Release notes:
https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
- Fixes for the following vulnerabilities affecting 0.101.1 and prior:
- CVE-2019-1787:
An out-of-bounds heap read condition may occur when scanning PDF
documents. The defect is a failure to correctly keep track of the number
of bytes remaining in a buffer when indexing file data.
- CVE-2019-1789:
An out-of-bounds heap read condition may occur when scanning PE files
(i.e. Windows EXE and DLL files) that have been packed using Aspack as a
result of inadequate bound-checking.
- CVE-2019-1788:
An out-of-bounds heap write condition may occur when scanning OLE2 files
such as Microsoft Office 97-2003 documents. The invalid write happens when
an invalid pointer is mistakenly used to initialize a 32bit integer to
zero. This is likely to crash the application.
- Fixes for the following vulnerabilities affecting 0.101.1 and 0.101.0 only:
- CVE-2019-1786:
An out-of-bounds heap read condition may occur when scanning malformed PDF
documents as a result of improper bounds-checking.
- CVE-2019-1785:
A path-traversal write condition may occur as a result of improper input
validation when scanning RAR archives. Issue reported by aCaB.
- CVE-2019-1798:
A use-after-free condition may occur as a result of improper error
handling when scanning nested RAR archives. Issue reported by David L.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 4037c0a397)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Changed upstream URL to project site clamav.net, the tarball for the
new version is not available on sourceforge.net anymore.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
- removed autoreconf and two patches applied upstream
b20eeffadb785e4a90e0
- removed clamuko configure option
- disabled fanotify support because UCLIBC_HAS_FTS is disabled
https://github.com/vrtadmin/clamav-devel/blob/master/README
"Support for on-access scanning using Clamuko/Dazuko has been replaced
with fanotify."
- added host-pkgconf dependency, used by configure
- added optional dependency to pcre
- added sha256 hash
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Clamav uses AC_TRY_RUN in m4/reorganization/code_checks/ipv6.m4 to check
for ipv6 support, which is not cross-compile safe. Since buildroot
supports ipv6 out-of-the-box now this patch forces ipv6 support.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes:
CVE-2013-6497 - the jwplayer.js file causes ClamAV to seg fault when
scanned with the -a (list archived files).
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
