From patchwork Sat Dec 21 12:55:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 8365 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4YFkn40C6jz3xDX for ; Sat, 21 Dec 2024 12:56:24 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4YFkn33QRWz7WK; Sat, 21 Dec 2024 12:56:23 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4YFkn32v5Dz34K1; Sat, 21 Dec 2024 12:56:23 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R11" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4YFkmW2QgYz34LN for ; Sat, 21 Dec 2024 12:55:55 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4YFkmV1LWKz7Qs; Sat, 21 Dec 2024 12:55:54 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1734785754; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=jRrQqh52TJ4AwQ6OIyRNEc3e+KofWXujuPbffWhTFwU=; b=ZVEMnJYaS4enDbI2HBEQov7xMiot7iu4o6xLNfYoRfUF4CPJoh5DtJkX1ymLubVDHve+Tr snWydjtZ9eJ0R0Bg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1734785754; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=jRrQqh52TJ4AwQ6OIyRNEc3e+KofWXujuPbffWhTFwU=; b=jQVTbZe1xqXp2rlIIvBtXh96YQfPKeb7JU5iDYlrh0vPFCUJ2/s7moVxTqllHMglLSZekV f/M9Ye1hrqsbz/d++3Rn5rf05fywbHmiJW3UWURCnIdE8wzZRTZyKcFEbz40RQn+l3CQ46 eq2USOMzftJTTLBq9oPAWNEJKWcKLvSD5au9IKMjRB7VGKe2MhIeKnwT2PxwZDrH6rUxkz B2N/rl3WBrjX56IoAZI5M/Xid+iSBHxuK3yhauamn7T5u79BCz8Hm+rVHdFeyZ+R+zYpLm UrdQ2AUkrmLvTdwPC1KRWFTflOXoMfOvPUPDYBbrImuDGSvvSG7tJKBquP2BFw== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH 32/32] clamav: Update to version 1.4.1 Date: Sat, 21 Dec 2024 13:55:39 +0100 Message-ID: <20241221125539.15309-32-adolf.belka@ipfire.org> In-Reply-To: <20241221125539.15309-1-adolf.belka@ipfire.org> References: <20241221125539.15309-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: XIHZIAYYYUTLNRCW37HY6TOPS2FJAPXA X-Message-ID-Hash: XIHZIAYYYUTLNRCW37HY6TOPS2FJAPXA X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - Update from version 1.3.2 to 1.4.1 - Update of rootfile - Changelog 1.4.1 ClamAV 1.4.1 is a critical patch release with the following fixes: - [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506): Changed the logging module to disable following symlinks on Linux and Unix systems so as to prevent an attacker with existing access to the 'clamd' or 'freshclam' services from using a symlink to corrupt system files. This issue affects all currently supported versions. It will be fixed in: - 1.4.1 - 1.3.2 - 1.0.7 - 0.103.12 Thank you to Detlef for identifying this issue. - [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505): Fixed a possible out-of-bounds read bug in the PDF file parser that could cause a denial-of-service (DoS) condition. This issue affects all currently supported versions. It will be fixed in: - 1.4.1 - 1.3.2 - 1.0.7 - 0.103.12 Thank you to OSS-Fuzz for identifying this issue. - Removed unused Python modules from freshclam tests including deprecated 'cgi' module that is expected to cause test failures in Python 3.13. 1.4.0 Major changes - Added support for extracting ALZ archives. The new ClamAV file type for ALZ archives is `CL_TYPE_ALZ`. Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html) option to enable or disable ALZ archive support. > _Tip_: DCONF (Dynamic CONFiguration) is a feature that allows for some > configuration changes to be made via ClamAV `.cfg` "signatures". - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1183) - Added support for extracting LHA/LZH archives. The new ClamAV file type for LHA/LZH archives is `CL_TYPE_LHA_LZH`. Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html) option to enable or disable LHA/LZH archive support. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1192) - Added the ability to disable image fuzzy hashing, if needed. For context, image fuzzy hashing is a detection mechanism useful for identifying malware by matching images included with the malware or phishing email/document. New ClamScan options: ``` --scan-image[=yes(*)/no] --scan-image-fuzzy-hash[=yes(*)/no] ``` New ClamD config options: ``` ScanImage yes(*)/no ScanImageFuzzyHash yes(*)/no ``` New libclamav scan options: ```c options.parse &= ~CL_SCAN_PARSE_IMAGE; options.parse &= ~CL_SCAN_PARSE_IMAGE_FUZZY_HASH; ``` Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html) option to enable or disable image fuzzy hashing support. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1186) Other improvements - Added cross-compiling instructions for targeting ARM64/aarch64 processors for [Windows](https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-windows-arm64.md) and [Linux](https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-linux-arm64.md). - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1116) - Improved the Freshclam warning messages when being blocked or rate limited so as to include the Cloudflare Ray ID, which helps with issue triage. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1195) - Removed unnecessary memory allocation checks when the size to be allocated is fixed or comes from a trusted source. We also renamed internal memory allocation functions and macros, so it is more obvious what each function does. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1137) - Improved the Freshclam documentation to make it clear that the `--datadir` option must be an absolute path to a directory that already exists, is writable by Freshclam, and is readable by ClamScan and ClamD. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1199) - Added an optimization to avoid calculating the file hash if the clean file cache has been disabled. The file hash may still be calculated as needed to perform hash-based signature matching if any hash-based signatures exist that target a file of the same size, or if any hash-based signatures exist that target "any" file size. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1167) - Added an improvement to the SystemD service file for ClamOnAcc so that the service will shut down faster on some systems. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1164) - Added a CMake build dependency on the version map files so that the build will re-run if changes are made to the version map files. Work courtesy of Sebastian Andrzej Siewior. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1294) - Added an improvement to the CMake build so that the RUSTFLAGS settings are inherited from the environment. Work courtesy of liushuyu. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1301) Bug fixes - Silenced confusing warning message when scanning some HTML files. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1252) - Fixed minor compiler warnings. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1197) - Since the build system changed from Autotools to CMake, ClamAV no longer supports building with configurations where bzip2, libxml2, libz, libjson-c, or libpcre2 are not available. Libpcre is no longer supported in favor of libpcre2. In this release, we removed all the dead code associated with those unsupported build configurations. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1217) - Fixed assorted typos. Patch courtesy of RainRat. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1228) - Added missing documentation for the ClamScan `--force-to-disk` option. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1186) - Fixed an issue where ClamAV unit tests would prefer an older libclamunrar_iface library from the install path, if present, rather than the recently compiled library in the build path. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1258) - Fixed a build issue on Windows with newer versions of Rust. Also upgraded GitHub Actions imports to fix CI failures. Fixes courtesy of liushuyu. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1307) - Fixed an unaligned pointer dereference issue on select architectures. Fix courtesy of Sebastian Andrzej Siewior. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1293) - Fixed a bug that prevented loading plaintext (non-CVD) signature files when using the `--fail-if-cvd-older-than=DAYS` / `FailIfCvdOlderThan` option. Fix courtesy of Bark. - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1309) Signed-off-by: Adolf Belka --- config/rootfiles/packages/clamav | 8 ++++---- lfs/clamav | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/config/rootfiles/packages/clamav b/config/rootfiles/packages/clamav index f8deb9479..0bf660202 100644 --- a/config/rootfiles/packages/clamav +++ b/config/rootfiles/packages/clamav @@ -14,20 +14,20 @@ usr/bin/sigtool #usr/include/libfreshclam.h usr/lib/libclamav.so usr/lib/libclamav.so.12 -usr/lib/libclamav.so.12.0.2 +usr/lib/libclamav.so.12.0.3 #usr/lib/libclamav_rust.a usr/lib/libclammspack.so usr/lib/libclammspack.so.0 usr/lib/libclammspack.so.0.8.0 usr/lib/libclamunrar.so usr/lib/libclamunrar.so.12 -usr/lib/libclamunrar.so.12.0.2 +usr/lib/libclamunrar.so.12.0.3 usr/lib/libclamunrar_iface.so usr/lib/libclamunrar_iface.so.12 -usr/lib/libclamunrar_iface.so.12.0.2 +usr/lib/libclamunrar_iface.so.12.0.3 usr/lib/libfreshclam.so usr/lib/libfreshclam.so.3 -usr/lib/libfreshclam.so.3.0.1 +usr/lib/libfreshclam.so.3.0.2 #usr/lib/pkgconfig/libclamav.pc usr/sbin/clamd #usr/share/doc/ClamAV diff --git a/lfs/clamav b/lfs/clamav index f98d52532..72a3be790 100644 --- a/lfs/clamav +++ b/lfs/clamav @@ -26,7 +26,7 @@ include Config SUMMARY = Antivirus Toolkit -VER = 1.3.2 +VER = 1.4.1 THISAPP = clamav-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = clamav -PAK_VER = 73 +PAK_VER = 74 DEPS = @@ -50,7 +50,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 65f5e951a0c8b506e4975a7f5ffcf2c0402907ac528075362efd39fece1325ca05127b89a8ae7dcb638577b441af20aed7ab233e5b73d33f5daa0f793e6416e8 +$(DL_FILE)_BLAKE2 = 2cc31d5d4f33ddfffd01a46d88b09965ea8634fa711e5772a303d00c31efab2986727d6d26ca221f6518b80eb5ea3637c26dc0a2c32a493dd0a1cd43d2fd5d10 install : $(TARGET)