Hello Anjana, Ged,

I'm both grateful and embarrassed that you tracked this down. I believe the fault is mine.

We built 0.105.1-2, tested it, signed it, and even staged it on the website in preparation for release on Monday. However, the tiff project released an update on Saturday so we rebuilt/tested/signed the release files for 0.105.1-2 on Monday to get the tiff fixes in. I removed the old 0.105.1-2 release files from the website and uploaded the new ones*.

*I think this is where things went wrong. I double-checked my local files. The second set of packages for 0.105.1-2 does have the newer image-tiff version, but the one on the website does not. My best guess is that I simply re-uploaded the first set of packages from Friday instead of the ones from Monday.

With regard to the jpeg-decoder version update, it seems that the image library and image-tiff libraries still have the minimum required jpeg-decoder release set to the previous version. I am working with them now to update that so we can include the latest jpeg-decoder version.

I apologize for the mistake. We will publish another update to the 0.105.1 packages as soon as we're able to include the updates to both the tiff and jpeg libraries.

Regards,
Micah

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

________________________________
From: clamav-users <[email protected]> on behalf of G.W. Haywood via clamav-users <[email protected]>
Sent: Wednesday, November 2, 2022 6:03 AM
To: Anjana Patel via clamav-users <[email protected]>
Cc: G.W. Haywood <[email protected]>
Subject: Re: [clamav-users] version numbers of updated libraries in 0.105.1-2

Hi there,

On Wed, 2 Nov 2022, Anjana Patel via clamav-users wrote:

> During the build process of 0.105.1-2 on a RHEL7 system (installing
> from source) I noticed the following scroll up (I've only listed the
> two that are relevant) :
>
>    Compiling jpeg-decoder v0.2.6
>    Compiling tiff v0.7.3
>
> The email announcement said that the issues in the JPEG and TIFF
> libraries were resolved in image-tiff version 0.7.4 and jpeg-decoder
> version 0.3.0. I have double-checked that I had downloaded the
> correct tar file (clamav-0.105.1-2.tar.gz). Should I be seeing the
> later version numbers during the build?

Yes, I'd have thought so.

Micah says in his announcement that critical vulnerabilities exist in the 'jpeg-decoder' and 'tiff' rust libraries which are bundled with the source tarball for 0.105.1. He further says that these have been addressed in 0.105.1-2, and 1.0.0-rc.

I'm still unfamiliar with the new build system but so far I've found no evidence that the packages for the libraries in the tarballs have changed since 0.105.1:

8<----------------------------------------------------------------------
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/jpeg-decoder/ clamav-0.105.1-2/libclamav_rust/.cargo/vendor/jpeg-decoder/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/ clamav-0.105.1-2/libclamav_rust/.cargo/vendor/tiff/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/jpeg-decoder/ clamav-1.0.0-rc/libclamav_rust/.cargo/vendor/jpeg-decoder/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/ clamav-1.0.0-rc/libclamav_rust/.cargo/vendor/tiff/
$
8<----------------------------------------------------------------------

Here's the change log for example for jpeg-decoder bundled in 0.105.1-2:

8<----------------------------------------------------------------------
$ head clamav-0.105.1-2/libclamav_rust/.cargo/vendor/jpeg-decoder/CHANGELOG.md
# Change Log
All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/).

## v0.2.6 (2022-05-09)
- Another fix to allow usage in WASM target.
- Decoding in the WASM target is now actively tested in CI.

## v0.2.5 (2022-05-02)
8<----------------------------------------------------------------------

As you can see it's still at 0.2.6. Maybe we're missing something?

--

73,
Ged.
_______________________________________________ Manage your clamav-users mailing list subscription / unsubscribe: https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/Cisco-Talos/clamav-documentation https://docs.clamav.net/#mailing-lists-and-chat
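The check discussed in this thread can be scripted so that a stale upload is caught before building. The following is an added example, not part of any message above and not ClamAV project code: it reads each vendored crate's version from its `Cargo.toml` and compares it with the minimums named in the announcement (tiff 0.7.4, jpeg-decoder 0.3.0). It assumes the vendored `Cargo.toml` files carry a `[package]` table with a `version = "x.y.z"` key and that `sort -V` is available; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: check vendored Rust crate versions in an unpacked source tree.

crate_version() {
    # Print the version from the [package] table of $1/Cargo.toml, ignoring
    # the version keys that appear under dependency tables.
    awk '/^\[/ { in_pkg = ($0 == "[package]") }
         in_pkg && /^version[ \t]*=/ {
             gsub(/^version[ \t]*=[ \t]*"|".*$/, ""); print; exit
         }' "$1/Cargo.toml"
}

version_ge() {
    # True when $1 >= $2. Assumes a sort that supports -V (GNU coreutils).
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

check_vendor() {
    # $1 = vendor directory, remaining arguments = crate=minimum pairs.
    vendor=$1; shift; rc=0
    for req in "$@"; do
        name=${req%%=*}; min=${req#*=}
        have=$(crate_version "$vendor/$name" 2>/dev/null) || true
        if [ -z "$have" ]; then
            echo "MISSING $name (need >= $min)"; rc=1
        elif version_ge "$have" "$min"; then
            echo "OK      $name $have"
        else
            echo "STALE   $name $have (need >= $min)"; rc=1
        fi
    done
    return "$rc"
}

make_sample() {
    # Constructed stand-in for libclamav_rust/.cargo/vendor, carrying the
    # versions reported in the thread; example-dep is a made-up dependency.
    d=$(mktemp -d)
    mkdir -p "$d/tiff" "$d/jpeg-decoder"
    printf '[package]\nname = "tiff"\nversion = "0.7.3"\n\n[dependencies.example-dep]\nversion = "9.9.9"\n' >"$d/tiff/Cargo.toml"
    printf '[package]\nname = "jpeg-decoder"\nversion = "0.2.6"\n' >"$d/jpeg-decoder/Cargo.toml"
    echo "$d"
}

sample=$(make_sample)
check_vendor "$sample" tiff=0.7.4 jpeg-decoder=0.3.0 ||
    echo "vendored crates are older than the announced fixes"
```

Against a real tarball, pass the unpacked `libclamav_rust/.cargo/vendor` directory as the first argument instead of the sample tree.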
