Commit graph

101 commits

Author SHA1 Message Date
taca
f2ef09dc7e security/clamav: update to 0.103.7
0.103.7 (2022-07-26)

ClamAV 0.103.7 is a critical patch release with the following fixes:

* Upgrade the vendored UnRAR library to version 6.1.7.

* Fix logical signature "Intermediates" feature.

* Relax constraints on slightly malformed zip archives that contain
  overlapping file entries.
2022-08-10 13:38:00 +00:00
taca
3b485de1e9 security/clamav: update to 0.103.6
0.103.6 (2022-05-04)

ClamAV 0.103.6 is a critical patch release with the following fixes:

- [CVE-2022-20770](CVE-2022-20770): Fixed a possible infinite loop vulnerability
  in the CHM file parser.
  Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and
  prior versions.
  Thank you to Michał Dardas for reporting this issue.

- [CVE-2022-20796](CVE-2022-20796): Fixed a possible NULL-pointer dereference
  crash in the scan verdict cache check.
  Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2.
  Thank you to Alexander Patrakov and Antoine Gatineau for reporting this issue.

- [CVE-2022-20771](CVE-2022-20771): Fixed a possible infinite loop vulnerability
  in the TIFF file parser.
  Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and
  prior versions.
  The issue only occurs if the "--alert-broken-media" ClamScan option is
  enabled. For ClamD, the affected option is "AlertBrokenMedia yes", and for
  libclamav it is the "CL_SCAN_HEURISTIC_BROKEN_MEDIA" scan option.
  Thank you to Michał Dardas for reporting this issue.

- [CVE-2022-20785](CVE-2022-20785): Fixed a possible memory leak in the
  HTML file parser / Javascript normalizer.
  Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and
  prior versions.
  Thank you to Michał Dardas for reporting this issue.

- [CVE-2022-20792](CVE-2022-20792): Fixed a possible multi-byte heap buffer
  overflow write vulnerability in the signature database load module.
  The fix was to update the vendored regex library to the latest version.
  Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and
  prior versions.
  Thank you to Michał Dardas for reporting this issue.

- ClamOnAcc: Fixed a number of assorted stability issues and added niceties for
  debugging ClamOnAcc. Patches courtesy of Frank Fegert.

- Fixed an issue causing byte-compare subsignatures to cause an alert when they
  match even if other conditions of the given logical signatures were not met.

- Fix memleak when using multiple byte-compare subsignatures.
  This fix was backported from 0.104.0.
  Thank you to Andrea De Pasquale for contributing the fix.

- Assorted bug fixes and improvements.

Special thanks to the following people for code contributions and bug reports:
- Alexander Patrakov
- Andrea De Pasquale
- Antoine Gatineau
- Frank Fegert
- Michał Dardas
2022-05-05 00:44:07 +00:00
adam
f5e35d538b revbump for textproc/icu update 2022-04-18 19:09:40 +00:00
taca
96d637a4a8 security/clamav: update to 0.103.5
0.103.5 (2022-01-12)

ClamAV 0.103.5 is a critical patch release with the following fixes:

* CVE-2022-20698<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20698>:
  Fix for invalid pointer read that may cause a crash. This issue affects
  0.104.1, 0.103.4 and prior when ClamAV is compiled with libjson-c and the
  CL_SCAN_GENERAL_COLLECT_METADATA scan option (the clamscan --gen-json
  option) is enabled.

  Cisco would like to thank Laurent Delosieres of ManoMano for reporting
  this vulnerability.

* Fixed ability to disable the file size limit with libclamav C API, like
  this:

  cl_engine_set_num(engine, CL_ENGINE_MAX_FILESIZE, 0);

  This issue didn't affect ClamD or ClamScan which also can disable the
  limit by setting it to zero using MaxFileSize 0 in clamd.conf for ClamD,
  or clamscan --max-filesize=0 for ClamScan.

  Note: Internally, the max file size is still set to 2 GiB. Disabling the
  limit for a scan will fall back on the internal 2 GiB limitation.

* Increased the maximum line length for ClamAV config files from 512 bytes
  to 1,024 bytes to allow for longer config option strings.

* SigTool: Fix insufficient buffer size for --list-sigs that caused a
  failure when listing a database containing one or more very long
  signatures. This fix was backported from 0.104.

Special thanks to the following for code contributions and bug reports:

* Laurent Delosieres
2022-01-13 15:28:22 +00:00
adam
b6d9bd86bc revbump for icu and libffi 2021-12-08 16:01:42 +00:00
taca
9f8416394e security/clamav: update to 0.103.4
ClamAV 0.103.4 is a critical patch release with the following fixes:

- FreshClam:
  - Add a 24-hour cool-down for FreshClam clients that have received an HTTP
    403 (Forbidden) response from the CDN.
    This is to reduce the volume of 403-response data served to blocked
    FreshClam clients that are configured with a tight update-loop.
  - Fixed a bug where FreshClam treats an empty CDIFF as an incremental update
    failure instead of as an intentional request to download the whole CVD.

- ClamDScan: Fix a scan error when broken symlinks are encountered on macOS with
  "FollowDirectorySymlinks" and "FollowFileSymlinks" options disabled.

- Overhauled the scan recursion / nested archive extraction logic and added new
  limits on embedded file-type recognition performed during the "raw" scan of
  each file. This limits embedded file-type misidentification and prevents
  detecting embedded file content that is found/extracted and scanned at other
  layers in the scanning process.

- Fix an issue with the FMap module that failed to read from some nested files.

- Fixed an issue where failing to load some rules from a Yara file containing
  multiple rules may cause a crash.

- Fixed assorted compiler warnings.

- Fixed assorted Coverity static code analysis issues.

- Scan limits:
  - Added virus-name suffixes to the alerts that trigger when a scan limit has
    been exceeded. Rather than simply `Heuristics.Limits.Exceeded`, you may now
    see limit-specific virus-names, to include:
    - `Heuristics.Limits.Exceeded.MaxFileSize`
    - `Heuristics.Limits.Exceeded.MaxScanSize`
    - `Heuristics.Limits.Exceeded.MaxFiles`
    - `Heuristics.Limits.Exceeded.MaxRecursion`
    - `Heuristics.Limits.Exceeded.MaxScanTime`
  - Renamed the `Heuristics.Email.ExceedsMax.*` alerts to align with the other
    limit alerts names. These alerts include:
    - `Heuristics.Limits.Exceeded.EmailLineFoldcnt`
    - `Heuristics.Limits.Exceeded.EmailHeaderBytes`
    - `Heuristics.Limits.Exceeded.EmailHeaders`
    - `Heuristics.Limits.Exceeded.EmailMIMEPartsPerMessage`
    - `Heuristics.Limits.Exceeded.EmailMIMEArguments`
  - Fixed an issue where the Email-related scan limits would alert even when the
    "AlertExceedsMax" (`--alert-exceeds-max`) scan option is not enabled.
  - Fixes an issue in the Zip parser where exceeding the "MaxFiles" limit or
    the "MaxFileSize" limit would abort the scan but would fail to alert.
    The Zip scan limit issues were independently identified and reported by
    Aaron Leliaert and Max Allan.

- Fixed a leak in the Email parser when using the `--gen-json` scan option.

- Fixed an issue where a failure to record metadata in the Email parser when
  using the `--gen-json` scan option could cause the Email parser to abort the
  scan early and fail to extract and scan additional content.

- Fixed a file name memory leak in the Zip parser.

- Fixed an issue where certain signature patterns may cause a crash or cause
  unintended matches on some systems when converting characters to uppercase if
  a UTF-8 unicode single-byte grapheme becomes a multi-byte grapheme.
  Patch courtesy of Andrea De Pasquale.

Other fixes backported from 0.104.0:

- Fixed a crash in programs that use libclamav when the programs don't set a
  callback for the "virus found" event.
  Patch courtesy of Markus Strehle.

- Added checks to the the SIS archive parser to prevent an SIS file entry from
  pointing to the archive, which would result in a loop. This was not an actual
  infinite loop, as ClamAV's scan recursion limit limits the depth of nested
  archive extraction.

- ClamOnAcc: Fixed a socket file descriptor leak that could result in a crash
  when all available file descriptors are exhausted.

- FreshClam: Fixed an issue where FreshClam would download a CVD repeatedly if a
  zero-byte CDIFF is downloaded or if the incremental update failed and if the
  CVD downloaded after that is older than advertised.
  Patch courtesy of Andrew Williams.

- ClamDScan:
  - Fixed a memory leak of the scan target filename when using the
    `--fdpass` or `--stream` options.
  - Fixed an issue where ClamDScan would fail to scan any file after excluding
    a file with the "ExcludePath" option when using when using the `--multiscan`
    (`-m`) option along with either `--fdpass` or `--stream`.
    Also fixed a memory leak of the accidentally-excluded paths in this case.
  - Fixed a single file path memory leak when using `--fdpass`.
  - Fixed an issue where the "ExcludePath" regex may fail to exclude absolute
    paths when the scan is invoked with a relative path.

Special thanks to the following for code contributions and bug reports:
- Aaron Leliaert
- Andrea De Pasquale
- Andrew Williams
- Markus Strehle
- Max Allan
2021-11-08 14:49:23 +00:00
nia
3df0f20e22 security: Replace RMD160 checksums with BLAKE2s checksums
All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
2021-10-26 11:16:56 +00:00
nia
fa4b2904a6 security: Remove SHA1 hashes for distfiles 2021-10-07 14:53:40 +00:00
adam
5e7c36d9d2 revbump for boost-libs 2021-09-29 19:00:02 +00:00
jperkin
e9f20c268e clamav: Support GCC >= 10. 2021-09-28 12:59:40 +00:00
taca
dd00dd1c84 security/clamav: update to 0.103.2
0.103.2 (2021-04-07)

ClamAV 0.103.2 is a security patch release with the following fixes:

* CVE-2021-1386: Fix for UnRAR DLL load privilege escalation.  Affects
  0.103.1 and prior on Windows only.

* CVE-2021-1252: Fix for Excel XLM parser infinite loop.  Affects 0.103.0
  and 0.103.1 only.

* CVE-2021-1404: Fix for PDF parser buffer over-read; possible crash.
  Affects 0.103.0 and 0.103.1 only.

* CVE-2021-1405: Fix for mail parser NULL-dereference crash.  Affects
  0.103.1 and prior.

* Fix possible memory leak in PNG parser.

* Fix ClamOnAcc scan on file-creation race condition so files are scanned
  after their contents are written.

* FreshClam: Deprecate the SafeBrowsing config option.  The SafeBrowsing
  option will no longer do anything.

* For more details, see our blog post from last year about the future of the
  ClamAV Safe Browsing database.

* Tip: If creating and hosting your own safebrowing.gdb database, you can
  use the DatabaseCustomURL option in freshclam.conf to download it.

* FreshClam: Improved HTTP 304, 403, & 429 handling.

* FreshClam: Added back the mirrors.dat file to the database directory.
  This new mirrors.dat file will store:

	- A randomly generated UUID for the FreshClam User-Agent.
	- A retry-after timestamp that so FreshClam won't try to update
          after having received an HTTP 429 response until the Retry-After
          timeout has expired.

* FreshClam will now exit with a failure in daemon mode if an HTTP 403
  (Forbidden) was received, because retrying later won't help any.  The
  FreshClam user will have to take actions to get unblocked.

* Fix the FreshClam mirror-sync issue where a downloaded database is "older
  than the version advertised."

* If a new CVD download gets a version that is older than advertised,
  FreshClam will keep the older version and retry the update so that the
  incremental update process (CDIFF patch process) will update to the latest
  version.
2021-06-03 15:47:34 +00:00
adam
da0a125726 revbump for boost-libs 2021-04-21 13:24:06 +00:00
adam
9d0e79c401 revbump for textproc/icu 2021-04-21 11:40:12 +00:00
taca
1d62cf0ef0 security/clamav: update to 0.103.1
0.103.1 (2021-01-31)

ClamAV 0.103.1 is a patch release with the following fixes and improvements.

Notable changes

* Added a new scan option to alert on broken media (graphics) file formats.
  This feature mitigates the risk of malformed media files intended to
  exploit vulnerabilities in other software.  At present media validation
  exists for JPEG, TIFF, PNG, and GIF files.  To enable this feature, set
  AlertBrokenMedia yes in clamd.conf, or use the --alert-broken-media option
  when using clamscan.  These options are disabled by default in this patch
  release, but may be enabled in a subsequent release.  Application
  developers may enable this scan option by enabling
  CL_SCAN_HEURISTIC_BROKEN_MEDIA for the heuristic scan option bit field.

* Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF, PNG typing behavior.
  BMP and JPEG 2000 files will continue to detect as CL_TYPE_GRAPHICS
  because ClamAV does not yet have BMP or JPEG 2000 format checking
  capabilities.

Bug fixes

* Fixed PNG parser logic bugs that caused an excess of parsing errors and
  fixed a stack exhaustion issue affecting some systems when scanning PNG
  files.  PNG file type detection was disabled via signature database update
  for ClamAV version 0.103.0 to mitigate the effects from these bugs.

* Fixed an issue where PNG and GIF files no longer work with Target:5
  graphics signatures if detected as CL_TYPE_PNG/GIF rather than as
  CL_TYPE_GRAPHICS.  Target types now support up to 10 possible file types
  to make way for additional graphics types in future releases.

* Fixed clamonacc's --fdpass option.

* File descriptor passing (or "fd-passing") is a mechanism by which
  clamonacc and clamdscan may transfer an open file to clamd to scan, even
  if clamd is running as a non-privileged user and wouldn't otherwise have
  read-access to the file.  This enables clamd to scan all files without
  having to run clamd as root.  If possible, clamd should never be run as
  root so as to mitigate the risk in case clamd is somehow compromised while
  scanning malware.

* Interprocess file descriptor passing for clamonacc was broken since
  version 0.102.0 due to a bug introduced by the switch to curl for
  communicating with clamd.  On Linux, passing file descriptors from one
  process to another is handled by the kernel, so we reverted clamonacc to
  use standard system calls for socket communication when fd passing is
  enabled.

* Fixed a clamonacc stack corruption issue on some systems when using an
  older version of libcurl.  Patch courtesy of Emilio Pozuelo Monfort.

* Allow clamscan and clamdscan scans to proceed even if the realpath lookup
  failed.  This alleviates an issue on Windows scanning files hosted on
  file- systems that do not support the GetMappedFileNameW() API such as on
  ImDisk RAM-disks.

* Fixed freshclam --on-update-execute=EXIT_1 temporary directory cleanup
  issue.

* clamd's log output and VirusEvent now provide the scan target's file path
  instead of a file descriptor.  The clamd socket API for submitting a scan
  by FD-passing doesn't include a file path, this feature works by looking
  up the file path by file descriptor.  This feature works on Mac and Linux
  but is not yet implemented for other UNIX operating systems.  FD-passing
  is not available for Windows.

* Fixed an issue where freshclam database validation didn't work correctly
  when run in daemon mode on Linux/Unix.

Other improvements

* Scanning JPEG, TIFF, PNG, and GIF files will no longer return "parse"
  errors when file format validation fails.  Instead, the scan will alert
  with the "Heuristics.Broken.Media" signature prefix and a descriptive
  suffix to indicate the issue, provided that the "alert broken media"
  feature is enabled.

* GIF format validation will no longer fail if the GIF image is missing the
  trailer byte, as this appears to be a relatively common issue in otherwise
  functional GIF files.

* Added a TIFF dynamic configuration (DCONF) option, which was missing.
  This will allow us to disable TIFF format validation via signature
  database update in the event that it proves to be problematic.  This
  feature already exists for many other file types.

Acknowledgements

The ClamAV team thanks the following individuals for their code submissions:

Emilio Pozuelo Monfort
2021-02-28 17:14:10 +00:00
ryoon
4675ccbc79 *: Recursive revbump from textproc/icu-68.1 2020-11-05 09:06:42 +00:00
taca
2a4bc1cbe3 security/clamav: update to 0.103.0
Update clamav package to 0.103.0.


Quote from release announce:

ClamAV 0.103.0 highlights

With your feedback on the previous candidates, we've fixed these additional
issues:

* The freshclam PID file was not readable by other users in previous release
  candidates but is now readable by all.
* An issue with how freshclam was linked with the autotools build system
  caused SysLog settings to be ignored.
* The real-path checks introduced to clamscan and clamdscan in 0.102.4 broke
  scanning of some files with Unicode filenames and files on network shares
  for Windows users.

Thanks to the users for your help in fixing these bugs.

Major changes

* clamd can now reload the signature database without blocking
  scanning. This multi-threaded database reload improvement was made
  possible thanks to a community effort.

* Non-blocking database reloads are now the default behavior. Some systems
  that are more constrained on RAM may need to disable non-blocking reloads,
  as it will temporarily consume double the amount of memory. We added a new
  clamd config option ConcurrentDatabaseReload, which may be set to no.

Special thanks to those who made this feature a reality:

* Alberto Wu
* Alexander Sulfrian
* Arjen de Korte
* David Heidelberg
* Ged Haywood
* Julius Plenz
* Michael Orlitzky

Notable changes

* The DLP module has been enhanced with additional credit card ranges and a
  new engine option that allows ClamAV to alert only on credit cards (and
  not, for instance, gift cards) when scanning with the DLP module. John
  Schember developed this feature, with input from Alexander Sulfrian.
* We added support for Adobe Reader X PDF encryption and overhauled the
  PNG-scanning tool to detect PNG-specific exploits. We also made a major
  change to GIF parsing that now makes it more tolerant of problematic files
  and adds the ability to scan overlays, all thanks to work and patches
  submitted by Aldo Mazzeo.
* clamdtop.exe is now available for Windows users. The functionality is
  somewhat limited when compared to clamdtop on Linux. PDCurses is required
  to build clamdtop.exe for ClamAV on Windows.
* The phishing detection module will now print "Suspicious link found!"
  along with the "Real URL" and "Display URL" each time ClamAV detects
  phishing. In a future version, we would like to print out alert-related
  metadata like this at the end of a scan, but for now, this detail will
  help users understand why a given file is being flagged as phishing.
* Added new *experimental* CMake build tooling. CMake is not yet recommended
  for production builds. Our team would appreciate any assistance improving
  the CMake build tooling so we can one day deprecate autotools and remove
  the Visual Studio solutions.

	- Please see the new CMake installation instructions found in
          INSTALL.cmake.md for detailed instructions on how to build ClamAV
          with CMake.

* Added --ping and --wait options to the clamdscan and clamonacc client
  applications.

* The --ping (-p) command will attempt to ping clamd up to a specified
   maximum number of attempts at an optional interval. If the interval isn't
   specified, a default one-second interval is used. It will exit with
   status code `0` when it receives a PONG from clamd or status code `21` if
   the timeout expires before it receives a response.
2020-09-19 13:41:42 +00:00
jperkin
0c63258658 clamav: Explicitly set SMF_METHODS.
RCD_SCRIPTS changes depending on configured options, and clamav-milter
is launched directly from the manifest without a separate method script.
2020-09-17 16:16:38 +00:00
taca
94b734ae5c security/clamav: add clamav-milter startup script
Add clamav-milter startup script.

Bump PKGREVISION.
2020-09-14 16:54:35 +00:00
taca
b54e9cd017 security/clamav: update to 0.102.4
Update clamav to 0.102.4.


## 0.102.4

ClamAV 0.102.4 is a bug patch release to address the following issues.

- [CVE-2020-3350](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3350):
  Fix a vulnerability wherein a malicious user could replace a scan target's
  directory with a symlink to another path to trick clamscan, clamdscan, or
  clamonacc into removing or moving a different file (eg. a critical system
  file). The issue would affect users that use the --move or --remove options
  for clamscan, clamdscan, and clamonacc.

  For more information about AV quarantine attacks using links, see the
  [RACK911 Lab's report](https://www.rack911labs.com/research/exploiting-almost-every-antivirus-software).

- [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
  Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.3 that
  could cause a Denial-of-Service (DoS) condition. Improper bounds checking
  results in an out-of-bounds read which could cause a crash.
  The previous fix for this CVE in 0.102.3 was incomplete. This fix correctly
  resolves the issue.

- [CVE-2020-3481](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3481):
  Fix a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3
  could cause a Denial-of-Service (DoS) condition. Improper error handling
  may result in a crash due to a NULL pointer dereference.
  This vulnerability is mitigated for those using the official ClamAV
  signature databases because the file type signatures in daily.cvd
  will not enable the EGG archive parser in versions affected by the
  vulnerability.
2020-07-17 04:48:32 +00:00
adam
6bd0c30da6 Revbump for icu 2020-06-02 08:22:31 +00:00
adam
d62c903eea revbump after updating security/nettle 2020-05-22 10:55:42 +00:00
nia
4bb58570a7 Recursive revbump for json-c-0.14 2020-05-19 12:09:07 +00:00
taca
ef758b9905 security/clamav: update to 0.102.3
Update clamav to 0.102.3.


## 0.102.3

ClamAV 0.102.3 is a bug patch release to address the following issues.

- [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
  Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that
  could cause a Denial-of-Service (DoS) condition. Improper bounds checking of
  an unsigned variable results in an out-of-bounds read which causes a crash.

  Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ
  parsing vulnerability.

- [CVE-2020-3341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3341):
  Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that
  could cause a Denial-of-Service (DoS) condition. Improper size checking of
  a buffer used to initialize AES decryption routines results in an out-of-
  bounds read which may cause a crash. Bug found by OSS-Fuzz.

- Fix "Attempt to allocate 0 bytes" error when parsing some PDF documents.

- Fix a couple of minor memory leaks.

- Updated libclamunrar to UnRAR 5.9.2.
2020-05-13 14:58:58 +00:00
adam
7d4b705c63 revbump after boost update 2020-05-06 14:04:05 +00:00
wiz
f669fda471 *: recursive bump for libffi 2020-03-08 16:47:24 +00:00
taca
2a4e61d1ed security/clamav: update to 0.102.2
Update clamav to 0.102.2.

## 0.102.2

ClamAV 0.102.2 is a bug patch release to address the following issues.

- [CVE-2020-3123](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123):
  An Denial-of-Service (DoS) condition may occur when using the optional credit
  card data-loss-prevention (DLP) feature. Improper bounds checking of an
  unsigned variable resulted in an out-of-bounds read which causes a crash.

- Significantly improved scan speed of PDF files on Windows.

- Re-applied a fix to alleviate file access issues when scanning RAR files in
  downstream projects that use libclamav where the scanning engine is operating
  in a low-privelege process. This bug was originally fixed in 0.101.2 and the
  fix was mistakenly omitted from 0.102.0.

- Fixed an issue wherein freshclam failed to update if the database version
  downloaded is 1 version older than advertised. This situation may occur after
  a new database version is published. The issue affected users downloading the
  whole CVD database file.

- Changed the default freshclam ReceiveTimeout setting to 0 (infinite).
  The ReceiveTimeout had caused needless database update failures for users with
  slower internet connections.

- Correctly display number of kilobytes (KiB) in progress bar and reduced the
  size of the progress bar to accomodate 80-char width terminals.

- Fixed an issue where running freshclam manually causes a daemonized freshclam
  process to fail when it updates because the manual instance deletes the
  temporary download directory. Freshclam temporary files will now download to a
  unique directory created at the time of an update instead of using a hardcoded
  directory created/destroyed at the program start/exit.

- Fix for Freshclam's OnOutdatedExecute config option.

- Fixes a memory leak in the error condition handling for the email parser.

- Improved bound checking and error handling in ARJ archive parser.

- Improved error handling in PDF parser.

- Fix for memory leak in byte-compare signature handler.

- Updates to the unit test suite to support libcheck 0.13.

- Updates to support autoconf 2.69 and automake 1.15.

Special thanks to the following for code contributions and bug reports:

- Antoine Deschênes
- Eric Lindblad
- Gianluigi Tiesi
- Tuomo Soini
2020-02-15 02:40:43 +00:00
rillig
9637f7852e all: migrate homepages from http to https
pkglint -r --network --only "migrate"

As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
2020-01-26 17:30:40 +00:00
jperkin
26c1bffc9f *: Recursive revision bump for openssl 1.1.1. 2020-01-18 21:48:19 +00:00
ryoon
eedd1e806f *: Recursive revbump from devel/boost-libs 2020-01-12 20:19:52 +00:00
taca
59e744eaa5 security/clamav: update to 0.102.1
Update clamav to 0.102.1.


## 0.102.1

ClamAV 0.102.1 is a security patch release to address the following issues.

- Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
  - [CVE-2019-15961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961)
    A Denial-of-Service (DoS) vulnerability may occur when scanning a specially
    crafted email file as a result of excessively long scan times. The issue is
    resolved by implementing several maximums in parsing MIME messages and by
    optimizing use of memory allocation.

- Build system fixes to build clamav-milter, to correctly link with libxml2 when
  detected, and to correctly detect fanotify for on-access scanning feature
  support.

- Signature load time is significantly reduced by changing to a more efficient
  algorithm for loading signature patterns and allocating the AC trie.
  Patch courtesy of Alberto Wu.

- Introduced a new configure option to statically link libjson-c with libclamav.
  Static linking with libjson is highly recommended to prevent crashes in
  applications that use libclamav alongside another JSON parsing library.

- Null-dereference fix in email parser when using the `--gen-json` metadata
  option.

- Fixes for Authenticode parsing and certificate signature (.crb database) bugs.

Special thanks to the following for code contributions and bug reports:

- Alberto Wu
- Joran Dirk Greef
- Reio Remma
2019-12-03 12:55:16 +00:00
prlw1
608c252f55 Substitute CLAMAV_DBDIR (the point of patch-etc.clam*.conf.sample) 2019-11-19 16:20:24 +00:00
jperkin
0730e40706 clamav: Fix install with the milter option enabled. 2019-10-31 11:22:15 +00:00
prlw1
570e39d8ca remove pkgrevision 2019-10-10 15:43:44 +00:00
prlw1
81299c4f8a Update clamav to 0.102.0
* The On-Access Scanning feature has been migrated out of clamd and
  into a brand new utility named clamonacc, which is disabled in this
  package as it is for Linux only.
* The freshclam database update utility has undergone a significant
  update. This includes:
     + Added support for HTTPS.
     + Support for database mirrors hosted on ports other than 80.
     + Removal of the mirror management feature (mirrors.dat).
     + An all new libfreshclam library API.
* Added support for extracting ESTsoft .egg archives. This feature is
  new code developed from scratch using ESTsoft's Egg-archive
  specification and without referencing the UnEgg library provided by
  ESTsoft. This was necessary because the UnEgg library's license
  includes restrictions limiting the commercial use of the UnEgg library.

Full release notes available at:
https://github.com/Cisco-Talos/clamav-devel/blob/rel/0.102/NEWS.md
2019-10-10 15:41:29 +00:00
nros
183164410c Fix clamav install when PKG_SYSCONFDIR not set to ${PREFIX}/etc
Use PKG_SYSCONFDIR when moving files to EGDIR.
Fixes install when PKG_SYSCONFDIR is set to something else than
${PREFIX}/etc
2019-10-05 20:52:52 +00:00
jperkin
89448d8dd8 clamav: Disable mapfile on SunOS.
There are a couple of functions that aren't defined, and this is easier than
patching (and doesn't impact other OS).
2019-09-06 09:22:49 +00:00
ryoon
edacf2bbcb Recursive revbump from boost-1.71.0 2019-08-22 12:22:48 +00:00
prlw1
2bbaa92ff0 Update clamav to 0.101.2
Remove rar support to workaround PR pkg/54420

  This release includes 3 extra security related bug fixes that do not
   apply to prior versions. In addition, it includes a number of minor bug
   fixes and improvements.
     * Fixes for the following vulnerabilities affecting 0.101.1 and
       prior:
          + CVE-2019-1787: An out-of-bounds heap read condition may occur
            when scanning PDF documents. The defect is a failure to
            correctly keep track of the number of bytes remaining in a
            buffer when indexing file data.
          + CVE-2019-1789: An out-of-bounds heap read condition may occur
            when scanning PE files (i.e. Windows EXE and DLL files) that
            have been packed using Aspack as a result of inadequate
            bound-checking.
          + CVE-2019-1788: An out-of-bounds heap write condition may occur
            when scanning OLE2 files such as Microsoft Office 97-2003
            documents. The invalid write happens when an invalid pointer
            is mistakenly used to initialize a 32bit integer to zero. This
            is likely to crash the application.
     * Fixes for the following ClamAV vulnerabilities:
          + CVE-2018-15378: Vulnerability in ClamAV's MEW unpacking
            feature that could allow an unauthenticated, remote attacker
            to cause a denial of service (DoS) condition on an affected
            device. Reported by Secunia Research at Flexera.
          + Fix for a 2-byte buffer over-read bug in ClamAV's PDF parsing
            code. Reported by Alex Gaynor.
     * Fixes for the following vulnerabilities in bundled third-party
       libraries:
          + CVE-2018-14680: An issue was discovered in mspack/chmd.c in
            libmspack before 0.7alpha. It does not reject blank CHM
            filenames.
          + CVE-2018-14681: An issue was discovered in kwajd_read_headers
            in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file
            header extensions could cause a one or two byte overwrite.
          + CVE-2018-14682: An issue was discovered in mspack/chmd.c in
            libmspack before 0.7alpha. There is an off-by-one error in the
            TOLOWER() macro for CHM decompression.
          + Additionally, 0.100.2 reverted 0.100.1's patch for
            CVE-2018-14679, and applied libmspack's version of the fix in
            its place.
     * Fixes for the following CVE's:
          + CVE-2017-16932: Vulnerability in libxml2 dependency (affects
            ClamAV on Windows only).
          + CVE-2018-0360: HWP integer overflow, infinite loop
            vulnerability. Reported by Secunia Research at Flexera.
          + CVE-2018-0361: ClamAV PDF object length check, unreasonably
            long time to parse relatively small file. Reported by aCaB.

For the full release notes, see:
https://github.com/Cisco-Talos/clamav-devel/blob/clamav-0.101.2/NEWS.md
2019-08-05 14:44:20 +00:00
wiz
c30c5fbc0b *: recursive bump for nettle 3.5.1 2019-07-20 22:45:58 +00:00
ryoon
57d0806c39 Recursive revbump from boost-1.70.0 2019-07-01 04:07:44 +00:00
rillig
3d3f1c0f0e security/clamav: remove unrecognized configure option --disable-clamav 2019-05-04 16:12:00 +00:00
szptvlfn
3153f2035e clamav: remove patch-ag
already #ifdef-ed
2019-04-13 08:48:22 +00:00
adam
5b12b7b592 revbump for boost 1.69.0 2018-12-13 19:51:31 +00:00
jperkin
950dcb0882 clamav: Fix build on SunOS C99. 2018-10-24 14:10:59 +00:00
adam
9d06c0a472 revbump after boost-libs update 2018-08-16 18:54:26 +00:00
adam
35aa3efc12 revbump for boost-libs update 2018-04-29 21:31:17 +00:00
prlw1
cecdc1eaad Update clamav to 0.99.4 (fixes build)
ClamAV 0.99.4 is a hotfix release to patch a set of vulnerabilities.

- fixes for the following CVE's: CVE-2012-6706, CVE-2017-6419,
  CVE-2017-11423, CVE-2018-0202, and CVE-2018-1000085.
- also included are 2 fixes for file descriptor leaks as well fixes for
  a handful of other important bugs, including patches to support g++ 6, C++11.
2018-03-21 06:55:57 +00:00
bouyer
27605b8608 Fix memory/file descriptor leak in cli_scanscript().
Bump PKGREVISION.
2018-01-26 16:26:57 +00:00
bouyer
44650970f1 Reset PKGREVISION, ride previous package version bump. 2018-01-26 16:24:32 +00:00
bouyer
5905717e06 Update clamav and clamav-doc to 0.99.3. Changes since 0.99.2:
Security release fixing CVE-2017-12374, CVE-2017-12375, CVE-2017-12376,
CVE-2017-12377, CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
Also included are 2 minor fixes to properly detect openssl install locations on FreeBSD 11, and prevent false warnings about zlib 1.2.1# version numbers.
2018-01-26 12:20:16 +00:00