Hello community,

here is the log from the commit of package clamav for openSUSE:Factory checked in at 2018-01-28 20:32:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/clamav (Old)
 and      /work/SRC/openSUSE:Factory/.clamav.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "clamav" Sun Jan 28 20:32:09 2018 rev:90 rq:569980 version:0.99.3 Changes: -------- --- /work/SRC/openSUSE:Factory/clamav/clamav.changes 2017-11-29 10:54:23.332886685 +0100 +++ /work/SRC/openSUSE:Factory/.clamav.new/clamav.changes 2018-01-28 20:33:26.978815999 +0100 
@@ -1,0 +2,32 @@ +Fri Jan 26 15:19:33 UTC 2018 - [email protected] + +- Update to security release 0.99.3 (bsc#1077732) + * CVE-2017-12376 (ClamAV Buffer Overflow in handle_pdfname Vulnerability) + * CVE-2017-12377 (ClamAV Mew Packet Heap Overflow Vulnerability) + * CVE-2017-12379 (ClamAV Buffer Overflow in messageAddArgument Vulnerability) + - these vulnerabilities could have allowed an unauthenticated, + remote attacker to cause a denial of service (DoS) condition + or potentially execute arbitrary code on an affected device. + * CVE-2017-12374 (ClamAV use-after-free Vulnerabilities) + * CVE-2017-12375 (ClamAV Buffer Overflow Vulnerability) + * CVE-2017-12378 (ClamAV Buffer Over Read Vulnerability) + * CVE-2017-12380 (ClamAV Null Dereference Vulnerability) + - these vulnerabilities could have allowed an unauthenticated, + remote attacker to cause a denial of service (DoS) condition on an affected device. + * CVE-2017-6420 (bsc#1052448) + - this vulnerability allowed remote attackers to cause a denial of service + (use-after-free) via a crafted PE file with WWPack compression. + * CVE-2017-6419 (bsc#1052449) + - ClamAV allowed remote attackers to cause a denial of service + (heap-based buffer overflow and application crash) or possibly + have unspecified other impact via a crafted CHM file. + * CVE-2017-11423 (bsc#1049423) + - The cabd_read_string function in mspack/cabd.c in libmspack 0.5alpha + allowed remote attackers to cause a denial of service + (stack-based buffer over-read and application crash) via a crafted CAB file. + * CVE-2017-6418 (bsc#1052466) + - ClamAV 0.99.2 allowed remote attackers to cause a denial + of service (out-of-bounds read) via a crafted e-mail message. 
+- drop clamav-0.99.2-openssl-1.1.patch (upstream) + +------------------------------------------------------------------- Old: ---- clamav-0.99.2-openssl-1.1.patch clamav-0.99.2.tar.gz New: ---- clamav-0.99.3.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ clamav.spec ++++++ --- /var/tmp/diff_new_pack.t4kjQj/_old 2018-01-28 20:33:27.914772280 +0100 +++ /var/tmp/diff_new_pack.t4kjQj/_new 2018-01-28 20:33:27.918772093 +0100 @@ -1,7 +1,7 @@ # # spec file for package clamav # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -43,7 +43,7 @@ Summary: Antivirus Toolkit License: GPL-2.0 Group: Productivity/Security -Version: 0.99.2 +Version: 0.99.3 Release: 0 Url: http://www.clamav.net Obsoletes: clamav-db < 0.88.3 @@ -62,8 +62,6 @@ Patch3: clamav-gcc47.patch Patch4: clamav-disable-timestamps.patch Patch5: clamav-fix_newer_zlib.patch -# https://raw.githubusercontent.com/patch-exchange/openssl-1.1-transition/master/clamav/clamav-0.99.2-openssl-1.1.patch -Patch6: clamav-0.99.2-openssl-1.1.patch BuildRequires: systemd BuildRequires: systemd-rpm-macros %systemd_requires @@ -104,10 +102,6 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 -if pkg-config --atleast-version=1.1.0 libssl; then -%patch6 -p1 -autoreconf -i -f -fi %build CFLAGS="-fstack-protector" ++++++ clamav-0.99.2.tar.gz -> clamav-0.99.3.tar.gz ++++++ /work/SRC/openSUSE:Factory/clamav/clamav-0.99.2.tar.gz /work/SRC/openSUSE:Factory/.clamav.new/clamav-0.99.3.tar.gz differ: char 5, line 1 ++++++ clamav-disable-timestamps.patch ++++++ --- /var/tmp/diff_new_pack.t4kjQj/_old 2018-01-28 20:33:27.962770038 +0100 +++ /var/tmp/diff_new_pack.t4kjQj/_new 2018-01-28 20:33:27.962770038 +0100 
@@ -1,7 +1,7 @@ -Index: clamav-0.99.2/libclamav/tomsfastmath/misc/fp_ident.c +Index: clamav-0.99.3/libclamav/tomsfastmath/misc/fp_ident.c =================================================================== ---- clamav-0.99.2.orig/libclamav/tomsfastmath/misc/fp_ident.c -+++ clamav-0.99.2/libclamav/tomsfastmath/misc/fp_ident.c +--- clamav-0.99.3.orig/libclamav/tomsfastmath/misc/fp_ident.c 2018-01-26 16:31:35.516009696 +0100 ++++ clamav-0.99.3/libclamav/tomsfastmath/misc/fp_ident.c 2018-01-26 16:31:36.912029598 +0100 @@ -15,7 +15,11 @@ const char *fp_ident(void) memset(buf, 0, sizeof(buf)); @@ -27,10 +27,10 @@ if (sizeof(fp_digit) == sizeof(fp_word)) { strncat(buf, "WARNING: sizeof(fp_digit) == sizeof(fp_word), this build is likely to not work properly.\n", -Index: clamav-0.99.2/configure +Index: clamav-0.99.3/configure =================================================================== ---- clamav-0.99.2.orig/configure -+++ clamav-0.99.2/configure +--- clamav-0.99.3.orig/configure 2018-01-26 16:31:35.532009924 +0100 ++++ clamav-0.99.3/configure 2018-01-26 16:32:20.112645407 +0100 @@ -783,6 +783,7 @@ FGREP SED LIBTOOL 
@@ -47,16 +47,16 @@ enable_static enable_shared with_pic -@@ -1592,6 +1594,8 @@ Optional Features: - do not reject slow dependency extractors - --disable-dependency-tracking - speeds up one-time build +@@ -1591,6 +1593,8 @@ Optional Features: + --disable-dependency-tracking speeds up one-time build + --enable-dependency-tracking do not reject slow dependency extractors + --enable-static[=PKGS] build static libraries [default=no] + --enable-timestamps Enable embedding timestamp information in build + (default is YES) - --enable-static[=PKGS] build static libraries [default=no] --enable-shared[=PKGS] build shared libraries [default=yes] --enable-fast-install[=PKGS] -@@ -5163,6 +5167,26 @@ $as_echo "$ac_cv_safe_to_define___extens + optimize for fast installation [default=yes] +@@ -4967,6 +4971,26 @@ $as_echo "$ac_cv_safe_to_define___extens $as_echo "#define _TANDEM_SOURCE 1" >>confdefs.h @@ -82,4 +82,4 @@ +_ACEOF - VERSION="0.99.2" + VERSION="0.99.3"
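
Review bot: In the CVE-2017-11423 entry of the clamav.changes hunk, the flaw is attributed to cabd_read_string in mspack/cabd.c of libmspack 0.5alpha, but the entry does not say whether this package gets the fix from a libmspack copy inside the 0.99.3 tarball or relies on the distribution's libmspack. Suggest adding one line that states which applies, so anyone tracking bsc#1049423 can tell whether updating clamav alone closes it.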
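
Review bot: For the clamav-0.99.2.tar.gz -> clamav-0.99.3.tar.gz replacement, the Old/New file lists show only the tarball changing, with no detached signature next to it. If the spec does not already verify the source, and upstream publishes a signature for this release, suggest adding the signature and keyring as extra sources so the 0.99.3 tarball is checked before it is unpacked; "differ: char 5, line 1" is the only evidence of the new content visible in this mail.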
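
Review bot: In the last clamav.spec hunk (@@ -104,10 +102,6 @@), the context line CFLAGS="-fstack-protector" under %build is left unchanged in a release whose changelog lists several buffer overflows. Plain -fstack-protector only instruments functions that call alloca or hold buffers at or above the ssp-buffer-size threshold; consider -fstack-protector-strong here, unless the flags the distribution adds elsewhere in %build already provide it.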
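
Review bot: The refreshed clamav-disable-timestamps.patch still edits the generated configure script (Index: clamav-0.99.3/configure) rather than its autoconf source, and its hunk headers had to move from -1592/-5163 to -1591/-4967 for this release. Since the spec change in the same commit removes "autoreconf -i -f" from %prep, suggest either patching configure.ac and regenerating, or adding a spec comment that explains why configure is patched directly, so the --enable-timestamps hunks do not need a manual refresh at every version bump.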
