NetBSD Problem Report #54951

From root@labma.ru  Mon Feb 10 11:55:22 2020
Return-Path: <root@labma.ru>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id E2B6D1A9213
	for <gnats-bugs@gnats.NetBSD.org>; Mon, 10 Feb 2020 11:55:22 +0000 (UTC)
Message-Id: <20200210103658.3073421514@ml08.labma.ru>
Date: Mon, 10 Feb 2020 13:36:58 +0300 (MSK)
From: d.veselov@labma.ru
Reply-To: d.veselov@labma.ru
To: gnats-bugs@NetBSD.org
Subject: clamav should be updated
X-Send-Pr-Version: 3.95

>Number:         54951
>Category:       pkg
>Synopsis:       clamav 0.102.1 has security flaw and should be replaced
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    pkg-manager
>State:          closed
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Mon Feb 10 12:00:00 +0000 2020
>Closed-Date:    Tue Oct 13 03:10:15 +0000 2020
>Last-Modified:  Tue Oct 13 03:10:15 +0000 2020
>Originator:     Dima Veselov
>Release:        NetBSD 8.1_STABLE
>Organization:
ZAO LMA
>Environment:
System: NetBSD ranir 8.1_STABLE NetBSD 8.1_STABLE (Ranir) #4: Mon Jun 10 10:52:14 MSK 2019 kab00m@almaz:/export/build/obj/amd64/sys/arch/amd64/compile/Ranir amd64
Architecture: x86_64
Machine: amd64
>Description:
	clamav 0.102.1 is vulnerable (CVE-2020-3123). The pkgsrc version also lacks
	an rc.d script for the milter option.
>How-To-Repeat:
>Fix:
	Updated package can be found at http://lich.phys.spbu.ru/clamav-0.102.2nb2.tgz

Diff follows:

diff -U2 -r ../pkgsrc/security/clamav/Makefile.common security/clamav/Makefile.common
--- ../pkgsrc/security/clamav/Makefile.common   2020-02-03 12:45:57.328973185 +0300
+++ security/clamav/Makefile.common     2020-02-10 13:09:12.148274915 +0300
@@ -4,5 +4,5 @@
 # used by security/clamav-doc/Makefile

-DISTNAME=      clamav-0.102.1
+DISTNAME=      clamav-0.102.2
 CATEGORIES=    security
 MASTER_SITES=  http://www.clamav.net/downloads/production/
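
Review bot: MASTER_SITES in the unchanged context below the DISTNAME bump
still fetches the distfile over plain http, so for this security update the
distinfo entry is the only integrity check on clamav-0.102.2.tar.gz. Consider
moving the URL to https in the same change. The submitted binary is named
clamav-0.102.2nb2, but no Makefile change is part of this diff, so check how
PKGREVISION is handled for the new upstream version before committing.
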
diff -U2 -r ../pkgsrc/security/clamav/distinfo security/clamav/distinfo
--- ../pkgsrc/security/clamav/distinfo  2020-02-10 13:07:23.529810703 +0300
+++ security/clamav/distinfo    2020-02-10 13:09:12.152275003 +0300
@@ -1,8 +1,8 @@
 $NetBSD: distinfo,v 1.31 2019/12/03 12:55:16 taca Exp $

-SHA1 (clamav-0.102.1.tar.gz) = 88040368d506b923b627eab3c8a96c941f1719f9
-RMD160 (clamav-0.102.1.tar.gz) = 3b3c652c6b9f01bd2cc0e14390b841e48cfdee90
-SHA512 (clamav-0.102.1.tar.gz) = 2d0cd2dece771ab8228771f9a95eb0342e756083a0107b2bef31bd2f5f46c36aa692e15d7eb2ea321f535ea4e18c8df043c8663ae350d40fbe1bdb4d073dcb90
-Size (clamav-0.102.1.tar.gz) = 13215586 bytes
+SHA1 (clamav-0.102.2.tar.gz) = 9adabeac41736770aa22ae1ee1f8aba9e253cfaa
+RMD160 (clamav-0.102.2.tar.gz) = a1ef9999257f02ca55abc8da73b4456e0f02ec80
+SHA512 (clamav-0.102.2.tar.gz) = 7db53e0e2b4d6b0e4cf5048d3c9dfbcabcffd680c3a2b718c763b9599b0c1c14e56bae70c54c251ee9e8fd1acd3134657196dbaad2d23a16bad76a088c6fc41f
+Size (clamav-0.102.2.tar.gz) = 13227538 bytes
 SHA1 (patch-Makefile.in) = a11766ea353d81fb281a07c8120e8a1f5c8dc60f
 SHA1 (patch-aa) = 8539a90ac5591c86f7e9f6b8c073f36523f221a5
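
Review bot: the four replaced lines for clamav-0.102.2.tar.gz are taken on
trust from the submitter, and nothing in the patch lets a committer confirm
them. Regenerate them with make makesum from an independently fetched tarball
and compare the result with the SHA512 and Size lines here, rather than
applying the submitted values verbatim. The patch-* entries in the context are
unchanged, which is consistent with no local patch being touched.
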
Only in security/clamav/files: clamav-milter.sh
diff -U2 -r ../pkgsrc/security/clamav/options.mk security/clamav/options.mk
--- ../pkgsrc/security/clamav/options.mk        2020-02-10 13:07:03.441354849 +0300
+++ security/clamav/options.mk  2020-02-10 13:09:12.336279181 +0300
@@ -18,4 +18,5 @@
 CONF_SAMPLES+=         clamav-milter.conf
 SMF_INSTANCES+=                clamav-milter
+RCD_SCRIPTS+=          clamav-milter
 .else
 CONFIGURE_ARGS+=       --disable-milter
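
Review bot: RCD_SCRIPTS+= clamav-milter makes the package depend on
files/clamav-milter.sh, but that file shows up only as "Only in
security/clamav/files" and is not carried by the diff, so the patch does not
apply on its own. Regenerate it with diff -N so the new file is included. The
placement is right: the added line sits in the milter branch, and the .else
branch passes --disable-milter.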



rc.d script follows:

[root@ranir pkgsrc-labma]$ cat security/clamav/files/clamav-milter.sh 
#!/bin/sh
#
# $NetBSD:
#
# clamav-milter provides milter socket for mail daemon
#
# PROVIDE: clamav-milter
# REQUIRE: clamd
# BEFORE: mail local
# KEYWORD: shutdown

if [ -f /etc/rc.subr ]; then
        . /etc/rc.subr
fi

name="clamav_milter"
rcvar=$name
command="/usr/pkg/sbin/clamav-milter"
required_files="/usr/pkg/etc/clamav-milter.conf"
start_precmd="clamav_milter_precmd"
#stop_cmd="clamav_milter_stopcmd"

if [ -f "${required_files}" ]; then
        pidfile_=`/usr/bin/awk '/^#/ {next}; /^PidFile[         ]/ {r = $2};
                        END {print r}' ${required_files}`
        if [ -n "${pidfile_}" ]; then
                pidfile=${pidfile_}
        fi
        logfile=`/usr/bin/awk 'BEGIN {r = "/tmp/clamd.log"};
                        /^#/ {next}; /^LogFile[         ]/ {r = $2};
                        END {print r}' ${required_files}`
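        # clamav-milter.conf names its listening socket MilterSocket
        # (LocalSocket is the clamd.conf key). Strip the optional
        # unix:/local: prefix so only a filesystem path remains.
        socket=`/usr/bin/awk '/^#/ {next}; /^MilterSocket[     ]/ {r = $2};
                        END {sub(/^(unix|local):/, "", r); print r}' ${required_files}`
        clamav_milter_user=`/usr/bin/awk 'BEGIN {r = "clamav"};
                        /^#/ {next}; /^User[    ]/ {r = $2};
                        END {print r}' ${required_files}`
fi

clamav_milter_precmd()
{
        # Remove a stale socket only when it is a filesystem path;
        # inet:/inet6: sockets leave nothing to unlink.
        case "${socket}" in
        /*)     /bin/rm -f "${socket}" ;;
        esac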
        if [ -n "${logfile}" ]; then
                /usr/bin/touch ${logfile}
                /usr/sbin/chown ${clamav_milter_user} ${logfile}
        fi
        if [ -n "${pidfile}" ]; then
                /usr/bin/touch ${pidfile}
                /usr/sbin/chown ${clamav_milter_user} ${pidfile}
        fi
}

clamav_milter_stopcmd()
{
        # Workaround bug when clamd is built against pth by send TERM to
        # clamd, then forcing it to start a worker thread that exits.
        # This forces the main thread to awaken and realize that it's
        # supposed to shutdown.
        #
        echo "Stopping ${name}."
        doit="/usr/bin/su -m ${clamav_milter_user} -c \"kill -TERM $rc_pid\""
        if ! eval $doit && [ -z "$rc_force" ]; then
                return 1
        fi
        #${scan_command} --quiet ${scan_command} 2>/dev/null
        wait_for_pids $rc_pid
}

if [ -f /etc/rc.subr -a -f /etc/rc.conf \
     -a -d /etc/rc.d -a -f /etc/rc.d/DAEMON ]; then
        load_rc_config $name
        run_rc_command "$1"
else
        echo -n " ${name}"
        eval ${start_precmd}
        ${command} ${clamav_milter_flags} ${command_args}
fi

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: pkg-manager->taca
Responsible-Changed-By: leot@NetBSD.org
Responsible-Changed-When: Sat, 15 Feb 2020 13:02:31 +0000
Responsible-Changed-Why:
Takahiro, can you please give a look? (as last updater)

(The update was done and it would be nice to request a pullup
for 2019Q4; the clamav-milter script, though,
was not added.)


From: "Benny Siegert" <bsiegert@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/54951 CVS commit: [pkgsrc-2019Q4] pkgsrc/security/clamav
Date: Sat, 22 Feb 2020 19:45:06 +0000

 Module Name:	pkgsrc
 Committed By:	bsiegert
 Date:		Sat Feb 22 19:45:06 UTC 2020

 Modified Files:
 	pkgsrc/security/clamav [pkgsrc-2019Q4]: Makefile.common distinfo

 Log Message:
 Pullup ticket #6137 - requested by taca
 security/clamav: security fix + partial fix for PR pkg/54951

 Revisions pulled up:
 - security/clamav/Makefile                                      1.60-1.62
 - security/clamav/Makefile.common                               1.14-1.15
 - security/clamav/distinfo                                      1.32

 ---
    Module Name:    pkgsrc
    Committed By:   ryoon
    Date:           Sun Jan 12 20:20:50 UTC 2020

    Modified Files:
            pkgsrc/security/clamav: Makefile

    Log Message:
    *: Recursive revbump from devel/boost-libs

 ---
    Module Name:    pkgsrc
    Committed By:   jperkin
    Date:           Sat Jan 18 21:51:16 UTC 2020

    Modified Files:
            pkgsrc/security/clamav: Makefile

    Log Message:
    *: Recursive revision bump for openssl 1.1.1.

 ---
    Module Name:    pkgsrc
    Committed By:   rillig
    Date:           Sun Jan 26 17:32:28 UTC 2020

    Modified Files:
            pkgsrc/security/clamav: Makefile.common

    Log Message:
    all: migrate homepages from http to https

    pkglint -r --network --only "migrate"

    As a side-effect of migrating the homepages, pkglint also fixed a few
    indentations in unrelated lines. These and the new homepages have been
    checked manually.

 ---
    Module Name:    pkgsrc
    Committed By:   taca
    Date:           Sat Feb 15 02:40:43 UTC 2020

    Modified Files:
            pkgsrc/security/clamav: Makefile Makefile.common distinfo

    Log Message:
    security/clamav: update to 0.102.2

    Update clamav to 0.102.2.

    ## 0.102.2

    ClamAV 0.102.2 is a bug patch release to address the following issues.

    - [CVE-2020-3123](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123):
      A Denial-of-Service (DoS) condition may occur when using the optional credit
      card data-loss-prevention (DLP) feature. Improper bounds checking of an
      unsigned variable resulted in an out-of-bounds read which causes a crash.

    - Significantly improved scan speed of PDF files on Windows.

    - Re-applied a fix to alleviate file access issues when scanning RAR files in
      downstream projects that use libclamav where the scanning engine is operating
      in a low-privilege process. This bug was originally fixed in 0.101.2 and the
      fix was mistakenly omitted from 0.102.0.

    - Fixed an issue wherein freshclam failed to update if the database version
      downloaded is 1 version older than advertised. This situation may occur after
      a new database version is published. The issue affected users downloading the
      whole CVD database file.

    - Changed the default freshclam ReceiveTimeout setting to 0 (infinite).
      The ReceiveTimeout had caused needless database update failures for users with
      slower internet connections.

    - Correctly display number of kilobytes (KiB) in progress bar and reduced the
      size of the progress bar to accommodate 80-char width terminals.

    - Fixed an issue where running freshclam manually causes a daemonized freshclam
      process to fail when it updates because the manual instance deletes the
      temporary download directory. Freshclam temporary files will now download to a
      unique directory created at the time of an update instead of using a hardcoded
      directory created/destroyed at the program start/exit.

    - Fix for Freshclam's OnOutdatedExecute config option.

    - Fixes a memory leak in the error condition handling for the email parser.

    - Improved bound checking and error handling in ARJ archive parser.

    - Improved error handling in PDF parser.

    - Fix for memory leak in byte-compare signature handler.

    - Updates to the unit test suite to support libcheck 0.13.

    - Updates to support autoconf 2.69 and automake 1.15.

    Special thanks to the following for code contributions and bug reports:

    - Antoine Deschênes
    - Eric Lindblad
    - Gianluigi Tiesi
    - Tuomo Soini


 To generate a diff of this commit:
 cvs rdiff -u -r1.13 -r1.13.4.1 pkgsrc/security/clamav/Makefile.common
 cvs rdiff -u -r1.31 -r1.31.4.1 pkgsrc/security/clamav/distinfo

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: bsiegert@NetBSD.org
State-Changed-When: Sat, 29 Feb 2020 10:45:39 +0000
State-Changed-Why:
Updated and pulled up.


From: Leonardo Taccari <leot@NetBSD.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: pkg/54951 (clamav 0.102.1 has security flaw and should be replaced)
Date: Sat, 29 Feb 2020 11:55:27 +0100

 bsiegert@NetBSD.org writes:
 > Synopsis: clamav 0.102.1 has security flaw and should be replaced
 >
 > State-Changed-From-To: open->closed
 > State-Changed-By: bsiegert@NetBSD.org
 > State-Changed-When: Sat, 29 Feb 2020 10:45:39 +0000
 > State-Changed-Why:
 > Updated and pulled up.
 >

 While it was updated and pulled up the clamav-milter rc.d script was
 not added.

 Maybe it is better to leave it open for that, no?

From: Takahiro Kambe <taca@NetBSD.org>
To: gnats-bugs@netbsd.org, leot@NetBSD.org
Cc: d.veselov@labma.ru, taca@netbsd.org
Subject: Re: pkg/54951 (clamav 0.102.1 has security flaw and should be
 replaced)
Date: Sat, 29 Feb 2020 20:07:20 +0900 (JST)

 In message <20200229110003.565521A9219@mollari.NetBSD.org>
 	on Sat, 29 Feb 2020 11:00:03 +0000 (UTC),
 	Leonardo Taccari <leot@NetBSD.org> wrote:
 >  While it was updated and pulled up the clamav-milter rc.d script was
 >  not added.
 >  
 >  Maybe it is better to leave it open for that, no?
 Yes, I think it should still be open.

 -- 
 Takahiro Kambe <taca@NetBSD.org>

Responsible-Changed-From-To: taca->pkg-manager
Responsible-Changed-By: leot@NetBSD.org
Responsible-Changed-When: Tue, 03 Mar 2020 00:05:53 +0000
Responsible-Changed-Why:
Over to pkg-manager (<taca> handled most part of them
except clamav-milter rc.d script addition)


State-Changed-From-To: closed->open
State-Changed-By: leot@NetBSD.org
State-Changed-When: Tue, 03 Mar 2020 00:05:53 +0000
State-Changed-Why:
<taca> updated it and requested a pullup, addressing
most important bits of this PR.

However, the clamav-milter rc.d script was not added.


State-Changed-From-To: open->closed
State-Changed-By: maya@NetBSD.org
State-Changed-When: Tue, 13 Oct 2020 03:10:15 +0000
State-Changed-Why:
The remaining issue was addressed by taca:

revision 1.7
date: 2020-09-14 19:54:35 +0300;  author: taca;  state: Exp;  lines: +2 -1;  commitid: Ignu2ul3DPvnl2oC;
security/clamav: add clamav-milter startup script

Add clamav-milter startup script.


Thanks for the report & patch! Thanks to taca for committing it.


>Unformatted:
