[Pkg-clamav-devel] Accepted clamav 0.100.0~beta+dfsg-2 (source) into unstable

[Sebastian Andrzej Siewior]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 10 Mar 2018 14:43:43 +0100
Source: clamav
Binary: clamav-base clamav-docs clamav libclamav-dev libclamav7 clamav-daemon 
clamdscan clamav-testfiles clamav-freshclam clamav-milter
Architecture: source
Version: 0.100.0~beta+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: ClamAV Team 
Changed-By: Sebastian Andrzej Siewior 
Description:
 clamav - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 clamdscan  - anti-virus utility for Unix - scanner client
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav7 - anti-virus utility for Unix - library
Closes: 891195
Changes:
 clamav (0.100.0~beta+dfsg-2) unstable; urgency=medium
 .
   * Switch to pcre2 which is newer (Closes: #891195).
   * Cherry pick patches referenced in bb#11973 and bb#11980 to fix
 CVE-2018-0202.
   * Use compat level 11.
Checksums-Sha1:
 8711a068114c804cc32e7eaf44c59a2816f78a54 2999 clamav_0.100.0~beta+dfsg-2.dsc
 1dda6d44ff9a9f418f4d4dfee1ae3eaf03cc91f0 218068 
clamav_0.100.0~beta+dfsg-2.debian.tar.xz
 d47fea54b7ab79e432596918ea12d317412b0fd1 7499 
clamav_0.100.0~beta+dfsg-2_source.buildinfo
Checksums-Sha256:
 0713a1bf3b849c102eb05943e92aebbf8bedd8ad53b103a7542d1bd0797ec167 2999 
clamav_0.100.0~beta+dfsg-2.dsc
 64990ba31819faa276d1d532991ce2c0ec60fae5d80689c31ced15e4f4c8d28f 218068 
clamav_0.100.0~beta+dfsg-2.debian.tar.xz
 04677f76f5be7702de8eb25b91a5551debfb6f466b4f403bf926a7a6e2754b1d 7499 
clamav_0.100.0~beta+dfsg-2_source.buildinfo
Files:
 8491143c0a2249e4f48735c089b95251 2999 utils optional 
clamav_0.100.0~beta+dfsg-2.dsc
 9ec7c869ce66830f0d5fa625f0b37613 218068 utils optional 
clamav_0.100.0~beta+dfsg-2.debian.tar.xz
 dccde737173281f23aa5809a9c07b34f 7499 utils optional 
clamav_0.100.0~beta+dfsg-2_source.buildinfo

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEErHvQgQWZUb1RregAT+XjJihy5MwFAlqj5fEACgkQT+XjJihy
5Mz48RAAuXhAT5J2DCdlNkwdue3L8Q1lNFSs53yDHYh+yWZl32xR/S5bcFcpQ+wB
4+GUKDpC+GfqWtzJc7d9tdy4lfdl2GbVhukIvbUvx315IRVc4eRXmS2odnqP4HM7
uw0K9pz460XjpLeIqH6fcfsB7iIv1HZiPVaCxkXrxAXVFLQTYnkyaj/iznHvlC+2
3G+zao792v+baAWwU0Vck6XK1jmcmrtc8YvRf/cCHaPXBoDJDA8D3xuouYSoOGlo
KBJ8GKCS4av0MCJRaG8/a7+4kwdS+aDNYMqK/nI4eDJoVOV2mw3bOSokm7MFrKcs
kNilNFZhzzeBArvP2uqTpApPmjTXKVaGpIM7+JeSJEJsOffMAxDAhBaf0+VIwKWN
745gvKoRMJHIRhGsvvzBOQiDghtbZQufzCuZof8S/gZYpp6Ww8PWulVGyTwdt4l/
w9crsxzjvEHuVF3MqNivyNCkC9sL9Q5nACOYeUk7Yc+lF21mjC9hPFkQJMTnIsnB
TaBW1dzLnf6fDeJa4vZs7SGAaRpnZw+Fx/0VnJWLvqVWgo7ZKrCx7zQi2hOdZ46m
l3SFqTaTv2mPZAEPlOMd71n9rXhjKyPmZ9lmlEm+6AsKCEoreO2iq6xIfqUjSNPo
2JXLLZuhOsR7mW64aJwKQJ4gJTrNx2GMngKACXtm3BjAJoiLuH4=
=XE+p
-END PGP SIGNATURE-


___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] Wheezy update of clamav?

[Sebastian Andrzej Siewior]

On 2018-03-09 11:45:58 [+0100], Santiago R.R. wrote:
> Hi,
> 
> El 02/03/18 a las 23:36, Sebastian Andrzej Siewior escribió:
> > On 2018-03-02 02:19:04 [+], Scott Kitterman wrote:
> > > Conveniently, upstream just released 0.99.4 that addresses this and some 
> > > other issues.  I'd suggest you let us get that into stable/oldstable 
> > > first.
> > 
> > I will try to get to this around SA/SO for Stretch/Jessie. There are 5
> > CVEs in total (not just the one you (the LTS team) mentioned).
> 
> Just to be sure, the new upstream release should be used to fix the
> issues in wheezy too?

We do this (update to current ClamAV version) for the supported Debian
releases. I recommend to do this for the LTS version, too. Besides clamav
you should have a look at libclamunrar which is non-free.
Upstream is historically seen bad at documenting security related fixes.
This may have improved now but I wouldn't take it for granted. In the
past the reporter had to ask for CVE numbers and do the process of
documenting. It was possible that the "fix" contained a follow-up fix
(or multiple) which were not documented in the bugzilla entry.
There were fixes of the same importance (found by a fuzzer and the
fuzzed file crashed clamav) but didn't get a CVE number assigned and
would have otherwise been ignored by your security upload. I could give
you examples of each kind (and I don't need to go far behind in history,
0.99.3 has a few examples already).
The part that the engine may ignore signatures because they require a
newer engine is just the tip of the ice berg :)

> Should I include a file in security-tracker's packages/ directory to
> describe that the way to address issues is by updating complete upstream
> releases?
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888484#80

Clamav was updated via volatile in the past. This moved to
stable/updates now. The security team is not comfortable with
security related changes and new features all-in-one release. Since I
am involved, the updates were always via stable which included a full
upstream release. There was one or two exceptions where we first picked
up a few security related fixes and then pushed the complete release.

> Cheers,
> 
> S

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Accepted clamav 0.99.4+dfsg-1+deb8u1 (source all) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates

[Sebastian Andrzej Siewior]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 03 Mar 2018 13:54:29 +0100
Source: clamav
Binary: clamav-base clamav-docs clamav-dbg clamav libclamav-dev libclamav7 
clamav-daemon clamdscan clamav-testfiles clamav-freshclam clamav-milter
Architecture: source all
Version: 0.99.4+dfsg-1+deb8u1
Distribution: jessie
Urgency: medium
Maintainer: ClamAV Team 
Changed-By: Sebastian Andrzej Siewior 
Description:
 clamav - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-dbg - debug symbols for ClamAV
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 clamdscan  - anti-virus utility for Unix - scanner client
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav7 - anti-virus utility for Unix - library
Changes:
 clamav (0.99.4+dfsg-1+deb8u1) jessie; urgency=medium
 .
   * Update to upstream 0.99.4:
 Fixes for CVE: CVE-2018-185, CVE-2018-0202.
   * Update the gpg signing key (the old DSA expired).
   * Update version of private symbols due to version change.
   * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
Checksums-Sha1:
 5d9377edd513f3b7dfc70c076fe1790b1de23354 3138 clamav_0.99.4+dfsg-1+deb8u1.dsc
 23cadbfe81de0cf837260fa4492fdc05c01ec6ae 5676520 clamav_0.99.4+dfsg.orig.tar.xz
 cc8d9ce61cd720d1a7aefc9a2e7fcf5dfc9dd046 247620 
clamav_0.99.4+dfsg-1+deb8u1.debian.tar.xz
 aa18f907f197cebdba80ea8432505a14e36249df 294300 
clamav-base_0.99.4+dfsg-1+deb8u1_all.deb
 27f163b13e757ce64b4ebb1d5f960da36c7742be 1256234 
clamav-docs_0.99.4+dfsg-1+deb8u1_all.deb
 fe44737521dbb006e320bcb963f35c9b892da5bf 3110724 
clamav-testfiles_0.99.4+dfsg-1+deb8u1_all.deb
Checksums-Sha256:
 98ef5fa0ac900a2bf2ecb819e2cabc9c155b7e36a85086c0ab583ac8a942bff8 3138 
clamav_0.99.4+dfsg-1+deb8u1.dsc
 1d46d687aee7fd7cbbd578f06966444d9ddf918d79b14e3df743683b40522b19 5676520 
clamav_0.99.4+dfsg.orig.tar.xz
 9d3ebec5a1ae3140fa999d487c3a472201ef4b273b894d5d603d42fb82edc23f 247620 
clamav_0.99.4+dfsg-1+deb8u1.debian.tar.xz
 79f43e3a40cb5b3936888295135e2aee6cf21e30434d6a80cbef34ac27b07439 294300 
clamav-base_0.99.4+dfsg-1+deb8u1_all.deb
 ba2be8a93d4ab6a5ca960a91e6a88d18a84905a534a2f621ff09a2f122ecc4dd 1256234 
clamav-docs_0.99.4+dfsg-1+deb8u1_all.deb
 ed26d8cf55e4f2a71671dfb661f811eb5b3ba0158852a320cee9d36c3cae166a 3110724 
clamav-testfiles_0.99.4+dfsg-1+deb8u1_all.deb
Files:
 5a2e8f8b1f3e6a97a5b485ca56bf6220 3138 utils optional 
clamav_0.99.4+dfsg-1+deb8u1.dsc
 09554997c6480eeb1ef6f58a619b0a12 5676520 utils optional 
clamav_0.99.4+dfsg.orig.tar.xz
 9b765a20fa5d0b3db14daf75c0aa922f 247620 utils optional 
clamav_0.99.4+dfsg-1+deb8u1.debian.tar.xz
 14adc6dce7fccb08571c2b85d1bbfb1b 294300 utils optional 
clamav-base_0.99.4+dfsg-1+deb8u1_all.deb
 c974a944bb3ab307caf521b373a77ca5 1256234 doc optional 
clamav-docs_0.99.4+dfsg-1+deb8u1_all.deb
 63b21c5cf328992de00a912879f1595a 3110724 utils optional 
clamav-testfiles_0.99.4+dfsg-1+deb8u1_all.deb

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEErHvQgQWZUb1RregAT+XjJihy5MwFAlqa4UkACgkQT+XjJihy
5MyCiBAAj9w2UDIkiYB5TKJ+vB6o2oLTOSmI/mgEKiO3Y2oL91CEnWZ0DpRNgVY+
iqgzg8sKAAfQcx6sPLvXYB8cSnRNCimkm8j1Zrep3oV14FgBYGzB7kxYuS27DIEJ
61KXTatP2RYCiAzkvktZ5Vi6wpQQXyhQ9m1zzq9Ncp6YUYWe2LJmL8yRWP4QUQGl
jhNYh6DbrCXpbSHhUZKZzuhHAxCMsggmi9CyPR+L8CmbJ4NBAAiWeFJ5mifVkhEM
ze3e8IoOoammOV0YY1fETQDo4v76tthrOWExUAzGxII7Rky5NPcpL0i2cqLvYdon
i3lyJlgy+P6MlaaOmxAerqM0JUb9Ct8pDp6mws8A6DF6Mdyw5L02nhssbKXfp3Gt
koiZy3dTYse6PKhr6XSPCCBgwBHvuMlVwOXej+4Yy71optGzLfYvzIj5ziAlUnDJ
MOBGfzvGZMmG8EmJzP3P/3FDZGdlWeF1FpmYktiAXjIfG6cWbHHYqlWtu0bGkMGN
L01FTJNB33J2/IhwgUUHOjUyZW0mGuBPR3NMKls8eSwEbLkyGso2qZdbjCScN4v/
LsQgJV7T5YSGORHQX9Qno6L+dISV9Q8Z8hPctn4I2NYaYRxhsAkbirVhvocrMNyW
lYoJlk4/cTKTFTJ9sfkAwZ2OrQyvSHM/BM19Dp1x4CTRi40NRck=
=fmM4
-END PGP SIGNATURE-


___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Accepted clamav 0.99.4+dfsg-1+deb9u1 (source) into proposed-updates->stable-new, proposed-updates

[Sebastian Andrzej Siewior]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sat, 03 Mar 2018 12:15:58 +0100
Source: clamav
Binary: clamav-base clamav-docs clamav libclamav-dev libclamav7 clamav-daemon 
clamdscan clamav-testfiles clamav-freshclam clamav-milter
Architecture: source
Version: 0.99.4+dfsg-1+deb9u1
Distribution: stretch
Urgency: medium
Maintainer: ClamAV Team 
Changed-By: Sebastian Andrzej Siewior 
Description:
 clamav - anti-virus utility for Unix - command-line interface
 clamav-base - anti-virus utility for Unix - base package
 clamav-daemon - anti-virus utility for Unix - scanner daemon
 clamav-docs - anti-virus utility for Unix - documentation
 clamav-freshclam - anti-virus utility for Unix - virus database update utility
 clamav-milter - anti-virus utility for Unix - sendmail integration
 clamav-testfiles - anti-virus utility for Unix - test files
 clamdscan  - anti-virus utility for Unix - scanner client
 libclamav-dev - anti-virus utility for Unix - development files
 libclamav7 - anti-virus utility for Unix - library
Changes:
 clamav (0.99.4+dfsg-1+deb9u1) stretch; urgency=medium
 .
   * Update to upstream 0.99.4:
 Fixes for CVE: CVE-2018-185, CVE-2018-0202.
   * Update the gpg signing key (the old DSA expired).
   * Update version of private symbols due to version change.
   * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
Checksums-Sha1:
 5a971a343d4045769b8ce226d515328ed04535ed 3075 clamav_0.99.4+dfsg-1+deb9u1.dsc
 23cadbfe81de0cf837260fa4492fdc05c01ec6ae 5676520 clamav_0.99.4+dfsg.orig.tar.xz
 1c9a0f38a4b163bf89672a9898ec09798944ceb5 255924 
clamav_0.99.4+dfsg-1+deb9u1.debian.tar.xz
 caccc8c3ef86f690b0dd47db073539f6dc4bf4d0 11559 
clamav_0.99.4+dfsg-1+deb9u1_amd64.buildinfo
Checksums-Sha256:
 d194d6951486ef5d41562d2522ad8fd6267dff38d486111e47cf9ec07a82b3d1 3075 
clamav_0.99.4+dfsg-1+deb9u1.dsc
 1d46d687aee7fd7cbbd578f06966444d9ddf918d79b14e3df743683b40522b19 5676520 
clamav_0.99.4+dfsg.orig.tar.xz
 c92a4f56d52bd940a69de8d23436383fa552619c459e838ea7d6ad801926477f 255924 
clamav_0.99.4+dfsg-1+deb9u1.debian.tar.xz
 5639712483196fa48d55a0233ffbdfa2b640a19749fa882a6df93ed60437f81c 11559 
clamav_0.99.4+dfsg-1+deb9u1_amd64.buildinfo
Files:
 ac38081441f17dc70712f0f96282cd05 3075 utils optional 
clamav_0.99.4+dfsg-1+deb9u1.dsc
 09554997c6480eeb1ef6f58a619b0a12 5676520 utils optional 
clamav_0.99.4+dfsg.orig.tar.xz
 3df6d49fde7c5916e2abf39650f64a36 255924 utils optional 
clamav_0.99.4+dfsg-1+deb9u1.debian.tar.xz
 db43789941fdb842e0de49dd4a840e15 11559 utils optional 
clamav_0.99.4+dfsg-1+deb9u1_amd64.buildinfo

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEErHvQgQWZUb1RregAT+XjJihy5MwFAlqa4LQACgkQT+XjJihy
5MwCkRAAuselOLd98WUd9/SPil/jmaf51DAdEGNXoM1RASI3vry3Z3qq50nmchSM
NhjaDa6+uUnpAdxeimJfrQv4N+txmQ/wlPBkMQ8hetje8svPo71WRTa4Xx5ErNw8
QwgXAX0pJCseO1Zspl30nHbX5KKxc9np+gQdThmXnAP6VM4pf9N/sJt/c+221Y9R
NqMZ4TRckW6kVAgNYydLNpEBS+yyQf/PIV3HE7Zjp3l+EAJ4EtqlMgE4nHTyA6qg
A3k5vUXdnyM+i8rjB6eLkbozjDF8OFczdMt4AwW0Laap+F2VhcakK83DItZN5Llc
AypDwA2RRSd6TiuNjnbVC0tTy/2dMidrUf9vtvR6j7SjGyZ0HXYN9lzOncKtK5QD
54NeND4YqDQR6+4MdHIY76bXREqu3duL4CZtg0Ubn6lTMC9B9v2ZISuLg9PQv+6z
rtbJg5lscXgsu+htu4Ix0/KGCme4fKUnE2BPCrlZIlrw9iUm+qw3eHtngaZBUjDX
jJd+0N75OYDpdKKtDsoHLlyvdlP2mpDAasLgDBqvJefBKZ//tvJIR2RFaP06K/wk
jteGBetOKXB1ECayyu/Oqzo0je1D2EP4hWWWtYLd3sEv4FSmCOpRmcL25ynIqu5H
GBBvQ/szFpHKHyoEkXy87Lou9KFfbR/RVvFKJmBp3uzfVGT1yXE=
=RQWW
-END PGP SIGNATURE-


___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] Wheezy update of clamav?

[Sebastian Andrzej Siewior]

On 2018-03-02 02:19:04 [+], Scott Kitterman wrote:
> Conveniently, upstream just released 0.99.4 that addresses this and some 
> other issues.  I'd suggest you let us get that into stable/oldstable first.

I will try to get to this around SA/SO for Stretch/Jessie. There are 5
CVEs in total (not just the one you (the LTS team) mentioned).

> Scott K

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] Wheezy update of clamav?

[Sebastian Andrzej Siewior]

On 2018-02-28 16:47:47 [-0500], Antoine Beaupre wrote:
> Dear maintainer(s),
Hi,

> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of clamav:
> 
> https://security-tracker.debian.org/tracker/CVE-2018-185

interresting. So that one is fixed in the beta but not in the stable
release including Stretch/Jessie.

> Would you like to take care of this yourself?
No but thank your for letting us know that this one is still missing. I
will try to take care of this Stretch/Jessie. Is this the only one
missing?

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#891195: Bug#891195: Please switch to pcre2

[Sebastian Andrzej Siewior]

On 2018-02-23 11:30:34 [+0100], Laurent Bigonville wrote:
> Hi,
> 
> It seems that clamav support both (old) pcre and (new) pcre2
> 
> Any reasons why clamav is still depending on this old version? Shouldn't
> it be switched to the new one?

I wanted to reply earler but didn't make it…
So clamav is using pcre and I wasn't aware of pcre2 until now. So if the
plan is a transition and pcre2 is working like pcre but is newer then
yes, I have no problem with switching to it.
I will try to test things first :)

> Kind regards,
> 
> Laurent Bigonville

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#888484: Bug#888484: Processed (with 1 error): Re: Bug#888484: clamav: Security release 0.99.3 available

[Sebastian Andrzej Siewior]

On 27 January 2018 15:30:45 CET, Salvatore Bonaccorso  wrote:
>So "the remaining CVEs were not address yet" part.
>
I was referring to the Stretch release. The fd bug is fixed but not the CVEs.
In the meantime I opened pu bugs for stable and oldstable.


Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#888553: jessie-pu: package clamav/0.99.2+dfsg-0+deb8u2

[Sebastian Andrzej Siewior]

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

Clamav released 0.99.3. Recently upstream decided to release 0.99.2.1 as
a security hostfix release only. However they then decided not to use a
four digit version but three as usually and so the security hotfix is
now 0.99.3.
In unstable we have 0.99.3~beta2 which was a pre-release of the upcomming
0.99.3 before they decided to release a security fix. So in unstable we
have a "beta2" which contains all the security fixes which are part of
their final 0.99.3 release.
Instead reverting all that stuff I prepared for the 0.99.3 I backported
the delta from 0.99.2..0.99.3 and prepared an incremental 0.99.2 release
for Jessie [0]. Clamav itself identifies as 0.99.3 because otherwise it
will complain about being too old.
I synced the queue with Stretch. One patch (which is new) the one
addressing upstream bug#11549 [1] which triggered today. Upstream forgot
to include it in their 0.99.3 release and I had it already in
0.99.2+dfsg-5 (as of Stretch). While upstream claims that this won't
happen again with *their* signatures, it might happen with
others/community and it *did* trigger earlier [2].

Please find attached a debdiff. The official announcement is at [3].
If you prefer another way of dealing with this please let me know.

[0] A second pair of eyes wouldn't hurt, after all it is 2am here.
[1] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html
[2] https://bugs.debian.org/824196
[3] http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

Sebastian
diff -Nru clamav-0.99.2+dfsg/debian/changelog clamav-0.99.2+dfsg/debian/changelog
--- clamav-0.99.2+dfsg/debian/changelog	2016-06-06 23:23:31.0 +0200
+++ clamav-0.99.2+dfsg/debian/changelog	2018-01-27 01:29:24.0 +0100
@@ -1,3 +1,15 @@
+clamav (0.99.2+dfsg-0+deb8u3) jessie; urgency=medium
+
+  * Apply security patches from 0.99.3 (Closes: #888484):
+- fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420,
+  CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
+  CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
+  * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
+  * Cherry-pick patch from bb11549 to fix a temp file cleanup issue
+(Closes: #824196).
+
+ -- Sebastian Andrzej Siewior   Sat, 27 Jan 2018 01:29:24 +0100
+
 clamav (0.99.2+dfsg-0+deb8u2) stable; urgency=medium
 
   * Don't fail if AllowSupplementaryGroups is still set in the config file but
diff -Nru clamav-0.99.2+dfsg/debian/.git-dpm clamav-0.99.2+dfsg/debian/.git-dpm
--- clamav-0.99.2+dfsg/debian/.git-dpm	2016-06-06 22:10:43.0 +0200
+++ clamav-0.99.2+dfsg/debian/.git-dpm	2018-01-27 01:27:48.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-279c06a817c13eb22dc3ade949ea8b4a8aea9825
-279c06a817c13eb22dc3ade949ea8b4a8aea9825
+f77af4292400e7652f3cc358933d3b79adf9432e
+f77af4292400e7652f3cc358933d3b79adf9432e
 48a96d2a3f0f4aca12f39f62a53fe1671a6e15a2
 48a96d2a3f0f4aca12f39f62a53fe1671a6e15a2
 clamav_0.99.2+dfsg.orig.tar.xz
diff -Nru clamav-0.99.2+dfsg/debian/libclamav7.symbols clamav-0.99.2+dfsg/debian/libclamav7.symbols
--- clamav-0.99.2+dfsg/debian/libclamav7.symbols	2016-05-19 18:40:20.0 +0200
+++ clamav-0.99.2+dfsg/debian/libclamav7.symbols	2018-01-27 01:28:11.0 +0100
@@ -63,7 +63,7 @@
  cl_load_cert@CLAMAV_PRIVATE 0.99.2
  cl_load_crl@CLAMAV_PRIVATE 0.99.2
  cl_retdbdir@CLAMAV_PUBLIC 0.99~rc1
- cl_retflevel@CLAMAV_PUBLIC 0.99.1
+ cl_retflevel@CLAMAV_PUBLIC 0.99.2+dfsg-6+deb9u1
  cl_retver@CLAMAV_PUBLIC 0.99~rc1
  cl_scandesc@CLAMAV_PUBLIC 0.99~rc1
  cl_scandesc_callback@CLAMAV_PUBLIC 0.99~rc1
diff -Nru clamav-0.99.2+dfsg/debian/patches/b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch clamav-0.99.2+dfsg/debian/patches/b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch
--- clamav-0.99.2+dfsg/debian/patches/b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch	1970-01-01 01:00:00.0 +0100
+++ clamav-0.99.2+dfsg/debian/patches/b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch	2018-01-27 01:27:48.0 +0100
@@ -0,0 +1,75 @@
+From a0b8b7e0408029869fbb85353d9f53d3347e20e7 Mon Sep 17 00:00:00 2001
+From: Micah Snyder 
+Date: Sun, 29 Oct 2017 17:35:00 -0400
+Subject: b11939: adding fix as recommended by bug reporter along with a couple
+ extra lines to ensure freed pointers are set to NULL.
+
+Patch-Name: b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch
+---
+ libclamav/mbox.c|  2 +-
+ libclamav/message.c |  4 +++-
+ libclamav/text.c| 10 +++---
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/libclamav/mbox.c b/libclamav/mbox.c
+index 96bdbd2..8e48bb7 100644
+--- a/libclamav/mbox.c
 b/libclamav/mbox.c
+@@ -2067,7 +2067,7 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re
+  * bother saving to scan, it

[Pkg-clamav-devel] Bug#888552: stretch-pu: package clamav/0.99.2+dfsg-6+b1

[Sebastian Andrzej Siewior]

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: stretch
Severity: normal

Clamav released 0.99.3. Recently upstream decided to release 0.99.2.1 as
a security hostfix release only. However they then decided not to use a
four digit version but three as usually and so the security hotfix is
now 0.99.3. 
In unstable we have 0.99.3~beta2 which was a pre-release of the upcomming
0.99.3 before they decided to release a security fix. So in unstable we
have a "beta2" which contains all the security fixes which are part of
their final 0.99.3 release.
Instead reverting all that stuff I prepared for the 0.99.3 I backported
the delta from 0.99.2..0.99.3 and prepared an incremental 0.99.2 release
for Stretch [0]. Clamav itself identifies as 0.99.3 because otherwise it
will complain about being too old.

Please find attached a debdiff. The official announcement is at [1].
If you prefer another way of dealing with this please let me know.

[0] A second pair of eyes wouldn't hurt, after all it is 2am here.
[1] http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html

Sebastian
diff -Nru clamav-0.99.2+dfsg/debian/changelog clamav-0.99.2+dfsg/debian/changelog
--- clamav-0.99.2+dfsg/debian/changelog	2017-02-04 21:54:51.0 +0100
+++ clamav-0.99.2+dfsg/debian/changelog	2018-01-27 00:33:28.0 +0100
@@ -1,3 +1,13 @@
+clamav (0.99.2+dfsg-6+deb9u1) stretch; urgency=medium
+
+  * Apply security patches from 0.99.3 (Closes: #888484):
+- fixes for the following CVE's: CVE-2017-6418, CVE-2017-6420,
+  CVE-2017-12374, CVE-2017-12375, CVE-2017-12376, CVE-2017-12377,
+  CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
+   * Bump symbol version of cl_retflevel because CL_FLEVEL changed.
+
+ -- Sebastian Andrzej Siewior   Sat, 27 Jan 2018 00:33:28 +0100
+
 clamav (0.99.2+dfsg-6) unstable; urgency=medium
 
   * Fix detection of curl. Patch by Reiner Herrmann 
diff -Nru clamav-0.99.2+dfsg/debian/.git-dpm clamav-0.99.2+dfsg/debian/.git-dpm
--- clamav-0.99.2+dfsg/debian/.git-dpm	2017-01-30 21:27:33.0 +0100
+++ clamav-0.99.2+dfsg/debian/.git-dpm	2018-01-27 00:30:29.0 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-4a07f7933aad6b3f3e533fa69e5401d82415b319
-4a07f7933aad6b3f3e533fa69e5401d82415b319
+6d775ed287a80b1a7e26cff79a2519982267c66f
+6d775ed287a80b1a7e26cff79a2519982267c66f
 48a96d2a3f0f4aca12f39f62a53fe1671a6e15a2
 48a96d2a3f0f4aca12f39f62a53fe1671a6e15a2
 clamav_0.99.2+dfsg.orig.tar.xz
diff -Nru clamav-0.99.2+dfsg/debian/libclamav7.symbols clamav-0.99.2+dfsg/debian/libclamav7.symbols
--- clamav-0.99.2+dfsg/debian/libclamav7.symbols	2017-01-30 21:27:31.0 +0100
+++ clamav-0.99.2+dfsg/debian/libclamav7.symbols	2018-01-27 00:33:28.0 +0100
@@ -63,7 +63,7 @@
  cl_load_cert@CLAMAV_PRIVATE 0.99.2
  cl_load_crl@CLAMAV_PRIVATE 0.99.2
  cl_retdbdir@CLAMAV_PUBLIC 0.99~rc1
- cl_retflevel@CLAMAV_PUBLIC 0.99.1
+ cl_retflevel@CLAMAV_PUBLIC 0.99.2+dfsg-6+deb9u1
  cl_retver@CLAMAV_PUBLIC 0.99~rc1
  cl_scandesc@CLAMAV_PUBLIC 0.99~rc1
  cl_scandesc_callback@CLAMAV_PUBLIC 0.99~rc1
diff -Nru clamav-0.99.2+dfsg/debian/patches/b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch clamav-0.99.2+dfsg/debian/patches/b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch
--- clamav-0.99.2+dfsg/debian/patches/b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch	1970-01-01 01:00:00.0 +0100
+++ clamav-0.99.2+dfsg/debian/patches/b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch	2018-01-27 00:30:30.0 +0100
@@ -0,0 +1,75 @@
+From c9bcbeb72bd8966bec18e5c3ad8efd0409e712c5 Mon Sep 17 00:00:00 2001
+From: Micah Snyder 
+Date: Sun, 29 Oct 2017 17:35:00 -0400
+Subject: b11939: adding fix as recommended by bug reporter along with a couple
+ extra lines to ensure freed pointers are set to NULL.
+
+Patch-Name: b11939-adding-fix-as-recommended-by-bug-reporter-alo.patch
+---
+ libclamav/mbox.c|  2 +-
+ libclamav/message.c |  4 +++-
+ libclamav/text.c| 10 +++---
+ 3 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/libclamav/mbox.c b/libclamav/mbox.c
+index 96bdbd2..8e48bb7 100644
+--- a/libclamav/mbox.c
 b/libclamav/mbox.c
+@@ -2067,7 +2067,7 @@ parseEmailBody(message *messageIn, text *textIn, mbox_ctx *mctx, unsigned int re
+  * bother saving to scan, it's safe
+  */
+ saveIt = (bool)(encodingLine(mainMessage) != NULL);
+-			else if((t_line = encodingLine(mainMessage)) != NULL) {
++			else if(mainMessage->body_last != NULL && (t_line = encodingLine(mainMessage)) != NULL) {
+ /*
+  * Some bounces include the message
+  * body without the headers.
+diff --git a/libclamav/message.c b/libclamav/message.c
+index 3856bfe..8afe800 100644
+--- a/libclamav/message.c
 b/libclamav/message.c
+@@ -1068,8 +1068,10 @@ messageMoveText(message *m, text *t, message *old_message)
+ 			for(u = old_message->body_first; u != t;) {
+ text *

[Pkg-clamav-devel] Bug#888484: clamav: Security release 0.99.3 available

[Sebastian Andrzej Siewior]

control: fixed -1  0.99.3~beta2+dfsg-1

On 2018-01-26 09:35:25 [+], Rob N wrote:
> Package: clamav
> Version: 0.99.2+dfsg-0+deb8u2
> Severity: important
> 
> 0.99.3 has been released, see 
> http://blog.clamav.net/2018/01/clamav-0993-has-been-released.html.
> 
> This fixed a number of overflow bugs, each of which has assigned CVE numbers
> due to the potential for denial of service.
> 
> We've have started seeing unexpected clamd crashes on a high-traffic mail
> system today, though I've been unable to isolate a test case. It's seems like
> too much of a coincidence that these crashes start happening the day after a
> security release was announced. We've implemented mitigations but an updated
> package would be even better.

I *think* the crashes you obsereved might be due to FD desc issue. This
was fixed in Stretch by chance but not in Jessie. However the remaining
CVEs were not addressed yet and I'm looking into it…

[0] http://blog.clamav.net/2018/01/update-on-recent-file-descriptors-issue.html

> Cheers!
> Rob N.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] [Clamav-binary] New ClamAV Package

[Sebastian Andrzej Siewior]

On 2018-01-22 13:40:52 [+], Joel Esler (jesler) wrote:
> Just a heads up to all binary maintainers.  We will be performing a security 
> release of ClamAV this week (planning for Wednesday at the latest).
> 
> Tentatively, unless decided otherwise between now and Wednesday, we are 
> planning on this release version being named 0.99.2.1. Please let us know if 
> this will cause any problems by writing back on the list.

Works here. I have the latest beta2 in Debian unstable. Are there any
security related fixes on top beta2 or is everything already somewhere
between 0.99.2 and 0.99.3-beta2 that is now cherry-picked into 0.99.2.1
?
> Thank you!

Sebastioan
___
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-binary
http://www.clamav.net/contact.html#ml

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#887273: Bug#887273: havp should depend on e2fsprogs explicitly

[Sebastian Andrzej Siewior]

On 19 January 2018 16:05:25 CET, Andreas Henriksson  wrote:
>Would be great to hear from
>the maintainer if complicating the config/templates part is worth
>it to avoid the Depends on e2fsprogs!

Nope,   I don't think so. I planned to add a depends on e2fsrogs.

>Regards,
>Andreas Henriksson


Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] Bug#884707: apparmor breaks clamdscan

[Sebastian Andrzej Siewior]

On 2018-01-07 14:59:54 [+0100], intrigeri wrote:
> Hi,
Hi,

> Francois Gouget:
> /etc/apparmor.d/usr.sbin.clamd profile, then.
> 
> > So here is my feedback on the current configuration: […]
> 
> Thanks for thinking this through. I'm not knowledgeable with ClamAV so
> I'll stick to general comments and recommendations based on my
> experience maintaining AppArmor support in Debian and Tails.
> I'll leave it to the ClamAV maintainers to decide what they think is
> best for Debian and its users.
> 
> Some more data points for context:
> 
>  * Ubuntu has been shipping this AppArmor profile since April, 2009.

I think we included it on their request.

>  * In the Ubuntu bug tracker I see exactly one AppArmor-related bug:
>https://bugs.launchpad.net/ubuntu/+source/clamav/+bug/1659223

this does not look related to this bug.

>  * Since AppArmor has been enabled by default in Debian testing/sid
>(mid-November, 2017) one single user reported a regression caused
>by this change with clamd.
>
> So with my AppArmor in Debian maintainer hat, I would find it
> reasonable if the clamav-daemon maintainers decided to leave it as-is,
> possibly improving a little bit the existing documentation in
> README.Debian to provide better guidance to power-users whose use case
> is not supported by the current AppArmor policy. I'm happy to help
> with the latter part if needed.

So looking at this I think it is just fine. clamd should only access
specific files which includes files from postfix & exim spool
directories. By allowing accessing everything it kind of defeats its
purpose (however I am not sure how that $HOME rule works).
The rules file ends with
| # Site-specific additions and overrides. See local/README for details.
| #include 

Maybe if you could provide some info how to add a local rule to enable
clamd to read everything, that would be nice.

> > * Use 'clamdscan --fdpass'. This completely bypasses the apparmor profile. 
> >   What are the security implications of that? As far as I can tell it's 
It does not completely bypass the the profile because the profile does
not forbid fd-passing. It could :). So clamd it not allowed to open
random files on its own but it can open any file that the user (at the
other end of the socket) is able to.

> >   not possible to reopen an existing fd with different access bits so 
> >   if clamdscan opens the file to be scanned in read-only mode, then clamd 
> >   should not be able to write to it. So why not make --fdpass the default?
>
> I'm not knowledgeable enough wrt. ClamAV to have an informed opinion
> on this idea but I find it interesting :)

If you want to have it used / enabled by default then I could ask
upstream what they do think about it.
From the build logs, fdpassing is supported on linux & kfreebsd so it
should work everywhere within Debian.
 
> Cheers,

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#882323: Bug#882323: clamav-freshclam: fails to upgrade

[Sebastian Andrzej Siewior]

On 2017-11-21 14:21:32 [+0100], Christoph Anton Mitterer wrote:
> Hi.
Hi,

> With the lastest version the package fails to upgrade:
sorry for that. Not sure why I didn't catch this during testing. Fix is
comming… This is mostly a note to myself that I need to ping the systemd
people and figure out if this is a update-rc.d bug or not.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#873401: clamav: Please update to llvm-toolchain 4.0 or, better, 5.0

[Sebastian Andrzej Siewior]

control: tags -1 pending

On 2017-08-27 15:53:03 [+0200], Sylvestre Ledru wrote:
> Hello,
Hi,

> Currently, we have 6 versions of the llvm toolchain in the archive.
> I would like to move to 3 versions (4.0, 5.0 and snapshot, aka 6.0)
> 
> Could you please update your package to use 4.0 (or, better, 5.0 which will 
> be released very 
> soon)?
> 
> I will update the severity of this bug at the end of September

November is comming to an end and this bug was not upgraded yet. My llvm
skills are pretty much non-existing. I am going to drop llvm support in
clamav so you can move forward with your 3.8 removal.
Please let me know if your plans have changed and you intend to keep 3.8
for Buster so you I can re-enable the support here :)

> Thanks
> Sylvestre

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#881780: Bug#881780: clamav-freshclam: reconfiguring to manual update doesn't disable daemon

[Sebastian Andrzej Siewior]

On 2017-11-15 03:46:46 [+0200], Bob Bib wrote:
> Dear Maintainer,
Hi Bob,
> 
> I've tried reconfiguring clamav-freshclam,
> to disable the daemon:
> 
> # dpkg-reconfigure clamav-freshclam
> ...
> Virus database update method: manual
> ...
> 
> The reconfiguration process ends up with database update and stopped daemon;
> unfortunately, after reboot, the daemon starts again.
> 
> $ ps -ef | grep freshclam
> clamav 505 1  0 Nov14 ?00:00:10 /usr/bin/freshclam -d 
> --foreground=true
> 
> Workaround.
> Add the following line to "/etc/clamav/freshclam.conf":
> 
> Checks 0

During dpkg-reconfigure it asks you for checks and you probably had 24
as I did while I tried redo what you did.
If we switch to cron then there is a check for the cron file and
freshclam does not start. I have no idea why the daemon is not disabled
if switched to `manual'. I can't even tell why it is run once after
dpkg-reconfigure finishes.
That said
systemctl disable clamav-freshclam.service

should do the job without the "Checks 0" thingy. So might add it to the
script since it looks good atm.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#881634: Bug#881634: clamav: Exim4 configuration documentation is outdated (demine is deprecated)

[Sebastian Andrzej Siewior]

control: tags -1 pending

On 2017-11-13 20:35:29 [+0200], Vincas Dargis wrote:
> I have edited Exim4 configuration as READE.Debian.gz suggested:
> 
> 
> ```
>Then add the following to your data time acl:
> 
>deny  message = This message contains a virus: ($malware_name) please scan 
> your system.
>  demime = *
>  malware = *
…
>   error in ACL: unknown ACL condition/modifier in "demime = *"
> ```
> 
> Looks like `demime` is no longer supported [0].

as per [0] it looks like the "demime = *" needs to go. Everything else
(that "malware = *" line acl data) is okay. So I drop that line and we
are good again.

[0] 
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-content_scanning_at_acl_time.html

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#867877: clamav-daemon: please respect manual configuration

[Sebastian Andrzej Siewior]

On 2017-08-21 15:22:49 [+0200], Luca Capello wrote:
> Hi there,
Hi,

> Given that no documentation was available, not even in the upstream
> files, I was lost, so this would be the first improvement.
> 
> I was not aware that upstream chose the "full-systemd path", so I guess
> changing that is a no-op, so at least the documentation must be fixed.

Oh well. It was submitted upstream and accepted. And since then I
reverted a part of it because it caused trouble. Now that I look at this
again, I am kind of leaning towards removing the socket part as well.
I can't currently figure out a reason why the socket-support via/by
systemd is a good thing. The auto-activation thing was one thing but
this bit us at least once. So if nothing changes I probably submit a
patch upstream to remove the socket support and then we will be back to
one config file again.

> Thx, bye,
> Gismo / Luca
> 

Sebasian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#868766: clamav-freshclam: please update logcheck rules

[Sebastian Andrzej Siewior]

control: found -1 0.99.2+dfsg-0+deb7u2
control: found -1 0.99.2+dfsg-6
control: tags -1 pending

On 2017-07-18 13:08:19 [+0200], Václav Ovsík wrote:
> 
> Dear Maintainer,
> there is a tiny improvement to logcheck file please:

thanks.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824817: Bug#824817: Bug#824817: Please include bytecode.cvd in one .deb

[Sebastian Andrzej Siewior]

On 2016-08-09 21:58:50 [+0200], To Mathieu Parent (Debian) wrote:
> On 2016-05-22 12:14:29 [+0200], Sebastian Andrzej Siewior wrote:
> > Ah. You scan for the eicar sample. Okay. So you try to do something like
> > we do in [0] ? Because that shouldn't work:
> > |$ sigtool -lbytecode.cvd
> > |BC.Win32.Patched.User32
> > |BC.PDF.{JS.HighEntropy}
> > |BC.ClamAV-Test-File-detected-via-bytecode.{}
> > |ClamAV-Test-File
> > |Internal-Test-Signature
> > 
> > since I don't see the "Eicar-Test-Signature" in it. So if you use the
> > bytecode.cvd from the clamav test-repo you have to test against the files
> > in the testfiles package. 
> > If this is what you plan then I could a file like sample.cvd which is
> > the bytecode.cvd with the 5 signatures.
> 
> *ping*

no answer, closing. If still valid, please reopen.

> > [0] 
> > https://sources.debian.net/src/clamav/0.99.2%2Bdfsg-2/debian/tests/clamd/

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#870253: clamav-milter: disengaging debconf management destroys config

[Sebastian Andrzej Siewior]

On 2017-08-28 17:04:51 [+0900], Marc Dequènes (Duck) wrote:
> Quack,
Hi,

> Thanks.
> 
> I can help you test if you provide a test package.

as you wish. At
https://breakpoint.cc/clamav/

you can find a .dsc file of what we have currently in git on alioth and
a prebuilt binary for amd64.

> \_o<
> 


Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#870253: clamav-milter: disengaging debconf management destroys config

[Sebastian Andrzej Siewior]

On 2017-08-22 21:21:14 [+0200], To Marc Dequènes wrote:
> @team: any opinion here?

I am going to drop that part where the debconf created file gets
overwritten with the sample file. Need to test before I commit it…

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#868092: Acknowledgement (clamav-freshclam: clean up legacy conf files)

[Sebastian Andrzej Siewior]

On 2017-08-20 21:50:32 [+0200], Christoph Anton Mitterer wrote:
> Hey.
Hi,

> Nothing special, I never manually changed the config, only via debconf.
> 
> What seems to be the case here is the following:
> 
> /etc/logrotate.d/clamav-freshclam seems to have been once a "conffile"
> (i.e. a config file managed by dpkg).

How do you know that it is a conffile / config file managed by dpkg? We
use ucf to manage conf files. And this was the case since git remembers…

> Later however, this seems to have been changed, and while the file is
> still there (and used), it's no longer a dpkg-managed "conffile".
> However, when (at some version) the switch was done from dpkg-managed
> "conffile" to non-dpkg-managed configuration file,... dpkg wasn't told
> about this change, and still thinks (on legacy installations) that the
> file would be a "conffile".

Okay, so you are saying that there are side effects during upgrade.

> Not fully sure what is the "best" way to handle such cases,... perhaps
> you could ask at debian-devel?
> I think one could possible to something like:
> - backup the current file to some location
> - use dpkg-maintscript-helper rm_conffile to get the conffile
>   unregistered
> - move the backup to the original location
> => thus everything should stay as is, but the conffile be unregistered
> 
> But as I've said... rather ask some package maintenance experts for
> help on this.

Okay.

> 
> Thanks,
> Chris.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#870253: clamav-milter: disengaging debconf management destroys config

[Sebastian Andrzej Siewior]

On 2017-08-22 16:52:12 [+0900], Marc Dequènes (Duck) wrote:
> Quack,
Hi,

> This may be what people using ucf expect, and in this case you might
> probably close the bug, but I don't find this a nice behavior. To me
> disengaging debconf mean: leave as it is, I'll take care of it from now
> on. I should at least have a choice even if the file was not modified
> manually yet. The only change which I find legitimate is to remove the
> "managed by debconf" header.

@team: any opinion here?

> Hope this is clearer.
> 
> \_o<
> 


Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#868092: Acknowledgement (clamav-freshclam: clean up legacy conf files)

[Sebastian Andrzej Siewior]

On 2017-07-12 01:54:01 [+0200], Christoph Anton Mitterer wrote:
> On Wed, 2017-07-12 at 01:39 +0200, Christoph Anton Mitterer wrote:
> > Sorry, haven't seen it was created via debconf =)
> 
> Reverting this... it's still technically a bug, even though you create
> the file, as it's marked as a conffile in dpkg, which it no longer is.
> 
> So please clean up =)

I am confused. Could you describe step by step what happens and when it
got wrong? There is a postrm script for freshclam which (should) remove
the file in question.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#870253: clamav-milter: disengaging debconf management destroys config

[Sebastian Andrzej Siewior]

On 2017-07-31 19:38:58 [+0900], Marc Dequènes wrote:
> Quack,
Hi,

> I configured this package using debconf and it worked nicely. I then wanted
> to handle the file via configuration management and to do so I disengaged
> debconf, replying "no" to the question "Handle the configuration file
> automatically?" when doing a dpkg-reconfigure.
> 
> The resulting message was:
>   Replacing config file /etc/clamav/clamav-milter.conf with new version
> The configuration file previously created via debconf was simply replaced
> without any backup, so all my config was lost (thanks backup).

This should not happen. We use ucf for config file modification. I tried
to reproduce this today.
So if I modify the .conf file only with debconf and then (later) tell
debconf not to handle it then the "old" .conf file will be replaced with
upstream's default one.
If you switch back to debconf then it should create the same config file
(as it was before) because the settings stored in debconf are the same.

Now. If you change the file manually (with the configuration management)
and after that you tell debconf to not do anything then ucf should
complain that the file was modified.
I tried this scenario (make a local change, start debconf and answer
the first question with 'no') and ucf complained as it should:
|A new version
|(/usr/share/doc/clamav-milter/examples/clamav-milter.conf.sample) of
|configuration file /etc/clamav/clamav-milter.conf is available, but the
|version installed currently has been locally modified.

so that seems to work. You get
|Replacing config file /etc/clamav/clamav-milter.conf with new version
|Disabling old logrotate script for clamav-milter

if you select "install the package maintainer's version" and if decide
to select "keep the local version currently installed" then you only get
|Disabling old logrotate script for clamav-milter

So this what I had here. It seems to work as expected. Do you have some
ucf auto-magic or did I misunderstand something.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#867877: clamav-daemon: please respect manual configuration

[Sebastian Andrzej Siewior]

On 2017-07-10 23:39:53 [+0200], To Luca Capello wrote:
> On 2017-07-10 11:40:20 [+0200], Luca Capello wrote:
> > Hi there,
> Hi,
> 
> > while debugging why the TCP socket was not responding, I discovered that
> > everything was fine if clamd was manually started via the CLI.  And then
> > I found .
> > 
> > Please, this is becoming ridiculous:
> > 
> > - clamd works as expected with *its* own configuration
> > - there is no documentation in /usr/share/doc/clamav-daemon about the
> >   need to dpkg-reconfigure clamav-daemon to change parameters (and even
> >   worse behavior)
> > - non-Debian configuration via manual modifications or automatic tools
> >   (e.g. ) is not respected
> 
> so what is the problem? You want additional documentation or somehow
> changed behavior?
> You have systemd as init that means that systemd will open the
> TCP-socket. Initially we had socket activation but this was disabled -
> however it still has the socket configuration via systemd. Using
> dpkg-reconfigure will do the right thing and properly create
>   /etc/systemd/system/clamav-daemon.socket.d/extend.conf
> with the socket information. If you run under systemd then this part of
> clamd.conf will be ignored. If you start this via CLI then it won't run
> under systemd (same goes for systemV as init) and the arguments are
> parsed again.
> 
> > The combination of all the above factors suggests me that the severity
> > is higher than important, but leaving at it for now.
> 
> That systemd service file is part of upstream since a few releases. You
> could argue if systemd's socket "feature" should be used or not or third
> party tools extended to the extend.conf file in systemd's case. Or the
> documentation updated.

If there is no feedback, I have no idea what I can/should do.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#872594: clamav: please use system libmspack instead of embedded copy

[Sebastian Andrzej Siewior]

control: tags -1 pending

On 2017-08-19 07:48:28 [+0900], Marc Dequènes wrote:
> Quack,
Hi,

> I can see there was some work to use the library instead of the embedded
> code, and that upstream even added the changes, which is nice, unfortunately
> the resulting packages do not depend on it.
> 
> I think the missing piece would be to use the --with-system-libmspack
> configure flag.

Thanks for noticing it. This got changed by accident and yes we want to
use the system library.

> \_o<
> 

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] Bug#868956: libmspack: CVE-2017-11423

[Sebastian Andrzej Siewior]

On 2017-08-15 05:55:49 [+0900], Marc Dequènes (Duck) wrote:
> Quack,
Hi,

> I was at DebConf in Canada, so I was busy meeting people :-).
> It should be done before or after flying back home.

No worries. We got the two CVEs sorted out and a release in the
meantime. I see an unstable upload almost made it (B-D doxygen missing).
And we need a security upload.
> \_o<
> 

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#871514: clamav: FTBFS on mips64el

[Sebastian Andrzej Siewior]

control: reassign -1 gcc-7 7.1.0-12
control: affects -1 clamav

On 2017-08-09 16:43:29 [+0200], Aurelien Jarno wrote:
> I got a quick look. It's indeed a regression introduced by GCC 7. It can
> be workarounded by building the file with -O0, but already appears with
> -O1 optimization.
> 
> I got a quick look with gdb and it seems that loading either the rc
> (enum) or infect (bool variable to test it against 0, the load is done 
> with the ld instruction instead of the lw instruction. It means garbage
> from another local variable is loaded into the high 32 bits, which
> causes the comparison against 0 to be false instead of true.

Thanks for looking at this. I reassinged this bug to gcc-7. Would
forwarding the bug gcc upstream with the mbox.i be any help? I could a
label around the check so the comparison could be located in .S easier,
just don't know if this helps.

> Aurelien
> 

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#871514: clamav: FTBFS on mips64el

[Sebastian Andrzej Siewior]

On 2017-08-08 20:34:37 [+0200], To sub...@bugs.debian.org wrote:
…
> returned (the important part):
> |LibClamAV debug: parseEmailBody() rc 1 infect 0
> |LibClamAV debug: parseEmailBody() returning 3
…
> The exp build passed with gcc-6_6.4.0-1 [0]. Is there an easy way to
> downgrade the compiler on eller/porterbox? Or could a porter double
> check this please?

on eller in a buster chroot:
|LibClamAV debug: parseEmailBody() rc 1 infect 0
|LibClamAV debug: parseEmailBody() returning 1

further suggestions?

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#871514: clamav: FTBFS on mips64el

[Sebastian Andrzej Siewior]

Package: clamav
Version: 0.99.2+dfsg-6
Severity: serious

The last build of clamav (0.99.3~beta1+dfsg-1) failed on mips64el.
However the build in experimtal (0.99.3~snapshot…) succeeded and code
change is very minimal (almost non-existing). The I tried 0.99.2+dfsg-6
on eller and it failed, too but passed in the past.

I looked slightly more closely on eller. After a complete build, the
command
|clamscan/clamscan --gen-json --quiet -dunit_tests/test-1/test-db \
|   unit_tests/input/phish-test-clean unit_tests/input/phish-test-cloak \
|   unit_tests/input/phish-test-ssl  --log=clamscan2.log --debug

returned (the important part):
|LibClamAV debug: parseEmailBody() rc 1 infect 0
|LibClamAV debug: parseEmailBody() returning 3

the matching C code by the end of parseEmailBody():
| cli_dbgmsg("parseEmailBody() rc %d infect %d\n", (int)rc, infected);
| if ((rc != FAIL) && infected)
| rc = VIRUS;
| 
| cli_dbgmsg("parseEmailBody() returning %d\n", (int)rc);
 
and rc is type mbox_status:
| typedef enum {
| FAIL,
| OK,
| OK_ATTACHMENTS_NOT_SAVED,
| VIRUS,
| MAXREC,
| MAXFILES
| } mbox_status;

So rc is != FAIL and infected is 0 but the compiler manages to set rc to
VIRUS / 3.

The exp build passed with gcc-6_6.4.0-1 [0]. Is there an easy way to
downgrade the compiler on eller/porterbox? Or could a porter double
check this please?

[0] 
https://buildd.debian.org/status/fetch.php?pkg=clamav&arch=mips64el&ver=0.99.3~snapshot20170704%2Bdfsg-1&stamp=1499981584&raw=0

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] Bug#868956: libmspack: CVE-2017-11423

[Sebastian Andrzej Siewior]

On 2017-08-06 10:22:11 [+0100], Stuart Caie wrote:
> Commited a fix: 
> https://github.com/kyz/libmspack/commit/17038206fcc384dcee6dd9e3a75f08fd3ddc6a38
> 
> I'll put out a release in the near future.

thank you Stuart.
Marc do plan you upload something to unstable/security soon, wait for a
new release or would you prefer someone else to NMU it with this
change?

> Regards
> Stuart

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] libmspack / clamav issue in Wheezy

[Sebastian Andrzej Siewior]

On 2017-08-05 09:29:50 [-0400], Markus Koschany wrote:
> this yourself? I have just added clamav to dla-needed.txt, so a team member
> might start to work on it anytime if you are busy.
Yes, please.

> Regards,
> 
> Markus

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] libmspack / clamav issue in Wheezy

[Sebastian Andrzej Siewior]

Hi,

CVE-2017-11423 has been reported against libmspack. Clamav in Wheezy is
affected because it bundles the libmspack library. Clamav upstream fixed
it via

https://github.com/vrtadmin/clamav-devel/commit/ffa31264a657618a0e40c51c01e4bfc32e244d13

https://github.com/vrtadmin/clamav-devel/commit/ada5f94e5cfb04e1ac2a6f383f2184753f475b96
and I just updated the security-tracker to reflect this. Jessie+ is
using the libmspack in the archive so it will be fixed once libmspack is
updated.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] Bug#868956: libmspack: CVE-2017-11423

[Sebastian Andrzej Siewior]

On 2017-07-23 16:52:16 [+0100], Stuart Caie wrote:
> Hello,
Hi Stuart,

> https://github.com/kyz/libmspack/commit/3e3436af6010ac245d7a390c6798e2b81ce09191
> > 2015-05-10  Stuart Caie 
> > * cabd_read_string(): correct rejection of empty strings. Thanks to
> > Hanno Böck for finding the issue and providing a sample file.
> 
> I had a philosophical discussion with Hanno Böck about it, I wasn't
> persuaded that it's a real vulnerability. If you craft a CAB file with an
> empty CAB string, one byte will be overread. You can't make it over-read an
> arbitrary number of bytes, just the empty string -> 1 byte overread.
> 
> This report says "and application crash" -- I still have no evidence this is
> true (unless you've instrumented your code to monitor all overreads and
> deliberately crash yourself when you see one). If you want me to release
> libmspack to address a CVE created for a non-vulnerability, please let me
> know.

let me try to bring some light into it. First clamav fixed the issue via:
  
https://github.com/vrtadmin/clamav-devel/commit/ffa31264a657618a0e40c51c01e4bfc32e244d13
  
https://github.com/vrtadmin/clamav-devel/commit/ada5f94e5cfb04e1ac2a6f383f2184753f475b96

and the read function was crafted by the author of this email and looks
like this:
  
https://sources.debian.net/src/clamav/0.99.2%2Bdfsg-6/libclamav/libmspack.c/#L125

The way I see it, the problem is that the read functions returns -1 on
error and libmspack
  https://sources.debian.net/src/libmspack/0.5-1/mspack/cabd.c/#L524

treats the return code as unsigned integer which makes the error (-1)
slightly large. The test files cabd_memory.c and multifh.c also return
-1 on error.

> Regards
> Stuart

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] Install of ClamAV

[Sebastian Andrzej Siewior]

On 2017-07-27 15:18:34 [+0200], Mike Waid wrote:
> I tried to install the Debian ClamAV using apt-get install clamav but got
> an error of Segmentation faultsts... 0%
> 
> I have PHP 5.5.29 and Debian 7.11 running on Google Cloud Platform.

you need to provide more informations, than you just did, in order to
track down the issue. Other than that, I doubt that this is a clamav
issue. It looks more like apt segfaulted while trying to figure out the
dependency chain. Anyway, is this a one time flaw or are you able to
reproduce this?

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#867877: clamav-daemon: please respect manual configuration

[Sebastian Andrzej Siewior]

On 2017-07-10 11:40:20 [+0200], Luca Capello wrote:
> Hi there,
Hi,

> while debugging why the TCP socket was not responding, I discovered that
> everything was fine if clamd was manually started via the CLI.  And then
> I found .
> 
> Please, this is becoming ridiculous:
> 
> - clamd works as expected with *its* own configuration
> - there is no documentation in /usr/share/doc/clamav-daemon about the
>   need to dpkg-reconfigure clamav-daemon to change parameters (and even
>   worse behavior)
> - non-Debian configuration via manual modifications or automatic tools
>   (e.g. ) is not respected

so what is the problem? You want additional documentation or somehow
changed behavior?
You have systemd as init that means that systemd will open the
TCP-socket. Initially we had socket activation but this was disabled -
however it still has the socket configuration via systemd. Using
dpkg-reconfigure will do the right thing and properly create
  /etc/systemd/system/clamav-daemon.socket.d/extend.conf
with the socket information. If you run under systemd then this part of
clamd.conf will be ignored. If you start this via CLI then it won't run
under systemd (same goes for systemV as init) and the arguments are
parsed again.

> The combination of all the above factors suggests me that the severity
> is higher than important, but leaving at it for now.

That systemd service file is part of upstream since a few releases. You
could argue if systemd's socket "feature" should be used or not or third
party tools extended to the extend.conf file in systemd's case. Or the
documentation updated.

> Thx, bye,
> Gismo / Luca

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] Wheezy update of libclamunrar?

[Sebastian Andrzej Siewior]

On 2017-07-05 08:36:28 [+0100], Chris Lamb wrote:
> Dear maintainer(s),
Hi,

> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of libclamunrar:
> https://security-tracker.debian.org/tracker/source-package/libclamunrar
> 
> Would you like to take care of this yourself?
No, sorry.

> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.

This
 
https://anonscm.debian.org/cgit/pkg-clamav/libclamunrar.git/tree/debian/patches?h=jessie

points to patches folder I intend to push for Jessie. Wheezy should be
the same thing. The thing in the tracker is
unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch

however I also recommend that you add the other four patches as well
(they are part of Jessie+). This fixes an out-of-band memory access and
upstream did not make a fuss about it.

> Chris Lamb,
>   on behalf of the Debian LTS team.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#867328: jessie-pu: package libclamunrar/0.99-0+deb8u3

[Sebastian Andrzej Siewior]

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

This is an update to Jessie with a patch from git which fixes
CVE-2012-6706. The final clamav release is planned for the end of July,
this is the only commit in the libclamunrar part so far.

Sebastian
diff -Nru libclamunrar-0.99/debian/changelog libclamunrar-0.99/debian/changelog
--- libclamunrar-0.99/debian/changelog	2016-12-16 21:38:26.0 +0100
+++ libclamunrar-0.99/debian/changelog	2017-07-05 21:20:40.0 +0200
@@ -1,3 +1,10 @@
+libclamunrar (0.99-0+deb8u3) oldstable; urgency=medium
+
+  * Cherry pick fix for arbitrary memory write. CVE-2012-6706
+(Closes: #867223).
+
+ -- Sebastian Andrzej Siewior   Wed, 05 Jul 2017 21:20:40 +0200
+
 libclamunrar (0.99-0+deb8u2) stable; urgency=medium
 
   * Add patches from upstream bugzilla bb11600 and bb11601 to fix out of band
diff -Nru libclamunrar-0.99/debian/.git-dpm libclamunrar-0.99/debian/.git-dpm
--- libclamunrar-0.99/debian/.git-dpm	2016-12-16 21:38:26.0 +0100
+++ libclamunrar-0.99/debian/.git-dpm	2017-07-05 21:19:45.0 +0200
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-e677e64787390c59bdb925be08113ebf47aed869
-e677e64787390c59bdb925be08113ebf47aed869
+bced92bf269023e533fa3433f57205aa77c40eec
+bced92bf269023e533fa3433f57205aa77c40eec
 87f93791ab6959fd522bdf0b1211ff0480cff4c7
 87f93791ab6959fd522bdf0b1211ff0480cff4c7
 libclamunrar_0.99.orig.tar.xz
diff -Nru libclamunrar-0.99/debian/patches/series libclamunrar-0.99/debian/patches/series
--- libclamunrar-0.99/debian/patches/series	2016-12-16 21:38:26.0 +0100
+++ libclamunrar-0.99/debian/patches/series	2017-07-05 21:19:45.0 +0200
@@ -2,3 +2,4 @@
 bb11600_pt2.patch
 bb11601.patch
 bb11601_pt2.patch
+unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch
diff -Nru libclamunrar-0.99/debian/patches/unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch libclamunrar-0.99/debian/patches/unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch
--- libclamunrar-0.99/debian/patches/unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch	1970-01-01 01:00:00.0 +0100
+++ libclamunrar-0.99/debian/patches/unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch	2017-07-05 21:19:45.0 +0200
@@ -0,0 +1,173 @@
+From bced92bf269023e533fa3433f57205aa77c40eec Mon Sep 17 00:00:00 2001
+From: Mickey Sola 
+Date: Thu, 29 Jun 2017 14:02:03 -0400
+Subject: unrar - adding proposed changes to fix RAR VMSF_DELTA Filter
+ Signedness error
+
+CVE: CVE-2012-6706: arbitrary memory write
+BTS: #867223
+Patch-Name: unrar-adding-proposed-changes-to-fix-RAR-VMSF_DELTA-.patch
+---
+ libclamunrar/unrarvm.c | 55 ++
+ 1 file changed, 29 insertions(+), 26 deletions(-)
+
+diff --git a/libclamunrar/unrarvm.c b/libclamunrar/unrarvm.c
+index 102fe2ebf044..b21e242fa72b 100644
+--- a/libclamunrar/unrarvm.c
 b/libclamunrar/unrarvm.c
+@@ -213,9 +213,9 @@ void rarvm_addbits(rarvm_input_t *rarvm_input, int bits)
+ 
+ unsigned int rarvm_getbits(rarvm_input_t *rarvm_input)
+ {
+-	unsigned int bit_field = 0;
++unsigned int bit_field = 0;
+ 
+-	if (rarvm_input->in_addr < rarvm_input->buf_size) {
++if (rarvm_input->in_addr < rarvm_input->buf_size) {
+ bit_field = (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr] << 16;
+ if (rarvm_input->in_addr+1 < rarvm_input->buf_size) {
+ bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
+@@ -314,10 +314,10 @@ static unsigned int *rarvm_get_operand(rarvm_data_t *rarvm_data,
+ 	}
+ }
+ 
+-static unsigned int filter_itanium_getbits(unsigned char *data, int bit_pos, int bit_count)
++static unsigned int filter_itanium_getbits(unsigned char *data, unsigned int bit_pos, unsigned int bit_count)
+ {
+-	int in_addr=bit_pos/8;
+-	int in_bit=bit_pos&7;
++	unsigned int in_addr=bit_pos/8;
++	unsigned int in_bit=bit_pos&7;
+ 	unsigned int bit_field=(unsigned int)data[in_addr++];
+ 	bit_field|=(unsigned int)data[in_addr++] << 8;
+ 	bit_field|=(unsigned int)data[in_addr++] << 16;
+@@ -326,10 +326,10 @@ static unsigned int filter_itanium_getbits(unsigned char *data, int bit_pos, int
+ 	return(bit_field & (0x>>(32-bit_count)));
+ }
+ 
+-static void filter_itanium_setbits(unsigned char *data, unsigned int bit_field, int bit_pos, int bit_count)
++static void filter_itanium_setbits(unsigned char *data, unsigned int bit_field, unsigned int bit_pos, unsigned int bit_count)
+ {
+-	int i, in_addr=bit_pos/8;
+-	int in_bit=bit_pos&7;
++	unsigned int i, in_addr=bit_pos/8;
++	unsigned int in_bit=bit_pos&7;
+ 	unsigned int and_mask=0x>>(32-bit_count);
+ 	and_mask=~(and_mask<R[4];
+ 		file_offset = rarvm_data->R[6];
+ 
+-		if (((unsigned int)data_size >= VM_GLOBALMEMADDR) || (data_size < 

[Pkg-clamav-devel] Bug#830482: Bug#830482: Fresh installation causes freshclam to to fail

[Sebastian Andrzej Siewior]

On 2017-05-04 22:11:02 [+0200], To T. Joseph Carter wrote:
> I will try to reproduce this myself over the weekend. The original
> reported never came back to me. Just for the record: You run stable or
> testing? And all you did was just a plain install? And you do have
> systemd as default.

You replied that you were using `sid' but didn't Cc the bug so here I
add this detail for the protocol.

All you say is that once you have the "UpdateLogFile" entry then
freshclam won't work. Then you remove that line (or add # in front of
it) and it works. So this is something I can't reproduce. It worked
well here.
What is the error message that you face?

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#830482: Bug#830482: Fresh installation causes freshclam to to fail

[Sebastian Andrzej Siewior]

On 2017-04-02 23:27:38 [-0700], T. Joseph Carter wrote:
> ​​I don't know if I will hit upon the issue in this bug or not, but I'll
> offer what I've just found in case it may be useful:
> 
> I found freshclam to fail freshly installed with the error message
> indicated in this bug.  Here is my freshclam.conf upon installation:

I will try to reproduce this myself over the weekend. The original
reported never came back to me. Just for the record: You run stable or
testing? And all you did was just a plain install? And you do have
systemd as default.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#852894: Bug#852894: Bug#852894: clamav: FTBFS: dh_install: missing files, aborting

[Sebastian Andrzej Siewior]

control: forwarded -1 https://bugzilla.clamav.net/show_bug.cgi?id=11739

On 2017-01-28 12:50:41 [-0500], Scott Kitterman wrote:
> 
> Thanks for patch.  I wrongly assumed you were one of the curl maintainers.  
> The release team is considering if the change should be reverted, so I'm 
> going 
> to hold off on this for the moment, but I appreciate you putting it together 
> so quickly.

I forwarded the patch upstream and prepared a fix for unstable but did
not yet push it to the repo. Let me know if we need to fix this or if
curl will revert its change.

> Scott K

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#848926: jessie-pu: package libclamunrar/0.99-0+deb8u2

[Sebastian Andrzej Siewior]

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

This update contains four patches which I noticed in upstream's git.
They appeared in July and the last fix (for a fix) was done last week. I
have no idea when 0.99.3 will appear and the changes in the debdiff are
the only (functional changes) in libclamunrar* since the 0.99.

The fixes look like bugs found by afl (or other fuzzer) while throwing
.rar files at clamav.

Sebastian
diff -Nru libclamunrar-0.99/debian/changelog libclamunrar-0.99/debian/changelog
--- libclamunrar-0.99/debian/changelog  2016-02-03 22:10:12.0 +0100
+++ libclamunrar-0.99/debian/changelog  2016-12-16 21:38:26.0 +0100
@@ -1,3 +1,10 @@
+libclamunrar (0.99-0+deb8u2) stable; urgency=medium
+
+  * Add patches from upstream bugzilla bb11600 and bb11601 to fix out of band
+access.
+
+ -- Sebastian Andrzej Siewior   Fri, 16 Dec 2016 
21:38:26 +0100
+
 libclamunrar (0.99-0+deb8u1) stable; urgency=medium
 
   [ Scott Kitterman ]
@@ -10,7 +17,7 @@
   * switch from libclamunrar6 to libclamunrar7
   * copy clamav's watch file
   * add pkg-config to dependencies so autoreconf does not break
-  * don't links against libpcre if available.
+  * don't link against libpcre if available.
 
  -- Sebastian Andrzej Siewior   Wed, 03 Feb 2016 
21:52:51 +0100
 
diff -Nru libclamunrar-0.99/debian/.git-dpm libclamunrar-0.99/debian/.git-dpm
--- libclamunrar-0.99/debian/.git-dpm   2016-02-03 22:09:03.0 +0100
+++ libclamunrar-0.99/debian/.git-dpm   2016-12-16 21:38:26.0 +0100
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-1256542cf41587e62a048e687097f23cef1511f0
-1256542cf41587e62a048e687097f23cef1511f0
-1256542cf41587e62a048e687097f23cef1511f0
-1256542cf41587e62a048e687097f23cef1511f0
-libclamunrar_0.98.5.orig.tar.xz
-6d4a3441e142002ffdaa76ad313bc018985e1999
-304828
+e677e64787390c59bdb925be08113ebf47aed869
+e677e64787390c59bdb925be08113ebf47aed869
+87f93791ab6959fd522bdf0b1211ff0480cff4c7
+87f93791ab6959fd522bdf0b1211ff0480cff4c7
+libclamunrar_0.99.orig.tar.xz
+3299e943affefb7a1aea0cada292f1c4ec039aed
+311248
diff -Nru libclamunrar-0.99/debian/patches/bb11600.patch 
libclamunrar-0.99/debian/patches/bb11600.patch
--- libclamunrar-0.99/debian/patches/bb11600.patch  1970-01-01 
01:00:00.0 +0100
+++ libclamunrar-0.99/debian/patches/bb11600.patch  2016-12-16 
21:38:26.0 +0100
@@ -0,0 +1,24 @@
+From 5a04072c135be7b49279792401f10d7b4f723ab5 Mon Sep 17 00:00:00 2001
+From: Steven Morgan 
+Date: Tue, 12 Jul 2016 12:36:29 -0400
+Subject: bb11600 - fix out of bounds stack read.
+
+Patch-Name: bb11600.patch
+---
+ libclamunrar/unrar20.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libclamunrar/unrar20.c b/libclamunrar/unrar20.c
+index ecfe40cf32f3..d938c472e1d8 100644
+--- a/libclamunrar/unrar20.c
 b/libclamunrar/unrar20.c
+@@ -117,7 +117,8 @@ static int read_tables20(int fd, unpack_data_t 
*unpack_data)
+   n = (rar_getbits(unpack_data) >> 14) + 3;
+   rar_addbits(unpack_data, 2);
+   while ((n-- > 0) && (i < table_size)) {
+-  table[i] = table[i-1];
++  if (i>0)
++  table[i] = table[i-1];
+   i++;
+   }
+   } else {
diff -Nru libclamunrar-0.99/debian/patches/bb11600_pt2.patch 
libclamunrar-0.99/debian/patches/bb11600_pt2.patch
--- libclamunrar-0.99/debian/patches/bb11600_pt2.patch  1970-01-01 
01:00:00.0 +0100
+++ libclamunrar-0.99/debian/patches/bb11600_pt2.patch  2016-12-16 
21:38:26.0 +0100
@@ -0,0 +1,24 @@
+From 6c667e29a8980bef06544bb2c931a18512aaf745 Mon Sep 17 00:00:00 2001
+From: Steven Morgan 
+Date: Tue, 12 Jul 2016 14:31:38 -0400
+Subject: fix possible out of bounds stack read.
+
+Patch-Name: bb11600_pt2.patch
+---
+ libclamunrar/unrar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/libclamunrar/unrar.c b/libclamunrar/unrar.c
+index 456da4d6fef9..40a3d63cbd3e 100644
+--- a/libclamunrar/unrar.c
 b/libclamunrar/unrar.c
+@@ -469,7 +469,8 @@ static int read_tables(int fd, unpack_data_t *unpack_data)
+   rar_addbits(unpack_data, 7);
+   }
+   while (n-- > 0 && i < table_size) {
+-  table[i] = table[i-1];
++  if (i>0)
++  table[i] = table[i-1];
+   i++;
+   }
+   } else {
diff -Nru libclamunrar-0.99/debian/patches/bb11601.patch 
libclamunrar-0.99/debian/patches/bb11601.patch
--- libclamunrar-0.99/debian/patches/bb11601.patch  1970-01-01 
01:00:00.0 +0100
+++ libclamunrar-0.99/debian/patches/bb11601.patch 

[Pkg-clamav-devel] Bug#830482: Bug#830482: clamav-freshclam: duplicate logging with systemd

[Sebastian Andrzej Siewior]

On 2016-07-08 14:39:26 [+0200], Marki wrote:
> freshclam is configured to log to its logfile by itself (UpdateLogFile).
> However systemd unit file (as shipped with jessie) runs freshclam in
> foreground and redirects its stdout to syslog.
> 
> LogSyslog false
> Foreground false

According to the source code of freshclam this should not happen if
LogSyslog and Foreground is set to false like you have. I have
clamav-freshclam on a fresh box to double check and confirmed it.
(On my server I have freshclam run from cron so I could not check the
problem existed otherwise)
Is the freshclam.conf you attached to the bug report from the machine
that logs twice?

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#840331: Bug#840331: clamav autoconfiguring a Proxy based on Apt settings

[Sebastian Andrzej Siewior]

On 2016-10-10 17:54:12 [+0100], T A F Thorne wrote:

> If I check in /etc/clamav/freshclam.conf I can see:
> # Check for new database 24 times a day
> Checks 24
> DatabaseMirror db.local.clamav.net
> DatabaseMirror database.clamav.net
> # Proxy: http://warden.pt.local:3142/
> HTTPProxyServer warden.pt.local
> HTTPProxyPort 3142
> 

> I believe that the automatic configuration of this package is behaving
> in the wrong way. It should not be selecting warden as a Proxy.

Correct. During the installation process of clamav-freshclam debconf
checks http_proxy and takes whatever is here and uses it as a http_proxy
for freshclam.

> Warden is set as a proxy for APT on my system. It has Apt-Cacher NG
> installed for this purpose. In my /etc area, warden is only mentioned in
> the /etc/apt/apt.conf.d/02proxy file and in the automatically generated
> /etc/clamav/freshclam.conf file.
> $ sudo rgrep warden.pt.local /etc/
> /etc/clamav/freshclam.conf:# Proxy: http://warden.pt.local:3142/
> /etc/clamav/freshclam.conf:HTTPProxyServer warden.pt.local
> /etc/apt/apt.conf.d/02proxy:Acquire::http { Proxy
> "http://warden.pt.local:3142";; };

can you do
echo $http_proxy
sudo echo $http_proxy

> When I check other machines on my network that have a similar setting
> for apt, they also express this error messages about clamav in their
> syslogs. As far as I can see both 14.04 and 16.04 machines exhibit the
> same behaviour.

this is like that since a _long_ time.

> I am willing to accept that I have mis-configured apt in some way to
> cause this. If that is likely, how should I setup an apt only http
> cache? I have not noticed any other program attempt to automatically use
> apt for all HTTP traffic.

The only way for freshclam to pickup a proxy is to have http_proxy
environtment variable set during the install process. From a grep
through apt's source I can't see that apt sets this variable. I see that
apt will use http_proxy if set but it won't set it by itself (if
configured as you did via the "Acquire::http" option).
That means I don't see anything wrong. I *assume* that you have (or had)
http_proxy set during the install process and now you ended up with it.
You can drop it by calling
dpkg-reconfigure clamav-freshclam
and then it should not come back.

You could also use use
deb http://warden.pt.local:3142/ubuntu

in your /etc/apt/sources file instead of setting the proxy on your box
_and_ the debian mirror. The advantage is that now everybody would use
the mirror configure in apt-proxy-ng. Otherwise apt-cacher-ng would keep
two copies of the same file if two different mirrors were used (I think
if I remember it correctly).

> Would this bug be a security vulnerability? If a large number of
> machines do not get av definition updates for months or years at a time
> I could see how that could compromise a system in some small way. I will
> avoid marking it as such for now as I am not sure it really is one.

Well. You should test your box after an installation. That is the first
point where it was not working. So it was not working at all. Second you
should monitor your boxes (as a good sysadmin) and have an eye on things
like that. It is also possible that the upstream blacklisted your ISP
for one reason or another _or_ that clamav made an update to its
database and you required a newer version to keep it working.
What I am trying to say is that it is hard hard to argue that "this is a
security vulnerability" while at the same time you admit that you did
not check log files for "for months or years".

> Certainly, here is what I can find on my system:
> thomasthorne@thorne-ul-dt:~$ echo $http_proxy

since you don't have this set here, is it possible that it was at the
installation time?

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#844066: Bug#844066: clamav FTCBFS: build-depends on host architecture perl and python

[Sebastian Andrzej Siewior]

control: tags -1 pending

On 2016-11-12 09:42:18 [+0100], Helmut Grohne wrote:
> clamav fails to cross build from source, because it Build-Depends on the
> host architecture perl and python, both of which are neither installable
> nor executable. Indeed clamav only uses both interpreters as build
> tools. Thus it should ask for the build architecture instances of them.
> This can be achieved by annotating the respective dependencies with
> :native. After doing so cross building clamav succeeds. Please consider
> applying the attached patch.

Thanks, applied. I noticed that you did not use bc:native and then I
figured out that `bc' is not used during build so that one is gone.

> Helmut

Sebasian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#842074: Bug#842074: clamav-daemon: unowned directory after purge: /etc/systemd/system/clamav-daemon.service.d/

[Sebastian Andrzej Siewior]

control: tags -1 pending

On 2016-10-25 19:46:00 [+0200], Andreas Beckmann wrote:
> 1m3.1s ERROR: FAIL: Package purging left files on system:
>   /etc/systemd/system/clamav-daemon.service.d/ not owned

Interresting. So it is just a folder that remains after a purge of
clamav-daemon. However after the purge of clamav-freshclam that empty
folder is gone. And freshclam postrm is not touching that area.
I fixed the typo in clamav-daemon's postrm so this should be gone in the
next upload.

> cheers,
> 
> Andreas

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#839850: Bug#839850: clamav: FTBFS with LLVM 3.8

[Sebastian Andrzej Siewior]

On 2016-10-05 20:06:13 [+0200], Emilio Pozuelo Monfort wrote:
> configure: Using external LLVM
> checking for supported LLVM version... no (3.8.1)
> configure: error: LLVM < 3.7 required, but "3.8.1"(381) found
> configure: error: Failed to configure LLVM, and LLVM was explicitly requested

it is not as simple as telling configure that 3.8.x is fine, too. The
build will break later…

> I would like to get rid of some LLVM versions for Stretch, so I'd appreciate
> if you could make clamav work with LLVM 3.8 or 3.9.

if will look into 3.8 support. Unfortunately upstream isn't too eager to
keep up with llvm.

> Thanks,
> Emilio

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#838497: Bug#838497: libtfm1: Please add basic test coverage to build process

[Sebastian Andrzej Siewior]

On 2016-09-21 15:35:31 [+], Louis Bouchard wrote:
> A very basic test is available :
> make -f makefile.shared stest 
> 
>   ./stest 
>   
> Could you please consider adding the following test to the 
> debian/rules's override so some level of library testing
> is performed during the build process ?

this test is _very_ simple. It is so simple that I am not brave enough
to enable the asm optimisation just based on this.

Do you have time to work on a proper test (which would involve to get a
few changes to mtest) or do you just want stest to be enabled and be done
with it?

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#838405: Bug#838405: Updating the clamav Uploaders list

[Sebastian Andrzej Siewior]

control: tags -1 pending

On 2016-09-20 22:46:43 [+0200], Tobias Frost wrote:
> Stephen Gran  wishes no longer to be uploader of clamav.

as he wishes.
  
https://anonscm.debian.org/cgit/pkg-clamav/clamav.git/commit/?id=3d6c08594497121c9587d484ff3f0fff68d984b3

> Thanks.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] Patch to extend systemd socket support to more than two sockets

[Sebastian Andrzej Siewior]

On 2016-09-19 11:06:35 [+0200], Matthias Hörmann wrote:
> Hello
Hi,

> The current Debian jessie version of clamav does not allow systemd
> to pass more than two sockets (one UDS, one TCP) to the clamav daemon.
> 
> This prevents us from binding explicitly to several IP:port combinations.
> 
> We have been using the attached patch successfully in production for
> several versions to fix that issue but of course every new version of clamav
> breaks this again until we compile our own, patched version so I want to
> submit this patch for inclusion in the Debian patch series.

If you look at unstable (which is almost the same thing as jessie) you
will notice that I removed that socket support for systemd. The commits
are
 
https://anonscm.debian.org/cgit/pkg-clamav/clamav.git/commit/?id=3bdb184f87270d6f5053b1382e1ab0637e9fd74c
 
https://anonscm.debian.org/cgit/pkg-clamav/clamav.git/commit/?id=a4556736fe82424eab80d74f6ddca9c197d7321c
 
https://anonscm.debian.org/cgit/pkg-clamav/clamav.git/commit/?id=bdc1ee5fa19278b8955520b7e6796d9ffd90a8ba

Would it be correct to assume that your problem goes away once this
change lands in jessie?

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#817067: Bug#817067: Bug#817067: clamscan large archive DOS protection could be used to hide virus

[Sebastian Andrzej Siewior]

On 2016-03-07 21:32:22 [+0100], Sebastian Andrzej Siewior wrote:
> Sounds reasonable. I forwarded your report upstream.

proxy mode on.

|Kevin Lin 2016-03-10 21:24:37 CET
|Engine limitations, as well as certain non-fatal internal errors, are
|suppressed within the engine. This is done to simplify issues and
|suppress issues caused by a non-clean return code and allow the engine
|to continue parsing the file.
|
|The solution to the issue would be to track the limitation statuses,
|most likely in the scanning context and have clamscan changed to
|interpret the statuses. Note that this mostly likely would affect the
|ABI.

|Steven Morgan 2016-06-24 20:26:42 CEST May use a virus such as
|Heuristic.SizeLimitsExceeded under the control of clamd/clamscan option
|(BlockLimitsExceeded). Rational - its not really an error or a virus,
|but flagging an heuristic fits better within ClamAV processing modes.

proxy mode off.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#827909: Bug#827909: clamav-freshclam and clamav-daemon not starting after install

[Sebastian Andrzej Siewior]

On 2016-06-22 14:39:50 [+0200], Christian Ehrhardt wrote:
> ## The case ##
> 1. "sudo apt-get install clamav-daemon clamav-freshclam"
> 2. ClamAV doesn't start even though it should.
> 
> $ systemctl status clamav-daemon
> ● clamav-daemon.service - Clam AntiVirus userspace daemon
>Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled;
> vendor preset: enabled)
>Active: inactive (dead)
> Condition: start condition failed at Thu 2016-06-09 11:58:19 EEST; 7min ago
>  Docs: man:clamd(8)
>man:clamd.conf(5)
>http://www.clamav.net/lang/en/doc/
this is okay.

> $ systemctl status clamav-freshclam.service
> ● clamav-freshclam.service - ClamAV virus database updater
>Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled;
> vendor preset: enabled)
>Active: inactive (dead)
>  Docs: man:freshclam(1)
>man:freshclam.conf(5)
>http://www.clamav.net/lang/en/doc/
this is not.

> ## The issues ##
> #1 - freshclam not starting after install anymore (works in jessie)
>   => That part is a regression.

why did freshclam not start? An up to date sid:
|root@debsidamd64:/home/bigeasy/deb-clamav# dpkg -i 
clamav-freshclam_0.99.2+dfsg-2_amd64.deb
|Selecting previously unselected package clamav-freshclam.
|(Reading database ... 47039 files and directories currently installed.)
|Preparing to unpack clamav-freshclam_0.99.2+dfsg-2_amd64.deb ...
|Unpacking clamav-freshclam (0.99.2+dfsg-2) ...
|Setting up clamav-freshclam (0.99.2+dfsg-2) ...
|Created symlink 
/etc/systemd/system/multi-user.target.wants/clamav-freshclam.service → 
/lib/systemd/system/clamav-freshclam.service.
|Processing triggers for systemd (231-1) ...
|Processing triggers for man-db (2.7.5-1) ...
|root@debsidamd64:/home/bigeasy/deb-clamav# systemctl status 
clamav-freshclam.service
|● clamav-freshclam.service - ClamAV virus database updater
|   Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; 
vendor preset: enabled)
|   Active: active (running) since Wed 2016-08-10 23:53:22 CEST; 5s ago
| Docs: man:freshclam(1)
|   man:freshclam.conf(5)
|   http://www.clamav.net/lang/en/doc/
| Main PID: 20697 (freshclam)
|   CGroup: /system.slice/clamav-freshclam.service
|   ├─20697 /usr/bin/freshclam -d --foreground=true
|   └─20897 /usr/bin/freshclam -d --foreground=true
|
|Aug 10 23:53:22 debsidamd64 systemd[1]: Started ClamAV virus database updater.
|Aug 10 23:53:22 debsidamd64 freshclam[20697]: ClamAV update process started at 
Wed Aug 10 23:53:22 2016
|Aug 10 23:53:24 debsidamd64 freshclam[20697]: Downloading main.cvd [100%]

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824817: Bug#824817: Bug#824817: Please include bytecode.cvd in one .deb

[Sebastian Andrzej Siewior]

On 2016-05-22 12:14:29 [+0200], Sebastian Andrzej Siewior wrote:
> Ah. You scan for the eicar sample. Okay. So you try to do something like
> we do in [0] ? Because that shouldn't work:
> |$ sigtool -lbytecode.cvd
> |BC.Win32.Patched.User32
> |BC.PDF.{JS.HighEntropy}
> |BC.ClamAV-Test-File-detected-via-bytecode.{}
> |ClamAV-Test-File
> |Internal-Test-Signature
> 
> since I don't see the "Eicar-Test-Signature" in it. So if you use the
> bytecode.cvd from the clamav test-repo you have to test against the files
> in the testfiles package. 
> If this is what you plan then I could a file like sample.cvd which is
> the bytecode.cvd with the 5 signatures.

*ping*

> [0] https://sources.debian.net/src/clamav/0.99.2%2Bdfsg-2/debian/tests/clamd/

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#825055: Bug#825055: clamav: Mostly easy-to-fix lintian errors

[Sebastian Andrzej Siewior]

On 2016-05-23 08:59:54 [+0200], Peter Gervai wrote:
> Hello,
Hi Peter,

> This is mainly cosmetics, as most of the lintian errors are spelling errors
> or minor fixups:
> 
> https://lintian.debian.org/maintainer/pkg-clamav-de...@lists.alioth.debian.org.html#clamav
> 
> Still you might want to fix them.

Sure. What about a patch?

> g

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824196: Bug#824196: Bug#824196: clamav-daemon: clamd crashes daily

[Sebastian Andrzej Siewior]

On 2016-07-12 00:07:34 [+0200], Sebastian Andrzej Siewior wrote:
> I took 2015.NHMU_.AccessionForm_distributed-2.pdf and the
> local-js-sigs.ndb from the archive and could reproduce the bug on 0.99.2
> without any further changes. I applied the patch from upstream's
> bugzilla #11549 and I could not reproduce the issue anymore.

Will: do you want/need prebuild .deb packages for Squeeze?

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824196: Bug#824196: clamav-daemon: clamd crashes daily

[Sebastian Andrzej Siewior]

control: tags -1 + patch fixed-upstream upstream
control: forwarded -1 https://bugzilla.clamav.net/show_bug.cgi?id=11549

On 2016-07-08 10:57:02 [-0600], Will Aoki wrote:
> Posted at 
> ftp://ftp.umnh.utah.edu/general-temporary/clamav/var_lib_clamav.tar.bz2
thanks.

> After additional testing, I think the problem lies with
> local-js-sigs.ndb. WIth that file removed, clamav still dumps debug
> warnings (when configured per the clamd.conf in the tarball) but does
> not seem to leak file descriptors.

I took 2015.NHMU_.AccessionForm_distributed-2.pdf and the
local-js-sigs.ndb from the archive and could reproduce the bug on 0.99.2
without any further changes. I applied the patch from upstream's
bugzilla #11549 and I could not reproduce the issue anymore.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#829270: Bug#829270: tomsfastmath: please make the build reproducible

[Sebastian Andrzej Siewior]

control: tags -1 + pending fixed-upstream

On 2016-07-01 22:49:49 [+0200], Reiner Herrmann wrote:
> Hi!
Hi,

> While working on the "reproducible builds" effort [1], we have noticed
> that tomsfastmath could not be built reproducibly.
> A list of object files is unsorted, which causes a non-deterministic
> linking order.
> 
> The attached patch fixes this.

I commited your patch.
I don't mind getting a debdiff patch. But _please_ make a patch (talking
about reproducible-build.patch here) which follows a standard which is
used by quilt or git and that is:

|From: Author as you did
|Subject: Title
|
|description
|
|---
|Patch

> Regards,
>  Reiner

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#829597: Bug#829597: clamav-daemon: LocalSocket not created.

[Sebastian Andrzej Siewior]

On 2016-07-04 10:37:01 [-0400], Gordon Dickens wrote:
> Dear Maintainer,
Hi Gordon,

> I just upgraded three Debian exim mail servers from clamav 0.99 to clamav 
> 0.99.2 and now all three mail servers are broken. That is, I have LocalSocket 
> defined in /etc/clamav/clamd.conf as follows:

and you remained on Jessie, correct?

> LocalSocket /var/run/clamav/clamd.ctl
> 
> However, the /var/run/clamav/clamd.ctl socket is never created on any of the 
> three systems. Furthermore, the /var/run/clamav directory is never created at 
> boot time either. So, could this be a systemd issue? The bottom line is that 
> clamav is now totally broken which has subsequently broken exim's virus 
> checking as well. freshclam reports the following in /var/log/freshclam.log:

You should have /run which is a tmpfs:
|$ mount|grep "run "
|tmpfs on /run type tmpfs (rw,nosuid,relatime,size=1607508k,mode=755)

and /var/run should be a symlink:

|$ ls -l /var/ | grep "run "
|lrwxrwxrwx  1 root root  4 Aug  3  2013 run -> /run

and since you run systemd there should be two service files:
|# systemctl status clamav-daemon.socket
|● clamav-daemon.socket - Socket for Clam AntiVirus userspace daemon
|   Loaded: loaded (/lib/systemd/system/clamav-daemon.socket; enabled)
|  Drop-In: /etc/systemd/system/clamav-daemon.socket.d
|   └─extend.conf
|   Active: active (running) since Thu 2016-05-26 22:35:00 CEST; 1 months 8 
days ago
| Docs: man:clamd(8)
|   man:clamd.conf(5)
|   http://www.clamav.net/lang/en/doc/
|   Listen: /var/run/clamav/clamd.ctl (Stream)
|
|Warning: Journal has been rotated since unit was started. Log output is 
incomplete or unavailable.
|# systemctl status clamav-daemon.service
|● clamav-daemon.service - Clam AntiVirus userspace daemon
|   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled)
|   Active: active (running) since Thu 2016-05-26 22:35:00 CEST; 1 months 8 
days ago
| Docs: man:clamd(8)
|   man:clamd.conf(5)
|   http://www.clamav.net/lang/en/doc/
| Main PID: 11021 (clamd)
|   CGroup: /system.slice/clamav-daemon.service
|   └─11021 /usr/sbin/clamd --foreground=true
|

If you read the .socket file then you will see that one creates the
socket and the .service file depends on it. Uppon start, systemd passes
the socket to clamd then. I *assume* that the socket part is not started
for some reason on your machines.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] BUG: Upgrading clamav issue

[Sebastian Andrzej Siewior]

On 2016-06-25 09:53:27 [+0800], Zhang Huangbin wrote:
> Dear clamav maintainers,
Hi,

> i'm reporting an issue caused by upgrading ClamAV on Debian 8.
> 
> We had clamav running, then upgrade to the latest version (from official 
> debian apt repo, of course), then 'clamav-daemon' service cannot be started, 
> the error message from systemctl is:
> 
> clamd[2041]: ERROR: Parse error at line 11: Unknown option 
> AllowSupplementaryGroups
> clamd[2041]: ERROR: Can't open/parse the config file /etc/clamav/clamd.conf
> 
> Since parameter 'AllowSupplementaryGroups' was not supported by the latest 
> ClamAV, the package post-install or post-upgrade script should remove it from 
> config file directly.

Please remove the AllowSupplementaryGroups option from the config file.
After that it should work again. As Scott replied we have an update
pending which ignores the state the of the Option for Jessie (and you
will have to remove in the Stretch release).

> And the systemd service has to be re-enabled, or it does not start 
> automatically.

After that option has been removed, it should start again. Sorry for the
mess.

> Thanks for your attention and helping. :)

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] ClamAV Package on Wheezy

[Sebastian Andrzej Siewior]

On 2016-06-30 09:36:18 [+0300], Klaipedaville on Google wrote:
> Hello there,
Hi,

> It’s been almost half a year since I’ve been getting this "Clamav is 
> outdated, don't panic" message in my logs and patiently waiting for updates. 
> I was wondering is it not available / coming any more in packages and we are 
> on our own now to compile it from sources? Could anybody advise, please? Many 
> thanks!

Wheezy is now in the hands of the Debian-LTS team. I won't do an upload
but according to my IRC backlog someone from LTS team is looking into
this. I CCed the LTS team to ACK/NACK my statement :)

> Regards,
> Dennis.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#828083: Bug#828083: bind9: clamav with openssl 1.1: Doesn't find openssl

[Sebastian Andrzej Siewior]

control: forwarded -1 https://bugzilla.clamav.net/show_bug.cgi?id=11594
control: tags -1 + patch

On 2016-06-24 21:20:07 [+0200], Kurt Roeckx wrote:

> Your package is FTBFS with openssl 1.1:
…
> Kurt

Sebastian
>From f6e66c4b73cc4a0ce813c19ee210c8d974cf0787 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior 
Date: Sat, 2 Jul 2016 00:12:01 +0200
Subject: [PATCH] make it compile against openssl 1.1.0

- SSL_library_init() is no longer a function but a define invoking
  another function with parameters. Thus a link check against this
  function will fail. As a fix AC_LINK_IFELSE is used so the header file
  can be included.

- X509_CRL is opaque and needs an accessor. X509_CRL_get_nextUpdate() is
  around since OpenSSL 0.9.1c. X509_cmp_current_time() seems to be
  around since SSLeay 0.8.1b.

BTS: https://bugs.debian.org/828083

Signed-off-by: Sebastian Andrzej Siewior 
---
 libclamav/crypto.c| 21 ++---
 m4/reorganization/libs/openssl.m4 | 12 +---
 2 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/libclamav/crypto.c b/libclamav/crypto.c
index c62c65a..4be900f 100644
--- a/libclamav/crypto.c
+++ b/libclamav/crypto.c
@@ -1096,7 +1096,6 @@ X509_CRL *cl_load_crl(const char *file)
 {
 X509_CRL *x=NULL;
 FILE *fp;
-struct tm *tm;
 
 if (!(file))
 return NULL;
@@ -1110,21 +1109,13 @@ X509_CRL *cl_load_crl(const char *file)
 fclose(fp);
 
 if ((x)) {
-tm = cl_ASN1_GetTimeT(x->crl->nextUpdate);
-if (!(tm)) {
-X509_CRL_free(x);
-return NULL;
-}
+	ASN1_TIME *tme;
 
-#if !defined(_WIN32)
-if (timegm(tm) < time(NULL)) {
-X509_CRL_free(x);
-free(tm);
-return NULL;
-}
-#endif
-
-free(tm);
+	tme = X509_CRL_get_nextUpdate(x);
+	if (!tme || X509_cmp_current_time(tme) < 0) {
+		X509_CRL_free(x);
+		return NULL;
+	}
 }
 
 return x;
diff --git a/m4/reorganization/libs/openssl.m4 b/m4/reorganization/libs/openssl.m4
index 78e2c23..45ee02d 100644
--- a/m4/reorganization/libs/openssl.m4
+++ b/m4/reorganization/libs/openssl.m4
@@ -26,12 +26,13 @@ save_LDFLAGS="$LDFLAGS"
 save_CFLAGS="$CFLAGS"
 save_LIBS="$LIBS"
 
-SSL_LIBS="-lssl -lcrypto -lz"
+SSL_LIBS="$LIBS -lssl -lcrypto -lz"
+LIBS="$LIBS $SSL_LIBS"
 
 if test "$LIBSSL_HOME" != "/usr"; then
 SSL_LDFLAGS="-L$LIBSSL_HOME/lib"
 SSL_CPPFLAGS="-I$LIBSSL_HOME/include"
-LDFLAGS="-L$LIBSSL_HOME/lib $SSL_LIBS"
+LDFLAGS="-L$LIBSSL_HOME/lib"
 CFLAGS="$SSL_CPPFLAGS"
 else
 SSL_LDFLAGS=""
@@ -41,7 +42,12 @@ fi
 have_ssl="no"
 have_crypto="no"
 
-AC_CHECK_LIB([ssl], [SSL_library_init], [have_ssl="yes"], [AC_MSG_ERROR([Your OpenSSL installation is misconfigured or missing])], [-lcrypto -lz])
+AC_LINK_IFELSE(
+	   [AC_LANG_PROGRAM([[#include ]],
+[[SSL_library_init();]])],
+	   [have_ssl="yes";],
+	   [AC_MSG_ERROR([Your OpenSSL installation is misconfigured or missing])])
+
 
 AC_CHECK_LIB([crypto], [EVP_EncryptInit], [have_crypto="yes"], [AC_MSG_ERROR([Your OpenSSL installation is misconfigured or missing])], [-lcrypto -lz])
 
-- 
2.8.1

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#826607: jessie-pu: package clamav/0.99.2+dfsg-0+deb8u2

[Sebastian Andrzej Siewior]

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: jessie
Severity: normal

The last version (0.99.2+dfsg-0+deb8u1) removed AllowSupplementaryGroups
and hit stable over the weekend. Now Hans van Kranenburg had an
unattended upgrade and the config file was not fixed up (i.e. the option
removed as suggested during the upgrade process). clamav did not start,
he fixed it manually and reported #826406.
This update will ignore the AllowSupplementaryGroups option whether set
or not and the behaviour will remain unchanged. All binaries will behave
the same except they won't complain about the AllowSupplementaryGroups
option. The plan is not to push this change into unstable so people
upgrading Jessie -> Stretch have to have this option removed at this
point.

I am not sure if this update makes sense at this point since most people
got probably bitten by this, cursed my name and moved on. So if you
think that this update makes sense here it is - otherwise...

Sebastian
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 462fb68..286a2a5 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-2489109e048f803a6019c00671cff2b43f139555
-2489109e048f803a6019c00671cff2b43f139555
+279c06a817c13eb22dc3ade949ea8b4a8aea9825
+279c06a817c13eb22dc3ade949ea8b4a8aea9825
 48a96d2a3f0f4aca12f39f62a53fe1671a6e15a2
 48a96d2a3f0f4aca12f39f62a53fe1671a6e15a2
 clamav_0.99.2+dfsg.orig.tar.xz
diff --git a/debian/changelog b/debian/changelog
index 9cde7f8..5ebcb45 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+clamav (0.99.2+dfsg-0+deb8u2) stable; urgency=medium
+
+  * Don't fail if AllowSupplementaryGroups is still set in the config file but
+ignore it and continue (Closes: #826406).
+
+ -- Sebastian Andrzej Siewior   Mon, 06 Jun 2016 22:06:52 +0200
+
 clamav (0.99.2+dfsg-0+deb8u1) stable; urgency=medium
 
   * Import new Upstream.
diff --git a/debian/patches/ingore-AllowSupplementaryGroups-option.patch b/debian/patches/ingore-AllowSupplementaryGroups-option.patch
new file mode 100644
index 000..b152276
--- /dev/null
+++ b/debian/patches/ingore-AllowSupplementaryGroups-option.patch
@@ -0,0 +1,28 @@
+From 279c06a817c13eb22dc3ade949ea8b4a8aea9825 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior 
+Date: Mon, 6 Jun 2016 21:17:34 +0200
+Subject: Ignore AllowSupplementaryGroups if set
+
+Ignore the AllowSupplementaryGroups option if set. This should ease
+stable auto upgrade in case nobody touches the config files.
+
+BTS: https://bugs.debian.org/826406
+Patch-Name: ingore-AllowSupplementaryGroups-option.patch
+Signed-off-by: Sebastian Andrzej Siewior 
+---
+ shared/optparser.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/shared/optparser.c b/shared/optparser.c
+index e2b28cc..f8911ea 100644
+--- a/shared/optparser.c
 b/shared/optparser.c
+@@ -285,6 +285,8 @@ const struct clam_option __clam_options[] = {
+ 
+ { "User", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD | OPT_MILTER, "Run the daemon as a specified user (the process must be started by root).", "clamav" },
+ 
++{ "AllowSupplementaryGroups", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER, "Initialize a supplementary group access (the process must be started by root).", "no" },
++
+ /* Scan options */
+ { "Bytecode", "bytecode", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "With this option enabled ClamAV will load bytecode from the database. It is highly recommended you keep this option on, otherwise you'll miss detections for many new viruses.", "yes" },
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 82aadd6..3c7804d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ clamav_add_private_fts_implementation.patch
 fix-ssize_t-size_t-off_t-printf-modifier.patch
 libclamav-use-libmspack.patch
 drop-AllowSupplementaryGroups-option-and-make-it-def.patch
+ingore-AllowSupplementaryGroups-option.patch
diff --git a/shared/optparser.c b/shared/optparser.c
index e2b28cc..f8911ea 100644
--- a/shared/optparser.c
+++ b/shared/optparser.c
@@ -285,6 +285,8 @@ const struct clam_option __clam_options[] = {
 
 { "User", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD | OPT_MILTER, "Run the daemon as a specified user (the process must be started by root).", "clamav" },
 
+{ "AllowSupplementaryGroups", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_FRESHCLAM | OPT_MILTER, "Initialize a supplementary group access (the process must be started by root).", "no" },
+
 /* Scan options */
 { "Bytecode", "bytecode", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD 

[Pkg-clamav-devel] Bug#826406: Bug#826406: Too abrupt removal of AllowSupplementaryGroups option in stable

[Sebastian Andrzej Siewior]

On 2016-06-05 13:27:08 [+0200], Hans van Kranenburg wrote:
> Hi Maintainer,
Hi,

> The version in the main Debian Stable archive (so not in the additional
> jessie-updates) has the option AllowSupplementaryGroups removed (see
> #822444), which prevents the program from starting when this option is
> present in the configuration file:
> 
> clamd[27916]: ERROR: Parse error at line 12: Unknown option
> AllowSupplementaryGroups
> clamd[27916]: ERROR: Can't open/parse the config file /etc/clamav/clamd.conf
> 
> I had to set this option to be able to use clamav with postfix on my
> incoming mail servers, and I should not expect them to stop processing mail
> because of stable updates.
> 
> Updates of packages in Debian Stable must never break existing installations
> by changing APIs (configuration file considered being some kind of API).

I wasn't aware that this might break existing installations. I had always the
debconf popping up and the the diff was simple so…

> At least make the option deprecated and ignore it with a warning if set, and
> only make it disappear when upgrading to Stretch.

So you want me to do another stable update and ignore this option if
set/unset. Sounds reasonable give the circumstances. Did you have
unattended-upgrades running?

> Thanks,

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824196: Bug#824196: clamav-daemon: clamd crashes daily

[Sebastian Andrzej Siewior]

On 2016-05-23 16:26:51 [-0600], Will Aoki wrote:
> After a fresh start, it's steady at 9 until I scan the file at
> ,
> after which it increases. Scanning other PDFs from 
> 
> also makes clamd leak file descriptors, as do all the PDFs from outside
> sources that I've tried.

That is something. Would you mind to send me your clamd.conf +
/var/lib/clamav without the daily.cvd + main.cvd? I just tried it with
those pdf and nothing here leaks fds.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824196: Bug#824196: clamav-daemon: clamd crashes daily

[Sebastian Andrzej Siewior]

On 2016-05-23 09:02:34 [-0600], Will Aoki wrote:
> ERROR: accept() failed:
> LibClamAV Error: cli_tgzload: Can't duplicate descriptor 468
> LibClamAV Error: Can't load /var/lib/clamav/bytecode.cld: Can't duplicate 
> file descriptor
> LibClamAV Error: cli_loaddbdir(): error loading database 
> /var/lib/clamav/bytecode.cld
> ERROR: reload db failed: Can't duplicate file descriptor
> Terminating because of a fatal error.
> ERROR: Can't unlink the pid file /var//run/clamd.pid

This makes sense. The "accept()" error (which isn't complete for some
reason) is just something that gets logged. The reason why clamd
terminates is the failure during reloading of the database which is due
to the failure of dup(). And this in turn is probably (as you said in
your previous email) because the process runs out of file descriptors.

I get:
|$ ls -1 /proc/$(pidof clamd)/fd/ |wc -l
|9

After "clamdscan /usr/share/clamav-testfiles/*" (from the
clamav-testfiles package) it remains at nine. I bet that you have one
test file which keeps the number of descriptors growing. Could you
please figure out which one it is?

> and returns 1.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824817: Bug#824817: Please include bytecode.cvd in one .deb

[Sebastian Andrzej Siewior]

On 2016-05-21 03:26:54 [+0200], Mathieu Parent (Debian) wrote:
> I need this for clamd. I currently do:
> http://anonscm.debian.org/cgit/collab-maint/c-icap-modules.git/tree/debian/tests/virus-scan?id=846f5eaf67f92edb26775317dd4ad1699c61a681
> 
> But this dowork offline.

Ah. You scan for the eicar sample. Okay. So you try to do something like
we do in [0] ? Because that shouldn't work:
|$ sigtool -lbytecode.cvd
|BC.Win32.Patched.User32
|BC.PDF.{JS.HighEntropy}
|BC.ClamAV-Test-File-detected-via-bytecode.{}
|ClamAV-Test-File
|Internal-Test-Signature

since I don't see the "Eicar-Test-Signature" in it. So if you use the
bytecode.cvd from the clamav test-repo you have to test against the files
in the testfiles package. 
If this is what you plan then I could a file like sample.cvd which is
the bytecode.cvd with the 5 signatures.

[0] https://sources.debian.net/src/clamav/0.99.2%2Bdfsg-2/debian/tests/clamd/

> 
> Regards

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824817: Bug#824817: Please include bytecode.cvd in one .deb

[Sebastian Andrzej Siewior]

On 2016-05-20 07:05:11 [+0200], Mathieu Parent wrote:
> Hi,
Hi,

> There is no offline way to test clamav. I need this to ensure c-icap is
> working properly using autopkgtest.
> 
> I propose that you include bytecode.cvd in clamav-testfiles.

bytecode.cvd? You mean that you need a sig database for malware testing?
Becase if you need something to test against the samples provided by
clamav-testfiles then you can use A `hdb' file that contains

aa15bcf478d165efd2065190eb473bcb:544:ClamAV-Test-File

For example:

|$ echo "aa15bcf478d165efd2065190eb473bcb:544:ClamAV-Test-File" > clamav.hdb
|$ $ clamscan -d clamav.hdb /usr/share/clamav-testfiles/clam.exe 
|/usr/share/clamav-testfiles/clam.exe: ClamAV-Test-File.UNOFFICIAL FOUND
|
|--- SCAN SUMMARY ---
|Known viruses: 1
|Engine version: 0.99.2
|Scanned directories: 0
|Scanned files: 1
|Infected files: 1
|Data scanned: 0.00 MB
|Data read: 0.00 MB (ratio 0.00:1)
|Time: 0.007 sec (0 m 0 s)

Is this what you are looking for?

> Thanks

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824042: Bug#824042: gets into kill/restart loop

[Sebastian Andrzej Siewior]

On 2016-05-12 19:47:17 [-0300], Felipe Sateler wrote:
> > This functionality will come with systemd 230:
> > https://github.com/systemd/systemd/pull/3148 , so nothing out of the
> > box yet.
> >
> > A more involved solution (but working right now) would be to have
> > OnFailure=clamav-failed.service and have clamav-failed.service stop
> > the socket.
> 
> For clarification: this would stop the socket only on failure. A
> simpler solution that would stop the socket always would be to have
> 
> ExecStopPost=/bin/systemctl --no-block stop clamav-daemon.socket
> 
> On the service. If clamav-daemon never exits on its own, then this
> might be a better solution

Thank you very much for your feedback.
So there is something Joey can try/use for now. In the longterm we need
think if we want to keep the socket activation. I think it was
introduced so freshclam can kick clamd to start after initial
instalation (once the virus database was donwloaded). Sadly it did not
work as expected because systemd evalutated the "condition" only once.
>From the bug history it is fixed for systemd in unstable but not stable.

Now with the background of getting killed repeatedly by OOM it makes me
wonder if we still want that. Adding RestartOnFailure with a delay of 1
minute or so to clamav-daemon.service would probably do the job, too.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824196: Bug#824196: clamav-daemon: clamd crashes daily

[Sebastian Andrzej Siewior]

control: tags -1 + moreinfo

On 2016-05-17 10:18:48 [-0600], Will Aoki wrote:
> It doesn't dump core. Memory grows very slightly over time. The very end
> of the debug log and a journal of memory use are attached; error code
> will be available once I run it again without nohup.

it seems to grow a little and get back. So it does not look like leak.

> > If you manage to give me something to reproduce it locally (like a VM
> > image) I might try it when I have some time.
> 
> I'll see if I can put a test case together.

okay, thanks.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#823513: clamav-freshclam: freshclam fails to download daily.cvd and clamav do not start

[Sebastian Andrzej Siewior]

On 2016-05-06 23:51:13 [+0200], Sebastian Andrzej Siewior wrote:
> > Update failed. Your network may be down or none of the mirrors listed in
> > /etc/clamav/freshclam.conf is working. Check
> > http://www.clamav.net/doc/mirrors-faq.html for possible reasons.
> 
> To get rid of the "Ignoring mirror … due to previous errors" you need to
> either wait or remove /var/lib/clamav/mirrors.dat - that is where it
> information comes from.
> Then you can try again and show what goes wrong.

One thing that comes to mind is that it could blacklist the two servers
if they did not have the signatures *yet*
I assume the problem is gone, can you please confirm?

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824485: Bug#824485: clamav-freshclam: Segfault

[Sebastian Andrzej Siewior]

On 2016-05-16 19:33:58 [+0200], Kurt Roeckx wrote:
> I'm guessing there is some ABI breakage between the 2 versions.

So now learnt how to use/ read abipkgdiff properly:

|  in unqualified underlying type 'struct cl_engine' at others.h:250:1:
|type size changed from 8640 to 8704 bits
|1 data member insertion:
|  'cli_matcher* cl_engine::test_root', at offset 1472 (in bits) at 
others.h:312:1

it is not *that* obvious. cl_engine is an anonymous struct used as
handle so a change here should not matter. However clamd + freshclam
know the struct, access the members directly and pass members from it to
other functions from the library like cli_bytecode_prepare2() where the
bom happens. The member insertion moved one pointer which was read
in freshclam and passed to the library.
Since this function is declared as CLAMAV_PRIVATE nobody but clamav
itself should access it. Also the struct is not publicly exported so
the damage is really contained within the clamav package. As a
consequence I'm going make sure that we bumb the private symbols in the
symbols file on each major release to ensure that all packages from this
source package depend on the latest libclamav7 if they need it.

> Kurt
Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824485: Bug#824485: clamav-freshclam: Segfault

[Sebastian Andrzej Siewior]

On 2016-05-16 17:32:55 [+0200], Kurt Roeckx wrote:
> Received signal: wake up
> ClamAV update process started at Mon May 16 15:52:55 2016
> main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: 
> amishhammer)
> Downloading daily-21555.cdiff [100%]
> Downloading daily-21556.cdiff [100%]
> ERROR: Database load killed by signal 11
> ERROR: Failed to load new database

Could you please install the dbg package for freshclam + libclamav7 and send
a gdb backtrace?
I have here:
|# freshclam 
|ClamAV update process started at Mon May 16 19:02:44 2016
|main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: 
amishhammer)
|Downloading daily-21518.cdiff [100%]
…
|Downloading daily-21555.cdiff [100%]
|Downloading daily-21556.cdiff [100%]
|daily.cld updated (version: 21556, sigs: 143888, f-level: 63, builder: neo)
|bytecode.cvd is up to date (version: 277, sigs: 47, f-level: 63, builder: neo)
|Database updated (4362725 signatures) from db.fr.clamav.net (IP: 178.32.100.7)
|Clamd successfully notified about the update.

on my sid-amd64 box.

> Kurt

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824196: Bug#824196: clamav-daemon: clamd crashes daily

[Sebastian Andrzej Siewior]

On 2016-05-13 14:06:27 [-0600], Will Aoki wrote:

> That's it. A space is logged after the colon, but nothing else.

interresting. The source says that there should be more.
Your bug report says you run i386. Is this the case for the server or
just the machine you made the report?

> May 13 08:56:05 skunk clamd[12310]: accept() failed:
> May 13 08:56:05 skunk clamd: Last message 'accept() failed: ' repeated 198 
> times, suppressed by syslog-ng on [the loghost]
> May 13 08:56:11 skunk clamd[12310]: accept() failed:
> May 13 08:56:11 skunk clamd: Last message 'accept() failed: ' repeated 199 
> times, suppressed by syslog-ng on [the loghost]

Ah right, there two loops. So clamd tries mutliple times and somehow
always runto into the same error.

> I've noticed that /tmp is filling up with directories named e.g.
> clamav-fe97224f9fa888d6e2d47ddfee0ca573.tmp

Those are created by some filetypes during scan but should have been
cleaned up. You can remove them. But this looks like it terminated in a
hurry.

Could you enable debug loglevel? Maybe it logs something usefull. 
Also would it be possible to enable core dumps and see if it dumps
something? Could start clamd from commandline in foreground so you can
log its exit code? Ah. And could please check with top or something if
the memory of clamd grows overtime? In case it has a memory leak
somewhere.

If you manage to give me something to reproduce it locally (like a VM
image) I might try it when I have some time.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824196: Bug#824196: clamav-daemon: clamd crashes daily

[Sebastian Andrzej Siewior]

On 2016-05-13 09:43:24 [-0600], Will Aoki wrote:
> After upgrading from 0.98.7+dfsg-0+deb7u1 to 0.99+dfsg-0+deb7u2 two
> months ago, clamd on one of our servers has crashed approximately daily.
> It's rarely stayed running for more than 24 hours. 
> 
> Before crashing, the daemon spews the message
> 
>accept() failed:
This is it? Nothing more? There should be an error message included
after the colon.

> The kernel is not reporting segfaults or OOM.

Correct. Based on the source code the `accapt()' function failed and
therefore the daemon terminated.

> On this particular server, clamd is used by clamav-milter. A Nagios
> check script also runs clamdscan about every five minutes against a CAB,
> an EXE, a bzip2'd EXE and a zip file that alll contain
> "Clamav.Test.File-6". As of a Monday (long after the problem starte),
> the script has started scanning another file we've had false-positive
> problems with.

You mean you gave a "normal" file and it was reported as a virus?

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#824042: Bug#824042: gets into kill/restart loop

[Sebastian Andrzej Siewior]

On 2016-05-11 12:12:42 [-0400], Joey Hess wrote:
> Looks like it was being killed each time by the OOM killer. Which makes
> sense; clamav uses 18% of the system's 2 gb of ram and so will be the
> top target.
> 
> I think there should be something to prevent this runaway scenario.
> Maybe a delay, or maybe avoid restarting repeatedly.
> 
> May  8 13:58:14 kite kernel: [12577316.169029] Out of memory: Kill
> process 14646 (clamd) score 115 or sacrifice child
> May  8 13:58:14 kite kernel: [12577316.169043] Killed process 14646
> (clamd) total-vm:425680kB, anon-rss:264680kB, file-rss:0kB
> May  8 13:58:29 kite kernel: [12577330.925647] Out of memory: Kill
> process 14662 (clamd) score 115 or sacrifice child
> May  8 13:58:29 kite kernel: [12577330.925663] Killed process 14662
> (clamd) total-vm:425936kB, anon-rss:264684kB, file-rss:12kB

This does not look like multiple times per seond.
If I 'kill -9 `pidif clamd`' then it does not come back. The service
file does not say to restart it:

|systemctl show clamav-daemon.service | grep Restart
|Restart=no
|RestartUSec=100ms

So it remains offs. However we have socket activation for clamd. So
assuming that you have a mailserver poking at the socket then it will
bring clamd back from the death.

I have no idea how to limit / disable the restart or make it
configurable in this case. Maybe someone with systemfoo has an idea :)

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] Initial start of clamav-daemon

[Sebastian Andrzej Siewior]

On 2016-04-22 18:31:10 [+0200], Dilyan Palauzov wrote:
> Hello,
Hi,

> My understanding is that during service start ConditionPathExistsGlob is
> checked once and if it fails, it is not retried, contrary to something like
> ExecStartPre=/bin/bash -c 'while ! [ -s /var/lib/clamav/main.inc -o -s
> /var/lib/clamav/main.cvd -o -s /var/lib/clamav/main.cld ) -a  ( -s
> /var/lib/clamav/daily.inc -o -s /var/lib/clamav/daily.cvs -o -s
> /var/lib/clamav/daily.cld ] ; do sleep 1 ; done ' .

I kind of don't like this.

> For the mentioned reasons with the current configuration clamd is not going
> to start automatically, once freshclam has downloaded all the files.
> 
> I propose removing the ConditionPathExistsGlob from
> clamav-daemon.s(ervice,ocket). Then, once freshclam is ready, it will notify
> clamd over the socket, systemd will start clamd because of
> clamav-daemon.socket  and everything is fine.  If somebody tries to contact
> the socket before freshclam is ready, and clamd starts and fails due to
> missing databases, we have the current situation: in order to start clamd,
> it has to be restarted manually, once the databases have been downloaded.
> So removing ConditionPathExistsGlob is an improvement, as it boots the
> system correctly in more cases, than now.

Now that I had the time to look at this. Removing the glob from socket
could bring #775458. Not sure if we get the same behaviour if we remove
the glob from both.
I just tried this on my Jessie VM and I don't see the problem:
install both, start the daemon:
|root@deb8i386:~# systemctl status clamav-daemon.service
|● clamav-daemon.service - Clam AntiVirus userspace daemon
|   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled)
|   Active: inactive (dead) since Sat 2016-05-07 16:04:03 CEST; 2min 3s ago
|   start condition failed at Sat 2016-05-07 16:04:29 CEST; 1min 37s ago
|   ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc} was not 
met
| Docs: man:clamd(8)
|   man:clamd.conf(5)
|   http://www.clamav.net/lang/en/doc/
|  Process: 1919 ExecStart=/usr/sbin/clamd --foreground=true (code=exited, 
status=0/SUCCESS)
| Main PID: 1919 (code=exited, status=0/SUCCESS)

does not work yet. Wait for freshclam. Try start again and then:
|root@deb8i386:~# systemctl status clamav-daemon.service
|● clamav-daemon.service - Clam AntiVirus userspace daemon
|   Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled)
|   Active: active (running) since Sat 2016-05-07 16:06:09 CEST; 1s ago
| Docs: man:clamd(8)
|   man:clamd.conf(5)
|   http://www.clamav.net/lang/en/doc/
| Main PID: 1972 (clamd)
|   CGroup: /system.slice/clamav-daemon.service
|   └─1972 /usr/sbin/clamd --foreground=true

This problem of manual start is only there after a fresh install. On
SystemV we print a warning/error message so the user does a manual start.
Maybe we should do the same for SystemD or document it better.

Now you have just the pain start it manually once freshclam is done.
If we would allow to start clamd with an empty database then you would
have your auto trigger from freshclam. And what about exim/postfix
asking for the socket to scan something? I *think* we could reject them
until the dabase is available. After all the system is not yet properly
setup. All requested for the socket would be rejected anyway.

> Greetings
>   Dilian

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#816272: Bug#816272: clamav-freshclam: logrotate errors out with "gzip: stdin: file size changed while zipping"

[Sebastian Andrzej Siewior]

On 2016-05-05 14:31:31 [+0200], Christian Pernegger wrote:
> Hello!
Hi,

> So it seems to me like it has migrated to stable, and a while ago at that,
> or at least volatile / stable-updates. Or am I missing something?

No, this is correct. You reported the bug against 0.98.7+dfsg-0+deb8u1
and this version did not have the change. 

The question is now, what did you do to make the logrotate message go
away? Was it the upgrade to current stable or something else? If it was
the upgrade then yes, it is likely a duplicate of the other bug and can
be closed / merged.

> Cheers,
> C.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#823513: Bug#823513: clamav-freshclam: freshclam fails to download daily.cvd and clamav do not start

[Sebastian Andrzej Siewior]

On 2016-05-06 15:10:39 [+0200], Simone Piccardi wrote:
> Yes, I tried.
> No, it's not a temporary or a network problem.
> The error messages/WARNING are the same I already reported.

The message regarding 0.90.0 is old and 0.90.2 is current is harmless.

> Anyway I reinstalled everything (using a VM snapshot) from the start two
> time, with the same result. This is the effect of:
> 
> root@jessie:~# systemctl stop clamav-freshclam.service
> root@jessie:~# freshclam -v
…
> Querying current.cvd.clamav.net
…
> Retrieving http://db.local.clamav.net/daily.cvd
> Ignoring mirror 195.154.7.176 (due to previous errors)
> Ignoring mirror 90.147.160.69 (due to previous errors)
> Ignoring mirror 195.154.7.176 (due to previous errors)
> Ignoring mirror 90.147.160.69 (due to previous errors)
> WARNING: Can't download daily.cvd from db.local.clamav.net

I assume that db.local.clamav.net points to db.it.clamav.net for you and
this in turn resolved to two hosts. Both are ignored due to previous
errors and therefore 

> Trying again in 5 secs...

freshclam does nothing.

> Giving up on database.clamav.net...

this is another hosts however it is an alias for db.local.clamav.net so
you get the same IPs in return. 

> Update failed. Your network may be down or none of the mirrors listed in
> /etc/clamav/freshclam.conf is working. Check
> http://www.clamav.net/doc/mirrors-faq.html for possible reasons.

To get rid of the "Ignoring mirror … due to previous errors" you need to
either wait or remove /var/lib/clamav/mirrors.dat - that is where it
information comes from.
Then you can try again and show what goes wrong.

> If I understand correctly the clamav FAQ the warning:
> 
> "WARNING: Your ClamAV installation is OUTDATED!"
> 
> means that current version of freshclam will always fail to download that
> file.

No, freshclam remains to work.
http://www.clamav.net/documents/official-mirror-faq CTRL-F is ou

> There is Local version: 0.99 and recommended 0.99.2, so until there is a way
> to relax that restriction, or accept a different minor version, or release
> an updated package, clamav-daemon will break.

This is just a warning. Freshclam is still working, so is clamav-daemon:
|# freshclam 
|ClamAV update process started at Fri May  6 23:41:31 2016
|WARNING: Your ClamAV installation is OUTDATED!
|WARNING: Local version: 0.99 Recommended version: 0.99.2
|DON'T PANIC! Read http://www.clamav.net/support/faq
|main.cvd is up to date (version: 57, sigs: 4218790, f-level: 60, builder: 
amishhammer)
|WARNING: getfile: daily-21517.cdiff not found on remote server (IP: 
2620:121:0:23::67)
|WARNING: getpatch: Can't download daily-21517.cdiff from db.ipv6.clamav.net
|Downloading daily-21517.cdiff [100%]
|daily.cld updated (version: 21517, sigs: 98748, f-level: 63, builder: neo)
|bytecode.cld is up to date (version: 277, sigs: 47, f-level: 63, builder: neo)
|Database updated (4317585 signatures) from db.ipv6.clamav.net (IP: 
2001:41d0:2:9aba::1)
|Clamd successfully notified about the update.

As you see, it failed to download the file from 2620:121:0:23::67.

> Regards
> Simone

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#823513: Bug#823513: clamav-freshclam: freshclam fails to download daily.cvd and clamav do not start

[Sebastian Andrzej Siewior]

On 2016-05-05 15:52:43 [+0200], Simone Piccardi wrote:
> After installing clamav-freshclam I got these in syslog:
> May  5 15:32:29 jessie freshclam[4851]: ERROR: Can't download daily.cvd from 
> database.clamav.net
> May  5 15:32:29 jessie freshclam[4851]: Giving up on database.clamav.net...
> May  5 15:32:29 jessie freshclam[4851]: Update failed. Your network may be 
> down or none of the mirrors listed in /etc/clamav/freshclam.conf is working. 
> Check http://www.clamav.net/doc/mirrors-faq.html for possible reasons.

…

> So there is no /var/lib/clamav/daily.cvd downloaded and clamav-daemon was 
> not started, silently failing (no trace in syslog also). I just got it 
> because amavis was angry, and then I got the problem with:
> 
> root@jessie:~# systemctl status clamav-daemon
> ● clamav-daemon.service - Clam AntiVirus userspace daemon
>Loaded: loaded (/lib/systemd/system/clamav-daemon.service; enabled)
>Active: inactive (dead) since gio 2016-05-05 15:45:31 CEST; 28s ago
>start condition failed at gio 2016-05-05 15:45:53 CEST; 6s ago
>ConditionPathExistsGlob=/var/lib/clamav/daily.{c[vl]d,inc} was not 
> met

yeah. as long as the database is missing you can't start clamd.

> I have jessie-updates in my sources list, and I could just plain take the 
> file 
> with wget, so it's not a network problem.
> 
> I could solve the issue downloading the file with:
> 
> cd /var/lib/clamav/
> wget http://database.clamav.net/daily.cvd
> 
> after this clamav-daemon was startable, but the clamav-freshclam package 
> now is just broken, do not work, and the current configuration prevent 
> also clamav-daemon to work.

can you try `freshclam' on the command line and see if it works? It should
work and so should freshclam from cron. It might been a temporary problem.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#816272: clamav-freshclam: logrotate errors out with "gzip: stdin: file size changed while zipping"

[Sebastian Andrzej Siewior]

On 2016-04-05 10:43:13 [+0200], Christian Pernegger wrote:
> Hi,
Hi,

> no error e-mail this week, yay!
> 
> It looks like this is/was a duplicate of #788652 in the end (at least
> the clamav-freshclam part of it). If you agree, please close & merge
> as appropriate.

indeed. This did not yet migrate into stable. What is your change that
you made to make it go away?
But you are right. The reload fails if it is started from cron. Not sure
if the error message is the same :)

> Thank you,
> Christian

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#823074: clamav: Fix LSB init output

[Sebastian Andrzej Siewior]

control: tags -1 pending

On 2016-05-04 02:00:22 [+0200], Guillem Jover wrote:
> Hi!
Hi,

> I checked those when fixing freshclam, and they looked fine, but it's
> true that they might also miss --quiet for start-stop-daemon itself.

Oki. Added to your patch:
https://anonscm.debian.org/cgit/pkg-clamav/clamav.git/commit/?id=8f6bb8f02a7c6fbfb0fdbdf3ae40c3e83dad00f0

> Thanks,
> Guillem

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#822444: Solved

[Sebastian Andrzej Siewior]

control: tags -1 patch pending
control: forwarded -1 https://bugzilla.clamav.net/show_bug.cgi?id=11557 
control: found -1 0.98.5~beta1+dfsg-1

On 2016-05-01 17:33:02 [+0200], Xavier Quost wrote:
> Hello Sebastian
Hi Xavier,

> Basically I was cloning configuration for mail server from wheezy to Jessie  
> and could not understand my mistake. Confronting configuration files between 
> wheezy and Jessie seeing nothing relevant lead me to look at init process.

yeah and I don't think this should happen.

> A simple comment in clamd configuration files like "clamd started with 
> systemd is enforcing strongly this options whereas started with sysinit it 
> might not" would have been enough for not bothering you.
maybe but people still need to read this and connect the dots. And when I
upgrade from oldstable to stable I am very glad about things I don't
have to deal with :)
Anyway. I removed the config option and it does not look that upstream
is insisting on it. So I will push this change in the next unstable upload
and hope that we won't carry that patch for long.

> Best regards and thanks for your kind explanations.
you are welcome.

> XQ

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#823074: clamav: Fix LSB init output

[Sebastian Andrzej Siewior]

On 2016-04-30 16:52:55 [+0200], Guillem Jover wrote:
> Hi!
Hi Guillem,

> The attached patch fixes the LSB init script to have more consistent
> output.
Thanks for the patch.
This is only against freshclam. Is clamd + clam-milter good? One change
was to add --quiet to the stop option and I don't see this in the other
two.

> Thanks,
> Guillem

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#822444: Found the problem

[Sebastian Andrzej Siewior]

On 2016-04-26 22:39:16 [+0200], Xavier Quost wrote:
> Hello Sebastian, 
Hello Xavier,

> /lib/systemd/system/clamav-daemon.service 
…
> [Service]
…
> User=clamav
> Group=clamav

> I'm not familiar with systemd, however I'm surprised that when 
> /etc/init.d/clamav-daemon is somethink like 400 lines, systemd is something 
> like 10 lines.
> But still I'm not familiar with systemd.

A lot of the stuff in clamav-daemon is legacy stuff and solved in
systemd differently. To give an example:
- we pass `-c /etc/clamav/clamd.conf' in the non-systemd case. But this
  is the default settings so we could drop it. Therefore it makes no
  difference if you pass this in systemd case or not (nothing changes).
- In the systemv case we start the daemon via start-stop-daemon and pass
  the user from the config as an argument. We could however start clamd
  as root and let the daemon itself change the user to whatever is
  selected in clamd.conf. This is what happens in the systemd case.

> Please would you tell me if those modifications make sense, or if those shall 
> be made elsewhere in the system.

I installed clamsmtp and been looking a little around and I think I
found the problem: You clamd.conf says
AllowSupplementaryGroups disabled
but clamsmtp adds the group clamsmtp to the clamav user:
# id clamav
uid=108(clamav) gid=113(clamav) groups=113(clamav),114(clamsmtp)

With this option set to disabled / false clamav has only access to the
clamav user+group. I think if you revert your changes and instead set
true here (to AllowSupplementaryGroups) then it should work again. I
*think* systemd + start-stop-daemon do this by default and that is why
we did not notice this before.
Could you please check if this change works for you?

> Best regards
> 
> XQ
Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#822444: Bug#822444: clamav-daemon does not start with same options using sysinit and systemd

[Sebastian Andrzej Siewior]

On 2016-04-24 17:39:37 [+0200], xavier quost wrote:
> It seems that clamav-daemon does not start with thes sames options when using 
> systemd or sysvinit.
> This leads to problem with clamsmtp / clamd communication breaking mail 
> checking systeme.

>From browsing through the logs here I can't spot the difference / error.

> when using sysv 
> clamd process is started with those default options :
> clamav8357 1  0 16:57 ?00:00:00 /usr/sbin/clamd -c 
> /etc/clamav/clamd.conf --pid=/run/clamav/clamd.pid
> clamsmtp  8409 1  0 16:58 ?00:00:00 /usr/sbin/clamsmtpd

default config + pid file

> ## check systemd
> ## it seems that clamav-daemon is no more start with good options
> clamsmtp   747 1  0 17:11 ?00:00:00 /usr/sbin/clamsmtpd
> clamav 791 1  7 17:11 ?00:00:07 /usr/sbin/clamd 
> --foreground=true
depends on what you mean by good. It runs in foreground mode and reads the
same config file.

> Communication beetween clamsmtp and clamd is now failing 
> Apr 24 17:14:02 pc251270 clamsmtpd: 10: clamav error: 
> /var/spool/clamsmtp/clamsmtpd.9g7gF4: lstat() failed: Permission denied. ERROR
> Apr 24 17:14:02 pc251270 clamsmtpd: 10: 
> from=xqu...@pc251270.valfontenay.ratp, to=xquost@localhost, 
> status=CLAMAV-ERROR

Can you find out what the difference here is? My guess is that for $reason the
/var/spool/clamsmtp/ folder has different owner/permissions set.
Unless you find something I would have to install it as you have and reproduce
it.

> Thanks, best regards
> 
> XQ

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] Initial start of clamav-daemon

[Sebastian Andrzej Siewior]

On 2016-04-22 18:31:10 [+0200], Dilyan Palauzov wrote:
> Hello,
Hi,

> I propose removing the ConditionPathExistsGlob from
> clamav-daemon.s(ervice,ocket). Then, once freshclam is ready, it will notify
> clamd over the socket, systemd will start clamd because of
> clamav-daemon.socket  and everything is fine.  If somebody tries to contact
> the socket before freshclam is ready, and clamd starts and fails due to
> missing databases, we have the current situation: in order to start clamd,
> it has to be restarted manually, once the databases have been downloaded.
> So removing ConditionPathExistsGlob is an improvement, as it boots the
> system correctly in more cases, than now.

This does not sound that bad. I am not sure at the time of writting but I
*think* that we could start clamd without signatures (which is what you
suggests).
Unless Andreas comes up with something different / better I would try your
way.
I am traveling the next week so I don't when I get to it. Am I assuming
correct that this affects stable+?

> Greetings
>   Dilian

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

Re: [Pkg-clamav-devel] clamav llvm 3.6 dependency

[Sebastian Andrzej Siewior]

On 2016-03-25 10:18:53 [+0100], har...@a-little-linux-box.at wrote:
> Dear clamav maintainers,

Hi Harald,

> I just wanted to ask if it would be possible to adapt clamav to llvm 3.7
> as 3.6 (at least the Debian package) contains a vulnerability which
> seems to impair (at least according to the security tracker) the
> security of clamav. As it is often used in a network context (mail and

Are you talking about CVE-2015-2305 / Henry Spencer BSD regex library? It
looks hard to trigger (it was the case in clamav usage of the library). It
would be probably best if you ping the llvm maintainer to get it fixed.
According to the tracker 3.5 for instance has the same problem and this is
part of stable. So the best thing to do seems to get llvm fixed.
I am not even sure whether clamav compiles against 3.7. But I was not
aware (until now) that 3.7 is part of testing. It wasn't the last time I
looked at it.

BTW: llvm is only used for the bytecode interreter which becomes jit. If you
disable bytecode thingy then it should be not used. The bytecode data comes
from clamav.

> web proxy scanning) this seems to be a not very desirable situation.
> When answering please keep me cc as I'm not subscribed to your list.
> 
> Thanks for your time
> Kind regards
> Harald Jenny

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#813894: Bug#813894: ClamAV installation is OUTDATED

[Sebastian Andrzej Siewior]

On 2016-03-22 11:42:58 [+0100], Oleg Hahm wrote:
> Now the message is:
> Mar 22 11:40:18 ba freshclam[4079]: WARNING: Local version: 0.99 Recommended 
> version: 0.99.1

Your point?
I will try to figure out when upstream plans to drop 0.99.2. If it is anytime
soon it will be probably the best to skip .1 and push .2 into the stable
release.

> Cheers,
> Oleg

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#817943: dh-strip-nondeterminism damages .zip files

[Sebastian Andrzej Siewior]

Package: dh-strip-nondeterminism
Version: 0.016-1

I attached two files, cat them to get the testcase:
   cat split.clam.bz2.zipaa split.clam.bz2.zipab > clam.bz2.zip

The file is from Clamav's test files package so it will be recognized
as a virus - therefore the split.
Now. The original file:
|$ unzip clam.bz2.zip 
|Archive:  clam.bz2.zip
| bunzipping: clam.exe
|$ ls -lh clam.exe 
|-rw-r--r-- 1 bigeasy bigeasy 544 Sep  6  2004 clam.exe

After `dh_strip_nondeterminism':

|$ unzip clam.bz2.zip
|Archive:  clam.bz2.zip
| bunzipping: clam.exe
|   error:  invalid compressed data to bunzip
|$ ls -lh clam.exe 
|-rw-r--r-- 1 bigeasy bigeasy 0 Mar  2 15:48 clam.exe

I will try to work this around by using the `-X' argument and exclude
the test files. Therefore I keep the severity as normal rather than
important.

Sebastian


split.clam.bz2.zipaa
Description: Binary data


split.clam.bz2.zipab
Description: Binary data
___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] 0.99.1 packaging, round 1

[Sebastian Andrzej Siewior]

Hi,

just packaged 0.99.1 for unstable. It builds. Wanted to go over lintian
report, bls before trying to install it :)

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#816956: clamav: [INTL:pt_BR] Brazilian Portuguese debconf templates translation

[Sebastian Andrzej Siewior]

control: -1 tags + pending

On 2016-03-06 16:03:51 [-0300], Adriano Rafael Gomes wrote:
> Hello,
Hello Adriano,

> Please, Could you update the Brazilian Portuguese Translation?

sure.

> Attached you will find the file pt_BR.po. It is UTF-8 encoded and it is
> tested with msgfmt and podebconf-display-po.

Thank you, applied. The next upload should have it.

> 
> Kind regards.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#816272: Bug#816272: Bug#816272: clamav-freshclam: logrotate errors out with "gzip: stdin: file size changed while zipping"

[Sebastian Andrzej Siewior]

On 2016-03-06 12:30:59 [+0100], Christian Pernegger wrote:
> > When you select `cron' in debconf then it will roll the big dice
> Tried that yesterday, result:
> 18 */12 * * *clamav [ -x /usr/bin/freshclam ] &&
> /usr/bin/freshclam --quiet >/dev/null
> 
> It now runs at 18 past noon and midnight, but I still got a
> (different) error e-mail this morning:
> /etc/cron.daily/logrotate:
> error: error running non-shared postrotate script for
> /var/log/clamav/freshclam.log of '/var/log/clamav/freshclam.log '
> run-parts: /etc/cron.daily/logrotate exited with return code 1

now there is nothing.

> Maybe that's just an artefact of the recent debconf run, we'll see in a week.
> 
> > So *I* really think just adding the extra option to lograte is the simplest
> > thing to do.
> 
> I'd love to but it is already in there as standard:

yes, indeed. I somehow though that it was not. But that makes no sense
then. It rotates the freshclam.log to freshclam.log.0 on the first week
and on the second week it performs gzip on freshclam.log.0. freshclam
should no longer have a handle on it.
Could you try to force a lograte? The -v option of lorotate might give
more information on what is going on.

> Christian

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#817067: Bug#817067: clamscan large archive DOS protection could be used to hide virus

[Sebastian Andrzej Siewior]

control: forwarded -1 https://bugzilla.clamav.net/show_bug.cgi?id=11522
control: tags -1 + upstream

On 2016-03-07 15:59:37 [-0400], Joey Hess wrote:
> Package: clamav
> Version: 0.99+dfsg-2
> Severity: important
> Tags: security
> 
> Any script relying on clamscan's exit status can probably be tricked
> with a file that contains a virus, but that uses clamscan's DOS
> protection to trick clamscan into not scanning it in full.

This sounds similar to #740059. Here it continues, in the other it
aborts.

> Suggested fix: If clamscan doesn't process the whole file content for
> any reason, exit with 2, which is documented to mean "some error
> occurred".

Sounds reasonable. I forwarded your report upstream.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#816272: Bug#816272: clamav-freshclam: logrotate errors out with "gzip: stdin: file size changed while zipping"

[Sebastian Andrzej Siewior]

On 2016-03-05 20:44:33 [+0100], Christian Pernegger wrote:
> Thank you for getting back to me on this.
> 
> Yes, cron.weekly seems to run at 6:47 and the freshclam update every
> other hour at :46 ...

every other? I assumed twice a day. Probably got the numbers wrong.
Btw: is this the cron/ anacron package or systemd's cron stuff?

> I'll try the delaycompress option. Do you know if there's anything I
> can do to fix the root cause, i.e. the two cron jobs running so close
> together? It's a server that runs 24/7, there's plenty of time for
> them to get out of each other's hair.

I don't know if this is the cron daemon optimizing things or if it is really
by chance that cron.weekly runs at :47 while debconf decided :46 is a good
one.

When you select `cron' in debconf then it will roll the big dice and come up
with a number between 0 and 59 for the minute value. hour is just 24/x
depending on the interval you select. It seems you had bad luck and those
two came close together.
So either you edit it manually (/etc/cron.d/freshclam or so) or try again your
luck with debconf. Assuming the minute value gets set to :15 and then out of 
the sudden cron.weekly runs at 6:15 then it might be optimizing on cron's
side (but then this is the first report).
So there is this. I don't know how easy it would be to get both sides using
`flock' so they don't try writting to the same file at the same time. And we
have multiple scenarios like daemon mode, cron mode and so on.
So *I* really think just adding the extra option to lograte is the simplest
thing to do.

> 
> Christian

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#816272: Bug#816272: clamav-freshclam: logrotate errors out with "gzip: stdin: file size changed while zipping"

[Sebastian Andrzej Siewior]

On 2016-02-29 12:02:51 [+0100], Christian Pernegger wrote:
> > From: Cron Daemon 
> > To: r...@buddha.southpark.chp
> > Subject: Cron  test -x /usr/sbin/anacron || ( cd / && 
> > run-parts --report /etc/cron.daily )
> >
> > /etc/cron.daily/logrotate:
> > error: error running non-shared postrotate script for 
> > /var/log/clamav/freshclam.log of '/var/log/clamav/freshclam.log '
> > gzip: stdin: file size changed while zipping
> > run-parts: /etc/cron.daily/logrotate exited with return code 1
> 
> No configuration of clamav or freshclam has been done (yet), apart
> from the debconf settings at the bottom of this mail.

I copied your debconf and it seems to work here. Can you check your logs
if the freshclam log runs at the same time as your logrorate script?
I have no idea why but it seems to be the case. Adding `delaycompress'
to the cron script should fix it.

> Regards,
> Christian Pernegger

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] libclamunrar repo recreated

[Sebastian Andrzej Siewior]

Hi,

Scott noticed that the stable branches are slightly broken. I've thrown
the old repo away (libclamunrar.old.git is still available) and imported
mostly everything from the .dsc files.

Now the reason why stable branches were broken is probably a bad git dpm
work flow on my side and a few attempts to fix it. While importing the
two wheezy release I tried to write everything down the way *I* think it
should be done. If there is a better / recommended way to do so please
don't hesitate and shout at me!

Unstable:
~
- git dpm import-new-upstream --rebase ../libclamunrar_0.98.5.orig.tar.xz
- pristine-tar commit ../libclamunrar_0.98.5.orig.tar.xz 
f00c4e9d974252e8e650ceb96d8b859a5272ff84
- changes
- git dpm tag
 
Next release:
~
- git dpm import-new-upstream --rebase ../libclamunrar_0.99.orig.tar.xz
- pristine-tar commit ../libclamunrar_0.99.orig.tar.xz 
da1d48dcae97ca642065f1a4b596b8ed79146d98
- changes
- git dpm tag

First backport for wheezy:
~~
- git checkout -b wheezy
- changes
- git dpm tag
 
Next backport for wheezy:
~
- Assuming `upstream-unstable' points to the `libclamunrar_0.99.orig.tar.xz' 
import:
git dpm record-new-upstream ../libclamunrar_0.99.orig.tar.xz 
upstream-unstable
  This will create a new `upstream-wheezy' branch which is identical to the
   `upstream-unstable' branch (that means both have the same commit ID). This 
is important.
- With patches `git-dpm rebase-patched' is required as the next action.
- once done, `git dpm tag'
 'upstream-0.99' already up to date
 Creating new tag 'patched-0.99-0+deb7u1'...
 Creating new tag 'debian-0.99-0+deb7u1'...
  It only created patched + debian tag because the upstream tag is the same 
compared to the
  upstream release.

Sebastian

___
Pkg-clamav-devel mailing list
Pkg-clamav-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-clamav-devel

[Pkg-clamav-devel] Bug#816002: wheezy-pu: package c-icap/1:0.1.6-1.1+deb7u2

[Sebastian Andrzej Siewior]

Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian@packages.debian.org
Usertags: pu

In order to address the current FTBFS of c-icap-modules here is an
update for c-icap which resolves the problem. With this patch I was able
to build c-icap-modules again.

Mathieu, I will be happy to perform the upload unless you want to do
this yourself.

Sebastian
diff -Nru c-icap-0.1.6/debian/changelog c-icap-0.1.6/debian/changelog
--- c-icap-0.1.6/debian/changelog	2014-12-10 17:38:58.0 +0100
+++ c-icap-0.1.6/debian/changelog	2016-02-26 15:35:32.0 +0100
@@ -1,3 +1,12 @@
+c-icap (1:0.1.6-1.1+deb7u2) oldstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add 0008-Rename-CONF-to-C_ICAP_CONF.patch
+Rename the CONF symbol which is also declared by openssl in order to
+fix FTBFS of c-icap-modules (Closes: #768684).
+
+ -- Sebastian Andrzej Siewior   Fri, 26 Feb 2016 15:30:44 +0100
+
 c-icap (1:0.1.6-1.1+deb7u1) wheezy-security; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -Nru c-icap-0.1.6/debian/patches/0008-Rename-CONF-to-C_ICAP_CONF.patch c-icap-0.1.6/debian/patches/0008-Rename-CONF-to-C_ICAP_CONF.patch
--- c-icap-0.1.6/debian/patches/0008-Rename-CONF-to-C_ICAP_CONF.patch	1970-01-01 01:00:00.0 +0100
+++ c-icap-0.1.6/debian/patches/0008-Rename-CONF-to-C_ICAP_CONF.patch	2016-02-26 15:27:13.0 +0100
@@ -0,0 +1,477 @@
+From 6673de8b3b04c6ed43bb6f2ed582b5775a066ed3 Mon Sep 17 00:00:00 2001
+From: Sebastian Andrzej Siewior 
+Date: Fri, 26 Feb 2016 15:21:11 +0100
+Subject: [PATCH] Rename CONF to C_ICAP_CONF
+
+Based on a patch by Mathieu Parent  done by sed:
+
+   sed -i 's@\@C_ICAP_CONF@g' *.c include/*.h
+
+In order to address FTBFS of c-icap-modules in Wheezy (openssl and
+c-icap define CONF in a public header).
+
+See also: https://bugs.debian.org/768684
+Signed-off-by: Sebastian Andrzej Siewior 
+---
+ aserver.c   |   14 +--
+ cfg_param.c |   66 +--
+ include/cfg_param.h |2 +-
+ module.c|   32 -
+ mpmt_server.c   |8 +++
+ service.c   |6 ++---
+ 6 files changed, 64 insertions(+), 64 deletions(-)
+
+diff --git a/aserver.c b/aserver.c
+index 4602f10..249497c 100644
+--- a/aserver.c
 b/aserver.c
+@@ -100,9 +100,9 @@ int main(int argc, char **argv)
+  ci_txt_template_init();
+  ci_txt_template_set_dir(DATADIR"templates");
+ 
+- if (!(CONF.MAGIC_DB = ci_magic_db_load(CONF.magics_file))) {
++ if (!(C_ICAP_CONF.MAGIC_DB = ci_magic_db_load(C_ICAP_CONF.magics_file))) {
+   ci_debug_printf(1, "Can not load magic file %s!!!\n",
+-  CONF.magics_file);
++  C_ICAP_CONF.magics_file);
+  }
+  init_conf_tables();
+  request_stats_init();
+@@ -113,26 +113,26 @@ int main(int argc, char **argv)
+  ci_debug_printf(2, "My hostname is:%s\n", MY_HOSTNAME);
+ 
+ #if ! defined(_WIN32)
+- if (is_icap_running(CONF.PIDFILE)) {
++ if (is_icap_running(C_ICAP_CONF.PIDFILE)) {
+   ci_debug_printf(1, "c-icap server already running!\n");
+   exit(-1);
+  }
+  if (DAEMON_MODE)
+   run_as_daemon();
+- if (!set_running_permissions(CONF.RUN_USER, CONF.RUN_GROUP))
++ if (!set_running_permissions(C_ICAP_CONF.RUN_USER, C_ICAP_CONF.RUN_GROUP))
+   exit(-1);
+- store_pid(CONF.PIDFILE);
++ store_pid(C_ICAP_CONF.PIDFILE);
+ #endif
+ 
+  if (!log_open()) {
+   ci_debug_printf(1, "Can not init loggers. Exiting.\n");
+   exit(-1);
+  }
+- if (!init_server(CONF.ADDRESS, CONF.PORT, &(CONF.PROTOCOL_FAMILY)))
++ if (!init_server(C_ICAP_CONF.ADDRESS, C_ICAP_CONF.PORT, &(C_ICAP_CONF.PROTOCOL_FAMILY)))
+   return -1;
+  post_init_modules();
+  post_init_services();
+  start_server();
+- clear_pid(CONF.PIDFILE);
++ clear_pid(C_ICAP_CONF.PIDFILE);
+  return 0;
+ }
+diff --git a/cfg_param.c b/cfg_param.c
+index 5b8f5ba..0a2039d 100644
+--- a/cfg_param.c
 b/cfg_param.c
+@@ -37,7 +37,7 @@
+ int ARGC;
+ char **ARGV;
+ 
+-struct ci_server_conf CONF = {
++struct ci_server_conf C_ICAP_CONF = {
+  NULL, /* LISTEN ADDRESS */ 1344, /*PORT*/ AF_INET,/*SOCK_FAMILY */
+ #ifdef _WIN32
+  "c:\\TEMP", /*TMPDIR*/ "c:\\TEMP\\c-icap.pid", /*PIDFILE*/ ".\\pipe\\c-icap",  /*COMMANDS_SOCKET; */
+@@ -128,9 +128,9 @@ struct sub_table {
+ };
+ 
+ static struct ci_conf_entry conf_variables[] = {
+- {"ListenAddress", &CONF.ADDRESS, intl_cfg_set_str, NULL},
+- {"PidFile", &CONF.PIDFILE, intl_cfg_set_str, NULL},
+- {"CommandsSocket", &CONF.COMMANDS_SOCKET, intl_cfg_set_str, NULL},
++ {"ListenAddress", &C_ICAP_CONF.ADDRESS, intl_cfg_set_str, NULL},
++ {"Pid