Hello community,

here is the log from the commit of package clamav for openSUSE:Factory checked in at 2020-07-17 20:54:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/clamav (Old)
 and /work/SRC/openSUSE:Factory/.clamav.new.3592 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "clamav" Fri Jul 17 20:54:14 2020 rev:108 rq:821532 version:0.102.4 Changes: -------- --- /work/SRC/openSUSE:Factory/clamav/clamav.changes 2020-05-12 22:39:37.132781774 +0200 +++ /work/SRC/openSUSE:Factory/.clamav.new.3592/clamav.changes 2020-07-17 20:54:52.901172603 +0200 
@@ -1,0 +2,24 @@ +Thu Jul 16 20:02:03 UTC 2020 - Arjen de Korte <[email protected]> + +- Update to 0.102.4 + * CVE-2020-3350: Fix a vulnerability wherein a malicious user could + replace a scan target's directory with a symlink to another path + to trick clamscan, clamdscan, or clamonacc into removing or moving + a different file (eg. a critical system file). The issue would + affect users that use the --move or --remove options for clamscan, + clamdscan, and clamonacc. + * CVE-2020-3327: Fix a vulnerability in the ARJ archive parsing + module in ClamAV 0.102.3 that could cause a Denial-of-Service + (DoS) condition. Improper bounds checking results in an + out-of-bounds read which could cause a crash. The previous fix for + this CVE in 0.102.3 was incomplete. This fix correctly resolves + the issue. + * CVE-2020-3481: Fix a vulnerability in the EGG archive module in + ClamAV 0.102.0 - 0.102.3 could cause a Denial-of-Service (DoS) + condition. Improper error handling may result in a crash due to a + NULL pointer dereference. This vulnerability is mitigated for + those using the official ClamAV signature databases because the + file type signatures in daily.cvd will not enable the EGG archive + parser in versions affected by the vulnerability. + +------------------------------------------------------------------- Old: ---- clamav-0.102.3.tar.gz clamav-0.102.3.tar.gz.sig New: ---- clamav-0.102.4.tar.gz clamav-0.102.4.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ clamav.spec ++++++ --- /var/tmp/diff_new_pack.LwE1tu/_old 2020-07-17 20:54:54.125173880 +0200 +++ /var/tmp/diff_new_pack.LwE1tu/_new 2020-07-17 20:54:54.125173880 +0200 @@ -19,7 +19,7 @@ %define clamav_check --enable-check %bcond_with clammspack Name: clamav -Version: 0.102.3 +Version: 0.102.4 Release: 0 Summary: Antivirus Toolkit License: GPL-2.0-only 
@@ -153,7 +153,7 @@ --with-system-libmspack %endif -make V=1 %?_smp_mflags +%make_build %install %make_install @@ -247,7 +247,7 @@ %service_add_pre clamd.service freshclam.service clamav-milter.service %post -systemd-tmpfiles --create %_tmpfilesdir/clamav.conf +%tmpfiles_create %_tmpfilesdir/clamav.conf %service_add_post clamd.service freshclam.service clamav-milter.service %preun ++++++ clamav-0.102.3.tar.gz -> clamav-0.102.4.tar.gz ++++++ /work/SRC/openSUSE:Factory/clamav/clamav-0.102.3.tar.gz /work/SRC/openSUSE:Factory/.clamav.new.3592/clamav-0.102.4.tar.gz differ: char 5, line 1 ++++++ clamav-disable-timestamps.patch ++++++ --- /var/tmp/diff_new_pack.LwE1tu/_old 2020-07-17 20:54:54.181173939 +0200 +++ /var/tmp/diff_new_pack.LwE1tu/_new 2020-07-17 20:54:54.181173939 +0200 @@ -82,4 +82,4 @@ +_ACEOF - VERSION="0.102.3" + VERSION="0.102.4"
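Review bot: In the clamav.changes hunk, the CVE-2020-3481 bullet is missing a relative pronoun: "Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 could cause" should read "... 0.102.3 that could cause", matching the wording of the CVE-2020-3327 bullet above it. None of the three CVE bullets carries a bug tracker reference next to the CVE id; if tracking bugs exist for these issues, add the references so the update can be tied to them. The entry also lists only the version update, while the same submission changes the %build and %post sections of clamav.spec; a one-line mention of the spec cleanup would make the changelog match the diff.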
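Review bot: In the clamav.spec hunk at line 153, the explicit V=1 is dropped when "make V=1 %?_smp_mflags" becomes "%make_build", so whether the build log still shows full compiler command lines now depends on how the macro is defined on each build target. Confirm that %make_build produces verbose output everywhere this spec is built, or keep the flag explicitly by writing "%make_build V=1". Verbose logs are what let a reviewer check that hardening flags actually reach the compiler.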
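Review bot: In the clamav.spec %post hunk at line 247, "%tmpfiles_create" is only expanded if the systemd RPM macros are present at build time, and the hunk shows no matching BuildRequires. An undefined macro is left literally in the scriptlet, which would then fail at install time. The surrounding %service_add_pre and %service_add_post calls suggest the macros are already pulled in, but check the spec header and confirm it before merging.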
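Review bot: In the clamav-disable-timestamps.patch hunk, the only change is the VERSION string carried inside the patch body ("0.102.3" to "0.102.4"), which means this patch must be refreshed by hand on every upstream release or it stops applying. If the part of the patch that disables timestamps does not depend on that line, consider regenerating it with less context so the version string is no longer included.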
