/_old 2009-04-07 12:45:05.000000000 +0200
+++ /var/tmp/diff_new_pack.K26668/_new 2009-04-07 12:45:05.000000000 +0200
@@ -1,3 +1,69 @@
+--- etc/clamav-milter.conf
++++ etc/clamav-milter.conf
+@@ -2,10 +2,6 @@
+ ## Example config file for clamav-milter
+ ##
+
+-# Comment or remove the line below.
+-Example
+-
+-
+ ##
+ ## Main options
+ ##
+@@ -17,8 +13,7 @@
+ # inet6:port@[hostname|ip-address] - to specify an ipv6 socket
+ #
+ # Default: no default
+-#MilterSocket /tmp/clamav-milter.socket
+-#MilterSocket inet:7357
++MilterSocket /var/lib/clamav/clamav-milter-socket
+
+ # Remove stale socket after unclean shutdown.
+ #
+@@ -28,7 +23,7 @@
+ # Run as another user (clamav-milter must be started by root for this option to work)
+ #
+ # Default: unset (don't drop privileges)
+-#User clamav
++User vscan
+
+ # Initialize supplementary group access (clamav-milter must be started by root).
+ #
+@@ -56,7 +51,7 @@
+ # daemon (main thread).
+ #
+ # Default: disabled
+-#PidFile /var/run/clamav-milter.pid
++PidFile /var/lib/clamav/clamav-milter.pid
+
+ # Optional path to the global temporary directory.
+ # Default: system specific (usually /tmp or /var/tmp).
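Review bot: `PidFile /var/lib/clamav/clamav-milter.pid` places the PID file in a directory that appears to be owned by the unprivileged `vscan` account, the same account the milter drops to through `User vscan`. If the init script (not shown here) reads that file as root in order to signal the daemon, it is trusting content that the service account can rewrite. A root-owned runtime directory, or a check in the init script that the PID really belongs to clamav-milter, would remove that dependency. The MilterSocket path introduced earlier in this patch lives in the same directory, so a comment stating the ownership and mode the MTA needs on /var/lib/clamav would also help.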
+@@ -82,7 +77,7 @@
+ # with the same socket: clamd servers will be selected in a round-robin fashion.
+ #
+ # Default: no default
+-#ClamdSocket tcp:scanner.mydomain:7357
++ClamdSocket unix:/var/lib/clamav/clamd-socket
+
+
+ ##
+@@ -193,13 +188,13 @@
+ # Use system logger (can work together with LogFile).
+ #
+ # Default: no
+-#LogSyslog yes
++LogSyslog yes
+
+ # Specify the type of syslog messages - please refer to 'man syslog'
+ # for facility names.
+ #
+ # Default: LOG_LOCAL6
+-#LogFacility LOG_MAIL
++LogFacility LOG_MAIL
+
+ # Enable verbose logging.
+ #
--- etc/clamd.conf
+++ etc/clamd.conf
@@ -1,12 +1,8 @@
++++++ clamav-milter.patch ++++++
--- /var/tmp/diff_new_pack.K26668/_old 2009-04-07 12:45:05.000000000 +0200
+++ /var/tmp/diff_new_pack.K26668/_new 2009-04-07 12:45:05.000000000 +0200
@@ -1,15 +1,397 @@
+--- clamav-milter/Makefile.in
++++ clamav-milter/Makefile.in
+@@ -58,10 +58,11 @@
+ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+ am__aclocal_m4_deps = $(top_srcdir)/m4/acinclude.m4 \
+ $(top_srcdir)/m4/argz.m4 $(top_srcdir)/m4/fdpassing.m4 \
+- $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \
+- $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltdl.m4 \
+- $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
+- $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
++ $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
++ $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libtool.m4 \
++ $(top_srcdir)/m4/ltdl.m4 $(top_srcdir)/m4/ltoptions.m4 \
++ $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
++ $(top_srcdir)/m4/lt~obsolete.m4 \
+ $(top_srcdir)/m4/mmap_private.m4 $(top_srcdir)/m4/resolv.m4 \
+ $(top_srcdir)/configure.in
+ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
--- clamav-milter/clamav-milter.c
+++ clamav-milter/clamav-milter.c
-@@ -2085,12 +2085,7 @@
- logg(_("!Can't save PID in file %s\n"), pidfile);
- return EX_CONFIG;
+@@ -211,6 +211,14 @@
+ return 1;
+ }
+
++ if((opt = optget(opts, "SkipAuthenticated"))->enabled && smtpauth_init(opt->strarg)) {
++ localnets_free();
++ whitelist_free();
++ logg_close();
++ optfree(opts);
++ return 1;
++ }
++
+ if(optget(opts, "AddHeader")->enabled) {
+ char myname[255];
+
+--- clamav-milter/clamfi.c
++++ clamav-milter/clamfi.c
+@@ -61,6 +61,7 @@
+ } loginfected;
+
+ #define CLAMFIBUFSZ 1424
++static const char *HDR_UNAVAIL = "UNKNOWN";
+
+ struct CLAMFI {
+ char buffer[CLAMFIBUFSZ];
+@@ -74,6 +75,7 @@
+ unsigned int totsz;
+ unsigned int bufsz;
+ unsigned int all_whitelisted;
++ unsigned int gotbody;
+ };
+
+
+@@ -91,12 +93,15 @@
+ };
+
+
+-void makesanehdr(char *hdr) {
++static const char *makesanehdr(char *hdr) {
++ char *ret = hdr;
++ if(!hdr) return HDR_UNAVAIL;
+ while(*hdr) {
+ if(*hdr=='\'' || *hdr=='\t' || *hdr=='\r' || *hdr=='\n' || !isprint(*hdr))
+ *hdr = ' ';
+ hdr++;
+ }
++ return ret;
+ }
+
+ static void nullify(SMFICTX *ctx, struct CLAMFI *cf, enum CFWHAT closewhat) {
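Review bot: `isprint(*hdr)` in makesanehdr is called with a plain `char`, so where char is signed any header byte at or above 0x80 reaches it as a negative value, which is undefined behaviour for the ctype functions. The strings cleaned here are copies of the Subject, Date and Message-ID headers, so those bytes are chosen by the sender, and this function is what keeps them from breaking up the log line. Casting at the call fixes it: `!isprint((unsigned char)*hdr)`. The new NULL guard is a good addition; a short comment saying that the function rewrites the buffer in place and returns either that buffer or the shared HDR_UNAVAIL constant (which callers must not free or modify) would make the new return value clear.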
+@@ -113,9 +118,22 @@
+
+
+ static sfsistat sendchunk(struct CLAMFI *cf, unsigned char *bodyp, size_t len, SMFICTX *ctx) {
+- if(cf->totsz >= maxfilesize)
++ if(cf->totsz >= maxfilesize || len == 0)
+ return SMFIS_CONTINUE;
+
++ if(!cf->totsz) {
++ sfsistat ret;
++ if(nc_connect_rand(&cf->main, &cf->alt, &cf->local)) {
++ logg("!Failed to initiate streaming/fdpassing\n");
++ nullify(ctx, cf, CF_NONE);
++ return FailAction;
++ }
++ cf->totsz = 1; /* do not infloop */
++ if((ret = sendchunk(cf, (unsigned char *)"From clamav-milter\n", 19, ctx)) != SMFIS_CONTINUE)
++ return ret;
++ cf->totsz -= 1;
++ }
++
+ if(cf->totsz + len > maxfilesize)
+ len = maxfilesize - cf->totsz;
+
+@@ -166,35 +184,28 @@
+ if(!(cf = (struct CLAMFI *)smfi_getpriv(ctx)))
+ return SMFIS_CONTINUE; /* whatever */
+
+- if(loginfected == LOGINF_FULL) {
+- if(headerf && !strcasecmp(headerf, "Subject") && !cf->msg_subj)
+- cf->msg_subj = strdup(headerv);
+- if(headerf && !strcasecmp(headerf, "Date") && !cf->msg_date)
+- cf->msg_date = strdup(headerv);
+- if(headerf && !strcasecmp(headerf, "Message-ID") && !cf->msg_id)
+- cf->msg_id = strdup(headerv);
++ if(!cf->totsz && cf->all_whitelisted) {
++ logg("*Skipping scan (all destinations whitelisted)\n");
++ nullify(ctx, cf, CF_NONE);
++ return SMFIS_ACCEPT;
+ }
+
+- if(!cf->totsz) {
+- if(cf->all_whitelisted) {
+- logg("*Skipping scan (all destinations whitelisted)\n");
+- nullify(ctx, cf, CF_NONE);
+- return SMFIS_ACCEPT;
+- }
+- if(nc_connect_rand(&cf->main, &cf->alt, &cf->local)) {
+- logg("!Failed to initiate streaming/fdpassing\n");
+- nullify(ctx, cf, CF_NONE);
+- return FailAction;
+- }
+- if((ret = sendchunk(cf, (unsigned char *)"From clamav-milter\n", 19, ctx)) != SMFIS_CONTINUE)
+- return ret;
++ if(!headerf) return SMFIS_CONTINUE; /* just in case */
++
++ if(loginfected == LOGINF_FULL) {
++ if(!cf->msg_subj && !strcasecmp(headerf, "Subject"))
++ cf->msg_subj = strdup(headerv ? headerv : "");
++ if(!cf->msg_date && !strcasecmp(headerf, "Date"))
++ cf->msg_date = strdup(headerv ? headerv : "");
++ if(!cf->msg_id && !strcasecmp(headerf, "Message-ID"))
++ cf->msg_id = strdup(headerv ? headerv : "");
+ }
+
+ if((ret = sendchunk(cf, (unsigned char *)headerf, strlen(headerf), ctx)) != SMFIS_CONTINUE)
+ return ret;
+ if((ret = sendchunk(cf, (unsigned char *)": ", 2, ctx)) != SMFIS_CONTINUE)
+ return ret;
+- if((ret = sendchunk(cf, (unsigned char *)headerv, strlen(headerv), ctx)) != SMFIS_CONTINUE)
++ if(headerv && (ret = sendchunk(cf, (unsigned char *)headerv, strlen(headerv), ctx)) != SMFIS_CONTINUE)
+ return ret;
+ return sendchunk(cf, (unsigned char *)"\r\n", 2, ctx);
+ }
+@@ -205,6 +216,14 @@
+
+ if(!(cf = (struct CLAMFI *)smfi_getpriv(ctx)))
+ return SMFIS_CONTINUE; /* whatever */
++
++ if(!cf->gotbody) {
++ sfsistat ret = sendchunk(cf, (unsigned char *)"\r\n", 2, ctx);
++ if(ret != SMFIS_CONTINUE)
++ return ret;
++ cf->gotbody = 1;
++ }
++
+ return sendchunk(cf, bodyp, len, ctx);
+ }
+
+@@ -225,6 +244,14 @@
+ if(!(cf = (struct CLAMFI *)smfi_getpriv(ctx)))
+ return SMFIS_CONTINUE; /* whatever */
+
++ if(!cf->totsz) {
++ /* got no headers and no body */
++ logg("*Not scanning an empty message\n");
++ ret = CleanAction(ctx);
++ nullify(ctx, cf, CF_NONE);
++ return ret;
++ }
++
+ if(cf->local) {
+ if(nc_send(cf->main, "nFILDES\n", 8)) {
+ logg("!FD scan request failed\n");
+@@ -286,18 +313,19 @@
}
--#ifdef C_LINUX
-- /* Ensure that all threads are kill()ed */
-- fprintf(fd, "-%d\n", (int)getpgrp());
--#else
- fprintf(fd, "%d\n", (int)getpid());
--#endif
- fclose(fd);
- umask(old_umask);
- } else if(tmpdir) {
+
+ if(loginfected) {
+- const char *from = smfi_getsymval(ctx, "{mail_addr}"), *to = smfi_getsymval(ctx, "{rcpt_addr}");
+-
+- if(!from) from = "UNKNOWN";
+- if(!to) to = "UNKNOWN";
+-
++ const char *from = smfi_getsymval(ctx, "{mail_addr}");
++ const char *to = smfi_getsymval(ctx, "{rcpt_addr}");
++
++ if(!from) from = HDR_UNAVAIL;
++ if(!to) to = HDR_UNAVAIL;
+ if(loginfected == LOGINF_FULL) {
+ const char *id = smfi_getsymval(ctx, "{i}");
++ const char *msg_subj = makesanehdr(cf->msg_subj);
++ const char *msg_date = makesanehdr(cf->msg_date);
++ const char *msg_id = makesanehdr(cf->msg_id);
+
+- makesanehdr(cf->msg_subj);
+- makesanehdr(cf->msg_date);
+- makesanehdr(cf->msg_id);
+- logg("~Message %s from <%s> to <%s> with subject '%s' message-id '%s' date '%s' infected by %s\n", id ? id : "UNKNOWN", from, to, cf->msg_subj, cf->msg_id, cf->msg_date, vir);
++ if(!id) id = HDR_UNAVAIL;
++ logg("~Message %s from <%s> to <%s> with subject '%s' message-id '%s' date '%s' infected by %s\n", id, from, to, msg_subj, msg_id, msg_date, vir);
+ } else logg("~Message from <%s> to <%s> infected by %s\n", from, to, vir);
+ }
+ }
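Review bot: Only the three header copies pass through makesanehdr before the `logg` call; `from`, `to`, `id` and `vir` are formatted exactly as received. The first three come from MTA macros and are presumably normalised already, and the origin of `vir` is outside this hunk, but the `<%s>` and `'%s'` quoting in the format string only holds if none of them contains quotes, angle brackets or line breaks. Because they are held as `const char *`, makesanehdr cannot be applied to them in place; cleaning them would need a local copy. Either do that, or add a comment such as `/* from, to, id are MTA-supplied and trusted as-is */` so the difference in treatment is a stated decision.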
+@@ -504,12 +532,18 @@
+
+ sfsistat clamfi_envfrom(SMFICTX *ctx, char **argv) {
+ struct CLAMFI *cf;
++ const char *login = smfi_getsymval(ctx, "{auth_authen}");
++
++ if(login && smtpauthed(login)) {
++ logg("*Skipping scan for authenticated user %s\n", login);
++ return SMFIS_ACCEPT;
++ }
+
+ if(whitelisted(argv[0], 1)) {
+ logg("*Skipping scan for %s (whitelisted from)\n", argv[0]);
+ return SMFIS_ACCEPT;
+ }
+-
++
+ if(!(cf = (struct CLAMFI *)malloc(sizeof(*cf)))) {
+ logg("!Failed to allocate CLAMFI struct\n");
+ return FailAction;
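Review bot: The new `{auth_authen}` branch in clamfi_envfrom returns SMFIS_ACCEPT before any scanning state is allocated, so mail from a matching login is never sent to clamd, and the only record is a `*`-prefixed message, which as far as I know logg emits only in verbose mode. With default logging, unscanned mail relayed through a compromised or shared account therefore leaves no trace in the milter log. I would log the skip at the level used for the infected-message line, `logg("~Skipping scan for authenticated user %s\n", login);`, and state in the SkipAuthenticated documentation that the match should be kept to the accounts that really need it. `login` is also written to the log without the cleaning applied to the header fields. smtpauthed() is defined outside this hunk, so how the match is done cannot be checked from here.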
+@@ -518,6 +552,7 @@
+ cf->bufsz = 0;
+ cf->main = cf->alt = -1;
+ cf->all_whitelisted = 1;
++ cf->gotbody = 0;
+ cf->msg_subj = cf->msg_date = cf->msg_id = NULL;
+ smfi_setpriv(ctx, (void *)cf);
+
+--- clamav-milter/netcode.c
++++ clamav-milter/netcode.c
+@@ -129,7 +129,7 @@
+ close(s);
+ return -1;
+ }
+- if (getsockopt(s, SOL_SOCKET, SO_ERROR, &s_err, &s_len) || s_err) {
++ if(getsockopt(s, SOL_SOCKET, SO_ERROR, &s_err, &s_len) || s_err) {
+ logg("*Failed to establish a connection to clamd\n");
+ close(s);
+ return -1;
+@@ -163,8 +163,6 @@
+ tv.tv_usec = 0;
+ while(1) {
+ fd_set fds;
+- int s_err;
+- socklen_t s_len = sizeof(s_err);
+
+ FD_ZERO(&fds);
+ FD_SET(s, &fds);
+@@ -177,12 +175,10 @@
+ tv.tv_usec = 0;
+ continue;
+ }
+- logg("!Failed stream to clamd\n");
++ logg("!Failed to stream to clamd\n");
+ close(s);
+ return 1;
+ }
+- len-=s_len;
+- buf+=s_len;
+ break;
+ }
+ }
+--- clamav-milter/whitelist.c
++++ clamav-milter/whitelist.c
+@@ -25,8 +25,8 @@
+ #include