Update clamav to 0.102.3.
## 0.102.3
ClamAV 0.102.3 is a bug patch release to address the following issues.
- [CVE-2020-3327](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3327):
Fix a vulnerability in the ARJ archive parsing module in ClamAV 0.102.2 that
could cause a Denial-of-Service (DoS) condition. Improper bounds checking of
an unsigned variable results in an out-of-bounds read which causes a crash.
Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ
parsing vulnerability.
- [CVE-2020-3341](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3341):
Fix a vulnerability in the PDF parsing module in ClamAV 0.101 - 0.102.2 that
could cause a Denial-of-Service (DoS) condition. Improper size checking of
a buffer used to initialize AES decryption routines results in an out-of-
bounds read which may cause a crash. Bug found by OSS-Fuzz.
- Fix "Attempt to allocate 0 bytes" error when parsing some PDF documents.
- Fix a couple of minor memory leaks.
- Updated libclamunrar to UnRAR 5.9.2.
Update clamav to 0.102.2.
## 0.102.2
ClamAV 0.102.2 is a bug patch release to address the following issues.
- [CVE-2020-3123](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123):
An Denial-of-Service (DoS) condition may occur when using the optional credit
card data-loss-prevention (DLP) feature. Improper bounds checking of an
unsigned variable resulted in an out-of-bounds read which causes a crash.
- Significantly improved scan speed of PDF files on Windows.
- Re-applied a fix to alleviate file access issues when scanning RAR files in
downstream projects that use libclamav where the scanning engine is operating
in a low-privelege process. This bug was originally fixed in 0.101.2 and the
fix was mistakenly omitted from 0.102.0.
- Fixed an issue wherein freshclam failed to update if the database version
downloaded is 1 version older than advertised. This situation may occur after
a new database version is published. The issue affected users downloading the
whole CVD database file.
- Changed the default freshclam ReceiveTimeout setting to 0 (infinite).
The ReceiveTimeout had caused needless database update failures for users with
slower internet connections.
- Correctly display number of kilobytes (KiB) in progress bar and reduced the
size of the progress bar to accomodate 80-char width terminals.
- Fixed an issue where running freshclam manually causes a daemonized freshclam
process to fail when it updates because the manual instance deletes the
temporary download directory. Freshclam temporary files will now download to a
unique directory created at the time of an update instead of using a hardcoded
directory created/destroyed at the program start/exit.
- Fix for Freshclam's OnOutdatedExecute config option.
- Fixes a memory leak in the error condition handling for the email parser.
- Improved bound checking and error handling in ARJ archive parser.
- Improved error handling in PDF parser.
- Fix for memory leak in byte-compare signature handler.
- Updates to the unit test suite to support libcheck 0.13.
- Updates to support autoconf 2.69 and automake 1.15.
Special thanks to the following for code contributions and bug reports:
- Antoine Deschênes
- Eric Lindblad
- Gianluigi Tiesi
- Tuomo Soini
pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
Update clamav to 0.102.1.
## 0.102.1
ClamAV 0.102.1 is a security patch release to address the following issues.
- Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
- [CVE-2019-15961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961)
A Denial-of-Service (DoS) vulnerability may occur when scanning a specially
crafted email file as a result of excessively long scan times. The issue is
resolved by implementing several maximums in parsing MIME messages and by
optimizing use of memory allocation.
- Build system fixes to build clamav-milter, to correctly link with libxml2 when
detected, and to correctly detect fanotify for on-access scanning feature
support.
- Signature load time is significantly reduced by changing to a more efficient
algorithm for loading signature patterns and allocating the AC trie.
Patch courtesy of Alberto Wu.
- Introduced a new configure option to statically link libjson-c with libclamav.
Static linking with libjson is highly recommended to prevent crashes in
applications that use libclamav alongside another JSON parsing library.
- Null-dereference fix in email parser when using the `--gen-json` metadata
option.
- Fixes for Authenticode parsing and certificate signature (.crb database) bugs.
Special thanks to the following for code contributions and bug reports:
- Alberto Wu
- Joran Dirk Greef
- Reio Remma
* The On-Access Scanning feature has been migrated out of clamd and
into a brand new utility named clamonacc, which is disabled in this
package as it is for Linux only.
* The freshclam database update utility has undergone a significant
update. This includes:
+ Added support for HTTPS.
+ Support for database mirrors hosted on ports other than 80.
+ Removal of the mirror management feature (mirrors.dat).
+ An all new libfreshclam library API.
* Added support for extracting ESTsoft .egg archives. This feature is
new code developed from scratch using ESTsoft's Egg-archive
specification and without referencing the UnEgg library provided by
ESTsoft. This was necessary because the UnEgg library's license
includes restrictions limiting the commercial use of the UnEgg library.
Full release notes available at:
https://github.com/Cisco-Talos/clamav-devel/blob/rel/0.102/NEWS.md
Remove rar support to workaround PR pkg/54420
This release includes 3 extra security related bug fixes that do not
apply to prior versions. In addition, it includes a number of minor bug
fixes and improvements.
* Fixes for the following vulnerabilities affecting 0.101.1 and
prior:
+ CVE-2019-1787: An out-of-bounds heap read condition may occur
when scanning PDF documents. The defect is a failure to
correctly keep track of the number of bytes remaining in a
buffer when indexing file data.
+ CVE-2019-1789: An out-of-bounds heap read condition may occur
when scanning PE files (i.e. Windows EXE and DLL files) that
have been packed using Aspack as a result of inadequate
bound-checking.
+ CVE-2019-1788: An out-of-bounds heap write condition may occur
when scanning OLE2 files such as Microsoft Office 97-2003
documents. The invalid write happens when an invalid pointer
is mistakenly used to initialize a 32bit integer to zero. This
is likely to crash the application.
* Fixes for the following ClamAV vulnerabilities:
+ CVE-2018-15378: Vulnerability in ClamAV's MEW unpacking
feature that could allow an unauthenticated, remote attacker
to cause a denial of service (DoS) condition on an affected
device. Reported by Secunia Research at Flexera.
+ Fix for a 2-byte buffer over-read bug in ClamAV's PDF parsing
code. Reported by Alex Gaynor.
* Fixes for the following vulnerabilities in bundled third-party
libraries:
+ CVE-2018-14680: An issue was discovered in mspack/chmd.c in
libmspack before 0.7alpha. It does not reject blank CHM
filenames.
+ CVE-2018-14681: An issue was discovered in kwajd_read_headers
in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file
header extensions could cause a one or two byte overwrite.
+ CVE-2018-14682: An issue was discovered in mspack/chmd.c in
libmspack before 0.7alpha. There is an off-by-one error in the
TOLOWER() macro for CHM decompression.
+ Additionally, 0.100.2 reverted 0.100.1's patch for
CVE-2018-14679, and applied libmspack's version of the fix in
its place.
* Fixes for the following CVE's:
+ CVE-2017-16932: Vulnerability in libxml2 dependency (affects
ClamAV on Windows only).
+ CVE-2018-0360: HWP integer overflow, infinite loop
vulnerability. Reported by Secunia Research at Flexera.
+ CVE-2018-0361: ClamAV PDF object length check, unreasonably
long time to parse relatively small file. Reported by aCaB.
For the full release notes, see:
https://github.com/Cisco-Talos/clamav-devel/blob/clamav-0.101.2/NEWS.md
ClamAV 0.99.4 is a hotfix release to patch a set of vulnerabilities.
- fixes for the following CVE's: CVE-2012-6706, CVE-2017-6419,
CVE-2017-11423, CVE-2018-0202, and CVE-2018-1000085.
- also included are 2 fixes for file descriptor leaks as well fixes for
a handful of other important bugs, including patches to support g++ 6, C++11.
Security release fixing CVE-2017-12374, CVE-2017-12375, CVE-2017-12376,
CVE-2017-12377, CVE-2017-12378, CVE-2017-12379, CVE-2017-12380.
Also included are 2 minor fixes to properly detect openssl install locations on FreeBSD 11, and prevent false warnings about zlib 1.2.1# version numbers.
If pcre2 is installed, configure finds pcre2-config in /usr/pkg/bin,
even though it is not include via bl3, resulting in a build failure.
There's no reason to avoid moving to pcre2, and it's easier than
making clamav not find it.
- Move PKGREVISION (unchanged) to Makefiles.
- Fix used-by annotation.
- Add PATCHDIR so clamav-doc has consistent distinfo/patches (even
though clamav-doc just copies files that aren't patched).
clamav defines a gets macro, which confuses fortify. Until resolved,
disable fortify so that it builds. (Note that SSP is still enabled;
clamav with SSP and without FORTIFY appears to work.)
on pkgsrc-users.
Changes from 0.99.1 to 0.99.2 are available only with ChangeLog and it
is too many to write here. Please refer ChangeLog file.
0.99.1
------
ClamAV 0.99.1 contains a new feature for parsing Hancom Office files
including extracting and scanning embedded objects. ClamAV 0.99.1
also contains important bug fixes. Please see ChangeLog for details.
