The 0.9x series introduces lots of improvements in terms of detection
rate and performance, like support for many new packers and decryptors,
RAR3 and SIS archives, and a new phishing signatures format that proves
to be very effective.
- freshclam: apply timeout patch from Everton da Silva Marques
<everton*lab.ipaccess.diveo.net.br> (new options: ConnectTimeout and
ReceiveTimeout)
- clamd: change stack size at the right place (closes bug#103)
Patch from Jonathan Chen <jon+clamav*spock.org>
- libclamav/petite.c: sanity check the number of rebuilt sections (speeds
up handling of malformed files)
(I tried to contact the MAINTAINER but got no reply. I'm using this in our
production systems so this should work just fine.)
* Bugfixes:
- libclamav/rebuildpe.c: fix possible heap overflow [IDEF1597]
- libclamav/chmunpack.c: fix possible crash [IDEF1736]
- freshclam/manager.c: "Cache-Control: no-cache" is now disabled by default.
If you're behind a broken proxy you can recompile freshclam with
--enable-no-cache.
Changes:
- libclamav/upx.c: fix possible heap overflow
See http://www.clamav.net/security/0.88.4.html for details.
- libclamav/tnef.c: handle trailing newline at the end of winmail.dat,
bug reported by Menno Smits <menno*netboxblue.com>
- freshclam/manager.c: fix possible infinite loop when read() fails
in get_database(), spotted by Everton da Silva Marques
<everton*lab.ipaccess.diveo.net.br>
and add a new helper target and script, "show-buildlink3", that outputs
a listing of the buildlink3.mk files included as well as the depth at
which they are included.
For example, "make show-buildlink3" in fonts/Xft2 displays:
zlib
fontconfig
iconv
zlib
freetype2
expat
freetype2
Xrender
renderproto
changes since 0.88:
* Bugfixes:
- libclamav/matcher.c: properly handle partial reads in cli_scandesc()
- libclamav/mbox.c: sync with CVS, fixes detection of Worm.Bagle.CT
- freshclam: fix support for LocalIPAddress
Patch by Anton Yuzhaninov <citrin*citrin.ru>
- docs/man: multiple manpage typo fixes
Patch by A. Costa <agcosta*gis.net>
- shared/output.c: properly handle return value of vsnprintf
Thanks to Anton Yuzhaninov <citrin*rambler-co.ru>
- libclamav/htmlnorm.c: fix typo spotted by Gianluigi Tiesi
<sherpya*netfarm.it>
- sigtool/sigtool.c: fix possible crash in build(), thanks to Sven
- clamd/session.c: remove static timeout (5s) for SESSION
Pointed out by Joseph Benden <joe*thrallingpenguin.com>
- libclamav/pe.c: fix possible integer overflow reported by Damian Put
Note: only exploitable if file size limit (ArchiveMaxFileSize) disabled
- libclamav/scanners.c: properly report archive unpacking errors
Problem spotted by David F. Skoll <dfs*roaringpenguin.com>
- libclamav/others.c: fix possible crash in cli_bitset_test()
Reported by David Luyer <david_luyer*pacific.net.au>
- libclamav/zziplib: fix possible crash on FreeBSD
Reported by Robert Rebbun <robert*desertsurf.com>
- clamav-milter: fall back if sendfile() fails
RECOMMENDED is removed. It becomes ABI_DEPENDS.
BUILDLINK_RECOMMENDED.foo becomes BUILDLINK_ABI_DEPENDS.foo.
BUILDLINK_DEPENDS.foo becomes BUILDLINK_API_DEPENDS.foo.
BUILDLINK_DEPENDS does not change.
IGNORE_RECOMMENDED (which defaulted to "no") becomes USE_ABI_DEPENDS
which defaults to "yes".
Added to obsolete.mk checking for IGNORE_RECOMMENDED.
I did not manually go through and fix any aesthetic tab/spacing issues.
I have tested the above patch on DragonFly building and packaging
subversion and pkglint and their many dependencies.
I have also tested USE_ABI_DEPENDS=no on my NetBSD workstation (where I
have used IGNORE_RECOMMENDED for a long time). I have been an active user
of IGNORE_RECOMMENDED since it was available.
As suggested, I removed the documentation sentences suggesting bumping for
"security" issues.
As discussed on tech-pkg.
I will commit to revbump, pkglint, pkg_install, createbuildlink separately.
Note that if you use wip, it will fail! I will commit to pkgsrc-wip
later (within a day).
INSTALL/DEINSTALL script creation within pkgsrc.
If an INSTALL or DEINSTALL script is found in the package directory,
it is automatically used as a template for the pkginstall-generated
scripts. If instead, they should be used simply as the full scripts,
then the package Makefile should set INSTALL_SRC or DEINSTALL_SRC
explicitly, e.g.:
INSTALL_SRC= ${PKGDIR}/INSTALL
DEINSTALL_SRC= # empty
As part of the restructuring of the pkginstall framework internals,
we now *always* generate temporary INSTALL or DEINSTALL scripts. By
comparing these temporary scripts with minimal INSTALL/DEINSTALL
scripts formed from only the base templates, we determine whether or
not the INSTALL/DEINSTALL scripts are actually needed by the package
(see the generate-install-scripts target in bsd.pkginstall.mk).
In addition, more variables in the framework have been made private.
The *_EXTRA_TMPL variables have been renamed to *_TEMPLATE, which are
more sensible names given the very few exported variables in this
framework. The only public variables relating to the templates are:
INSTALL_SRC INSTALL_TEMPLATE
DEINSTALL_SRC DEINSTALL_TEMPLATE
HEADER_TEMPLATE
The packages in pkgsrc have been modified to reflect the changes in
the pkginstall framework.
A possible heap overflow in the UPX code has been fixed. General improvements
include better zip and mail processing, and support for a self-protection mode.
The security of the UPX, FSG and Petite modules has been improved, too.
changes since 0.87:
* Bugfixes:
- libclamav/petite.c: fix boundary checks (acab)
- libclamav/mbox.c: scan attachments that have no filename (njh)
- libclamav/fsg.c: fix buffer size calculation in unfsg_133
Reported by Zero Day Initiative (ZDI-CAN-004)
- libclamav/tnef.c: fix possible infinite loop
Reported by iDEFENSE (IDEF1169).
- libclamav/mspack/cabd.c: fix possible infinite loop in cabd_find
(tk)
Reported by iDEFENSE (IDEF1180).
- clamd/others.c: fix compilation error on Cobalt Qube 1 (tk)
- clamd: properly handle ReadTimeout in SESSION (tk)
Bug reported by Kamil Kaczkowski <kamil*kamil.eisp.pl>
- libclamav/others.c,h: Add generic bitset implementation (trog)
- libclamav/ole2_extract.c: Make sure the property tree doesn't
loop (trog)
Fixes CAN-2005-3239. Installations with default settings were
not affected by this bug.
This version fixes vulnerabilities in handling of UPX and FSG compressed
executables. Support for PE files, Zip and Cabinet archives has been improved
and other small bugfixes have been made. The new option "--on-outdated-execute"
allows freshclam to run a command when the system reports a new engine version.
backslashes anymore. A single backslash is enough. Changed the
definition in all affected packages. For those that are not caught, an
additional check is placed into bsd.pkginstall.mk.
changes since 0.86.1:
V 0.86.2
* Fixes backported from CVS:
- configure.in: disable support for URLs downloading with libcurl
(--with-libcurl) by default (tk)
- libclamav/others.c: cli_rmdirs: fix possible infinite loop (tk)
Patch by Mark Pizzolato <clamav-devel*subscriptions.pizzolato.net>
- libclamav/mspack: Some cab archives were not properly decompressed (tk)
Problem reported by Diego d'Ambra <diego*clamav.net>
- libclamav/pe.c: cli_peheader: Sync entry point calculation with
cli_scanpe (tk)
Problem reported by Christoph Cordes <ccordes*clamav.net>
- configure.in: fix compilation error when curl is installed in
a non-standard location (tk)
Reported by Serge van den Boom <svdb*stack.nl>
- configure.in: Add support for DragonFly (tk)
Thanks to Joerg Sonnenberger <joerg*britannica.bec.de>
- clamscan/clamscan.c: Verify arguments passed to --max-dir-recursion and
--max-ratio (tk)
Problem reported by Jo Mills <Jonathan.Mills*frequentis.com>
- libclamav/fsg.c: Fix possible integer overflow (acab)
Reported by Alex Wheeler.
- libclamav/mbox.c: Fix name clash with glibc library (njh)
Reported by Brian Bruns <bruns at 2mbit.com>
- libclamav/others.c: Check for 0 byte allocations in cli_(m|c|re)alloc (tk)
- libclamav/chmunpack.c: Fix possible malloc overflow (trog)
Reported by Alex Wheeler.
- libclamav/tnef.c: Fix possible crash if the length field is 0 or negative
in headers (njh)
Reported by Alex Wheeler (alexbling at gmail.com)
- clamav-milter: Honour LogClean. Only syslog once when storing email in
quarantine (reported by Panagiotis Christias, christias at gmail.com).
Log database reloads to the LogFile (njh)
- clamav-milter: Changed the default child_timeout to 5 minutes. Keep a
copy of the trie root in privdata. Removed trylock/unlock code in
clamfi_abort (njh)
(as with NetBSD 2, for instance), but pkgsrc sendmail 8.13 is installed,
then clamav will attempt to use the 8.13 milter API, and fail linking.
(It probably should use an autoconf symbol test instead.)
This change forces an API at least new enough to match the latest version
offered via pkgsrc; and since libmilter is a static library, it still
ends up with no runtime DEPENDS.
No PKGREVISION bump required, as milter is a non-default option.
changes since 0.85.1:
Thu Jun 23 23:13:41 CEST 2005
-----------------------------
V 0.86.1
- libclamav/mspack/qtmd.c: fix possible crash (tk)
Reported by Andrew Toller <atoller*connectfree.co.uk>
and Stefan Kanthak <stefan.kanthak*fujitsu-siemens.com>
Sun Jun 19 21:37:07 CEST 2005
-----------------------------
V 0.86
- libclamav/mspack/cabd.c: fix possible infinite loop (tk)
- libclamav/cvd.c: fix potential directory traversal in cvd unpacker (a low
risk problem since all databases are digitally signed). Pointed out by
Florian Weimer <fw*deneb.enyo.de> (tk)
- libclamav/zziplib/zzip-file.c: add method id for AES encrypted archives
(thanks to David Majorel <dm*lagoon.nc>) (tk)
- clamscan/manager.c: better message on zip/rar unpacking error (tk)
- libclamav/mbox.c: Fix mishandling of fast track uuencoded files (njh)
- clamav-milter: Better error message if the white-list file can't be
opened (njh)
- clamav-milter: When loading a new database when not in external mode,
keep scanning with the old one rather than hold up incoming mails while
waiting for clamav-milter to become idle then reloading the database (njh)
- libclamav/others.c: print warnings and errors in single call to write
(thanks to Denis Vlasenko <vda*ilport.com.ua>) (tk)
- clamscan/others.c: enable REG_EXTENDED in match_regex (tk)
- libclamav/scanners.c: fix file descriptor leaks if cli_msexpand() returns
an error in cli_scanszdd, patch by Mark Pizzolato (tk)
- libclamav/scanners.c: fix file descriptor leak in error path (out of mem)
in cli_scangzip(), patch by Mark Pizzolato (tk)
- clamd/scanner.c: fix error path for a read timeout which logged messages
indicating that both a timeout and a poll error occurred (patch by Mark
Pizzolato <clamav-devel*subscriptions.pizzolato.net>) (tk)
- libclamav: Extract TNEF files even when the filename isn't known,
problem reported by John Miller (contact*glideslopesoftware.co.uk) (njh)
A problem where an email with more than one content-disposition type line,
one or more of which was empty, could crash libclamav has been fixed. Other
minor bugfixes have been made.
- freshclam/manager.c: fix socket descriptor leak in --no-dns mode (patch
by GertJan Spoelman <cav*gjs.cc>) (tk)
- clamscan, freshclam: return with 62 (instead of 1) when logger can't be
initialized (tk)
- libclamav/matcher-ac.c, libclamav/matcher-bm.c: fix detection problem
with *.ndb OLE2 signatures (problem reported by Trog) (tk)
- fix signature offset calculation in large files (problem reported by
Christoph) (tk)
- clamav-milter: print segfault diagnostic, even if print_trace is not
available (njh)
- sigtool/sigtool.c: fix support for *.fp databases (tk)
- clamav-milter: Better handling of log file errors. Always send 451 when
loading a new database when --external is not set (njh)
- libclamav/tnef.c: If a parse fails and debugging is on, the file being
scanned is dumped to a temporary file (njh)
- libclamav/scanners.c: do not report I/O error with encrypted zips (tk)
Changes:
-) libclamav:
+ JPEG exploit detector now also checks embedded Photoshop thumbnail images
+ archive meta-data scanner (improves malware detection within encrypted
archives)
+ support for TNEF (winmail.dat) decoding
+ support for all tar archive formats
+ MD5 implementation replaced with a slightly faster one
+ improved database reloading with reference counter
+ database updateable false positive eliminator
+ speed improvements
+ various bugfixes
-) clamd:
+ VirusEvent now sets CLAM_VIRUSEVENT_FILENAME and CLAM_VIRUSEVENT_VIRUSNAME
environment variables
-) clamav-milter:
+ improved database update detection when not --external
-) clamscan:
+ new options --include-dir and --exclude-dir
+ new option --max-dir-recursion
-) freshclam:
+ new directive LocalIPAddress
And always is defined as share/examples/rc.d
which was the default before.
These rc.d scripts are also not automatically added to PLISTs now.
So add to each corresponding PLIST as required.
This was discussed on tech-pkg in late January and late April.
Todo: remove the RCD_SCRIPTS_EXAMPLEDIR uses in MESSAGES and elsewhere
and remove the RCD_SCRIPTS_EXAMPLEDIR itself.
changes since 0.82 (summarized):
* clamd: change default value of StreamMaxPort to 2048
* freshclam: add support for Foreground (requested by Jeremy Kitchen
<kitchen*scriptkitchen.com>)
* clamav-milter: Added --whitelist-file and --sendmail-cf options
When in SESSION mode, not all sessions would send END
other changes are documentation and misc. bug fixes.