Package: release.debian.org User: release.debian....@packages.debian.org Usertags: pu Tags: stretch Severity: normal
Please find attached the proposed update to libclamunrar for Stretch as part of the clamav transition, #924278. Sebastian
diff -Nru libclamunrar-0.101.1/clamav-config.h.in libclamunrar-0.101.2/clamav-config.h.in --- libclamunrar-0.101.1/clamav-config.h.in 2019-02-09 23:29:30.000000000 +0100 +++ libclamunrar-0.101.2/clamav-config.h.in 2019-03-30 14:57:29.000000000 +0100 @@ -314,6 +314,9 @@ /* Define to 1 if you have the `strnlen' function. */ #undef HAVE_STRNLEN +/* Define to 1 if you have the `strnstr' function. */ +#undef HAVE_STRNSTR + /* Define to 1 if sysconf(_SC_PAGESIZE) is available */ #undef HAVE_SYSCONF_SC_PAGESIZE diff -Nru libclamunrar-0.101.1/configure libclamunrar-0.101.2/configure --- libclamunrar-0.101.1/configure 2019-02-09 23:29:30.000000000 +0100 +++ libclamunrar-0.101.2/configure 2019-03-30 14:57:29.000000000 +0100 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for ClamAV 0.101.1. +# Generated by GNU Autoconf 2.69 for ClamAV 0.101.2. # # Report bugs to <https://bugzilla.clamav.net/>. # @@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='ClamAV' PACKAGE_TARNAME='clamav' -PACKAGE_VERSION='0.101.1' -PACKAGE_STRING='ClamAV 0.101.1' +PACKAGE_VERSION='0.101.2' +PACKAGE_STRING='ClamAV 0.101.2' PACKAGE_BUGREPORT='https://bugzilla.clamav.net/' PACKAGE_URL='https://www.clamav.net/' @@ -753,6 +753,8 @@ CHECK_CPPFLAGS CHECK_LIBS CHECK_CFLAGS +ENABLE_FUZZ_FALSE +ENABLE_FUZZ_TRUE BUILD_CONFIGURE_FLAGS VERSIONSCRIPT_FALSE VERSIONSCRIPT_TRUE @@ -908,6 +910,7 @@ enable_libtool_lock enable_gcc_vcheck enable_experimental +enable_fuzz enable_mempool enable_check enable_rpath @@ -1533,7 +1536,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures ClamAV 0.101.1 to adapt to many kinds of systems. +\`configure' configures ClamAV 0.101.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1605,7 +1608,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of ClamAV 0.101.1:";; + short | recursive ) echo "Configuration of ClamAV 0.101.2:";; esac cat <<\_ACEOF @@ -1626,6 +1629,7 @@ --disable-libtool-lock avoid locking (might break parallel builds) --disable-gcc-vcheck do not check for buggy gcc version --enable-experimental enable experimental code + --enable-fuzz enable building standalone fuzz targets [default=no] --disable-mempool do not use memory pools --enable-check enable check unit tests [default=auto] --disable-rpath do not hardcode runtime library paths @@ -1819,7 +1823,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -ClamAV configure 0.101.1 +ClamAV configure 0.101.2 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2363,7 +2367,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by ClamAV $as_me 0.101.1, which was +It was created by ClamAV $as_me 0.101.2, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4120,7 +4124,7 @@ # Define the identity of the package. PACKAGE='clamav' - VERSION='0.101.1' + VERSION='0.101.2' # Some tools Automake needs. @@ -5849,10 +5853,10 @@ -VERSION="0.101.1" +VERSION="0.101.2" LC_CURRENT=9 -LC_REVISION=1 +LC_REVISION=2 LC_AGE=0 LIBCLAMAV_VERSION="$LC_CURRENT":"$LC_REVISION":"$LC_AGE" @@ -19150,6 +19154,27 @@ BUILD_CONFIGURE_FLAGS=$build_configure_args +# Check whether --enable-fuzz was given. +if test "${enable_fuzz+set}" = set; then : + enableval=$enable_fuzz; enable_cov=$enableval +else + enable_cov="no" +fi + + +if test "x$enable_fuzz" = "xyes"; then + CXXFLAGS="-std=c++11 -stdlib=libc++ $CXXFLAGS" +fi + + if test "x$enable_fuzz" = "xyes"; then + ENABLE_FUZZ_TRUE= + ENABLE_FUZZ_FALSE='#' +else + ENABLE_FUZZ_TRUE='#' + ENABLE_FUZZ_FALSE= +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether uname(2) is POSIX" >&5 $as_echo_n "checking whether uname(2) is POSIX... " >&6; } @@ -19357,6 +19382,17 @@ fi done +for ac_func in strnstr +do : + ac_fn_c_check_func "$LINENO" "strnstr" "ac_cv_func_strnstr" +if test "x$ac_cv_func_strnstr" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_STRNSTR 1 +_ACEOF + +fi +done + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _LARGEFILE_SOURCE value needed for large files" >&5 $as_echo_n "checking for _LARGEFILE_SOURCE value needed for large files... " >&6; } if ${ac_cv_sys_largefile_source+:} false; then : @@ -28120,6 +28156,10 @@ as_fn_error $? "conditional \"VERSIONSCRIPT\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${ENABLE_FUZZ_TRUE}" && test -z "${ENABLE_FUZZ_FALSE}"; then + as_fn_error $? "conditional \"ENABLE_FUZZ\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${HAVE_LIBCHECK_TRUE}" && test -z "${HAVE_LIBCHECK_FALSE}"; then as_fn_error $? "conditional \"HAVE_LIBCHECK\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -28577,7 +28617,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by ClamAV $as_me 0.101.1, which was +This file was extended by ClamAV $as_me 0.101.2, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -28644,7 +28684,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -ClamAV config.status 0.101.1 +ClamAV config.status 0.101.2 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru libclamunrar-0.101.1/configure.ac libclamunrar-0.101.2/configure.ac --- libclamunrar-0.101.1/configure.ac 2019-02-09 23:29:26.000000000 +0100 +++ libclamunrar-0.101.2/configure.ac 2019-03-30 14:57:25.000000000 +0100 @@ -1,4 +1,6 @@ -dnl Copyright (C) 2002 - 2006 Tomasz Kojm <tk...@clamav.net> +dnl Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved. +dnl Copyright (C) 2007-2013 Sourcefire, Inc. +dnl Copyright (C) 2002-2007 Tomasz Kojm <tk...@clamav.net> dnl readdir_r checks (c) COPYRIGHT MIT 1995 dnl socklen_t check (c) Alexander V. Lukyanov <l...@yars.free.net> dnl @@ -20,7 +22,7 @@ AC_PREREQ([2.59]) dnl For a release change [devel] to the real version [0.xy] dnl also change VERSION below -AC_INIT([ClamAV], [0.101.1], [https://bugzilla.clamav.net/], [clamav], [https://www.clamav.net/]) +AC_INIT([ClamAV], [0.101.2], [https://bugzilla.clamav.net/], [clamav], [https://www.clamav.net/]) dnl enable C++ AC_PROG_CXX() @@ -73,6 +75,7 @@ build_configure_args=`echo "$ac_configure_args" | sed -e 's/[\"]//g'` AC_SUBST([BUILD_CONFIGURE_FLAGS], [$build_configure_args]) +m4_include([m4/reorganization/code_checks/fuzz.m4]) m4_include([m4/reorganization/code_checks/functions.m4]) m4_include([m4/reorganization/code_checks/mpool.m4]) m4_include([m4/reorganization/code_checks/unit_tests.m4]) diff -Nru libclamunrar-0.101.1/debian/changelog libclamunrar-0.101.2/debian/changelog --- libclamunrar-0.101.1/debian/changelog 2019-03-10 17:09:59.000000000 +0100 +++ libclamunrar-0.101.2/debian/changelog 2019-04-06 20:25:19.000000000 +0200 @@ -1,3 +1,13 @@ +libclamunrar (0.101.2-0+deb9u1) stretch; urgency=high + + * Import 0.101.2 + - CVE-2019-1785 (A path-traversal write condition may occur as a result of + improper input validation when scanning RAR archives) + - CVE-2019-1798 (A use-after-free condition may occur as a result of + improper error handling when scanning nested RAR archives) + + -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Sat, 06 Apr 2019 20:25:19 +0200 + libclamunrar (0.101.1-0+deb9u1) stretch; urgency=medium [ Scott Kitterman ] diff -Nru libclamunrar-0.101.1/debian/.git-dpm libclamunrar-0.101.2/debian/.git-dpm --- libclamunrar-0.101.1/debian/.git-dpm 2019-03-10 17:03:28.000000000 +0100 +++ libclamunrar-0.101.2/debian/.git-dpm 2019-04-06 20:23:33.000000000 +0200 @@ -1,8 +1,8 @@ # see git-dpm(1) from git-dpm package -b6445e154030cecddc72fe76d3d2e18869b15118 -b6445e154030cecddc72fe76d3d2e18869b15118 -b6445e154030cecddc72fe76d3d2e18869b15118 -b6445e154030cecddc72fe76d3d2e18869b15118 -libclamunrar_0.101.1.orig.tar.xz -446b41431eccef23f9d0ec5133eb964bc4a1776f -491568 +a1d0c295832affbb17bd4c16432800ec3aade630 +a1d0c295832affbb17bd4c16432800ec3aade630 +a1d0c295832affbb17bd4c16432800ec3aade630 +a1d0c295832affbb17bd4c16432800ec3aade630 +libclamunrar_0.101.2.orig.tar.xz +6f660fc27166a75b0e336b82769b242bf0471374 +487968 diff -Nru libclamunrar-0.101.1/libclamunrar_iface/Makefile.am libclamunrar-0.101.2/libclamunrar_iface/Makefile.am --- libclamunrar-0.101.1/libclamunrar_iface/Makefile.am 2019-02-09 23:29:26.000000000 +0100 +++ libclamunrar-0.101.2/libclamunrar_iface/Makefile.am 2019-03-30 14:57:25.000000000 +0100 @@ -1,6 +1,7 @@ # -# Copyright (C) 2002 - 2007 Tomasz Kojm <tk...@clamav.net> -# Copyright (C) 2008 - 2013 Sourcefire, Inc. +# Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved. +# Copyright (C) 2007-2013 Sourcefire, Inc. +# Copyright (C) 2002-2007 Tomasz Kojm <tk...@clamav.net> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff -Nru libclamunrar-0.101.1/libclamunrar_iface/Makefile.in libclamunrar-0.101.2/libclamunrar_iface/Makefile.in --- libclamunrar-0.101.1/libclamunrar_iface/Makefile.in 2019-02-09 23:29:31.000000000 +0100 +++ libclamunrar-0.101.2/libclamunrar_iface/Makefile.in 2019-03-30 14:57:30.000000000 +0100 @@ -15,8 +15,9 @@ @SET_MAKE@ # -# Copyright (C) 2002 - 2007 Tomasz Kojm <tk...@clamav.net> -# Copyright (C) 2008 - 2013 Sourcefire, Inc. +# Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved. +# Copyright (C) 2007-2013 Sourcefire, Inc. +# Copyright (C) 2002-2007 Tomasz Kojm <tk...@clamav.net> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -132,6 +133,7 @@ $(top_srcdir)/m4/reorganization/c_options.m4 \ $(top_srcdir)/m4/reorganization/compiler_checks.m4 \ $(top_srcdir)/m4/reorganization/linker_checks.m4 \ + $(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \ $(top_srcdir)/m4/reorganization/code_checks/functions.m4 \ $(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \ $(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \ diff -Nru libclamunrar-0.101.1/libclamunrar_iface/unrar_iface.cpp libclamunrar-0.101.2/libclamunrar_iface/unrar_iface.cpp --- libclamunrar-0.101.1/libclamunrar_iface/unrar_iface.cpp 2019-02-09 23:29:22.000000000 +0100 +++ libclamunrar-0.101.2/libclamunrar_iface/unrar_iface.cpp 2019-03-30 14:57:20.000000000 +0100 @@ -1,7 +1,9 @@ /* * Interface to libclamunrar - * Copyright (C) 2015-2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved. + * + * Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved. * Copyright (C) 2007-2013 Sourcefire, Inc. + * * Authors: Trog, Torok Edvin, Tomasz Kojm, Micah Snyder * * Redistribution and use in source and binary forms, with or without @@ -89,7 +91,7 @@ /** * @brief Translate an ERAR_<code> to the appropriate UNRAR_<code> - * + * * @param errorCode ERAR_<code> * @return cl_unrar_error_t UNRAR_OK, UNRAR_ENCRYPTED, or UNRAR_ERR. */ @@ -133,6 +135,7 @@ } case ERAR_EOPEN: { unrar_dbgmsg("unrar_retcode: Volume open error.\n"); + status = UNRAR_EOPEN; break; } case ERAR_ECREATE: { @@ -289,7 +292,7 @@ /** * @brief Get file metadata from the next file header. - * + * * @param hArchive Handle to the archive we're extracting. * @param[in/out] file_metadata Pointer to a pre-allocated metadata structure. * @return cl_unrar_error_t UNRAR_OK if metadata retrieved, UNRAR_BREAK if no more files, UNRAR_ENCRYPTED if header was encrypted, else maybe UNRAR_EMEM or UNRAR_ERR. @@ -317,7 +320,7 @@ */ headerData.CmtBuf = NULL; headerData.CmtBufSize = 0; - + headerData.RedirNameSize = 1024 * sizeof(wchar_t); headerData.RedirName = (wchar_t*)&RedirName; memset(headerData.RedirName, 0, headerData.RedirNameSize); diff -Nru libclamunrar-0.101.1/libclamunrar_iface/unrar_iface.h libclamunrar-0.101.2/libclamunrar_iface/unrar_iface.h --- libclamunrar-0.101.1/libclamunrar_iface/unrar_iface.h 2019-02-09 23:29:22.000000000 +0100 +++ libclamunrar-0.101.2/libclamunrar_iface/unrar_iface.h 2019-03-30 14:57:20.000000000 +0100 @@ -1,7 +1,9 @@ /* * Interface to libclamunrar - * Copyright (C) 2015-2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved. + * + * Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved. * Copyright (C) 2007-2013 Sourcefire, Inc. + * * Authors: Trog, Torok Edvin, Tomasz Kojm, Micah Snyder * * Redistribution and use in source and binary forms, with or without @@ -48,7 +50,8 @@ UNRAR_BREAK, UNRAR_ENCRYPTED, UNRAR_EMEM, - UNRAR_ERR + UNRAR_ERR, + UNRAR_EOPEN } cl_unrar_error_t; typedef struct unrar_metadata_tag diff -Nru libclamunrar-0.101.1/m4/reorganization/code_checks/functions.m4 libclamunrar-0.101.2/m4/reorganization/code_checks/functions.m4 --- libclamunrar-0.101.1/m4/reorganization/code_checks/functions.m4 2019-02-09 23:29:22.000000000 +0100 +++ libclamunrar-0.101.2/m4/reorganization/code_checks/functions.m4 2019-03-30 14:57:20.000000000 +0100 @@ -5,6 +5,7 @@ AC_CHECK_FUNCS_ONCE([poll setsid memcpy snprintf vsnprintf strerror_r strlcpy strlcat strcasestr inet_ntop setgroups initgroups ctime_r mkstemp mallinfo madvise getnameinfo]) AC_CHECK_FUNCS([strndup]) AC_CHECK_FUNCS([strnlen]) +AC_CHECK_FUNCS([strnstr]) AC_FUNC_FSEEKO dnl Check if anon maps are available, check if we can determine the page size diff -Nru libclamunrar-0.101.1/m4/reorganization/code_checks/fuzz.m4 libclamunrar-0.101.2/m4/reorganization/code_checks/fuzz.m4 --- libclamunrar-0.101.1/m4/reorganization/code_checks/fuzz.m4 1970-01-01 01:00:00.000000000 +0100 +++ libclamunrar-0.101.2/m4/reorganization/code_checks/fuzz.m4 2019-03-30 14:57:20.000000000 +0100 @@ -0,0 +1,11 @@ +AC_ARG_ENABLE(fuzz, + AC_HELP_STRING([--enable-fuzz], + [enable building standalone fuzz targets + @<:@default=no@:>@]), +[enable_cov=$enableval],[enable_cov="no"]) + +if test "x$enable_fuzz" = "xyes"; then + CXXFLAGS="-std=c++11 -stdlib=libc++ $CXXFLAGS" +fi + +AM_CONDITIONAL(ENABLE_FUZZ, test "x$enable_fuzz" = "xyes") diff -Nru libclamunrar-0.101.1/m4/reorganization/version.m4 libclamunrar-0.101.2/m4/reorganization/version.m4 --- libclamunrar-0.101.1/m4/reorganization/version.m4 2019-02-09 23:29:22.000000000 +0100 +++ libclamunrar-0.101.2/m4/reorganization/version.m4 2019-03-30 14:57:20.000000000 +0100 @@ -1,9 +1,9 @@ dnl change this on a release dnl VERSION="devel-`date +%Y%m%d`" -VERSION="0.101.1" +VERSION="0.101.2" LC_CURRENT=9 -LC_REVISION=1 +LC_REVISION=2 LC_AGE=0 LIBCLAMAV_VERSION="$LC_CURRENT":"$LC_REVISION":"$LC_AGE" AC_SUBST([LIBCLAMAV_VERSION]) diff -Nru libclamunrar-0.101.1/Makefile.in libclamunrar-0.101.2/Makefile.in --- libclamunrar-0.101.1/Makefile.in 2019-02-09 23:29:31.000000000 +0100 +++ libclamunrar-0.101.2/Makefile.in 2019-03-30 14:57:30.000000000 +0100 @@ -104,6 +104,7 @@ $(top_srcdir)/m4/reorganization/c_options.m4 \ $(top_srcdir)/m4/reorganization/compiler_checks.m4 \ $(top_srcdir)/m4/reorganization/linker_checks.m4 \ + $(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \ $(top_srcdir)/m4/reorganization/code_checks/functions.m4 \ $(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \ $(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \