[Pkg-clamav-devel] clamav llvm 3.6 dependency

harald at a-little-linux-box.at
Sat Apr 16 18:28:47 UTC 2016


On Sun, Mar 27, 2016 at 11:05:53PM +0200, Sebastian Andrzej Siewior wrote:
> On 2016-03-25 10:18:53 [+0100], harald at a-little-linux-box.at wrote:
> > Dear clamav maintainers,
> 
> Hi Harald,

Hello Sebastian

> 
> > I just wanted to ask if it would be possible to adapt clamav to llvm 3.7
> > as 3.6 (at least the Debian package) contains a vulnerability which
> > seems to impair (at least according to the security tracker) the
> > security of clamav. As it is often used in a network context (mail and
> 
> Are you talking about CVE-2015-2305 / Henry Spencer BSD regex library? It
> looks hard to trigger (it was the case in clamav usage of the library). It
> would be probably best if you ping the llvm maintainer to get it fixed.
> According to the tracker 3.5 for instance has the same problem and this is
> part of stable. So the best thing to do seems to get llvm fixed.
> I am not even sure whether clamav compiles against 3.7. But I was not
> aware (until now) that 3.7 is part of testing. It wasn't the last time I
> looked at it.

Did some testing to compile clamav with llvm 3.7 but there are going to
be many code changes which need intimate knowledge of llvm I guess. Hope
that the llvm package from experimental which pulls in llvm 3.7 as
default llvm version won't reach unstable soon ;-).

> 
> BTW: llvm is only used for the bytecode interpreter which becomes jit. If you
> disable bytecode thingy then it should be not used. The bytecode data comes
> from clamav.
> 
> > web proxy scanning) this seems to be a not very desirable situation.
> > When answering please keep me cc as I'm not subscribed to your list.
> > 
> > Thanks for your time
> > Kind regards
> > Harald Jenny
> 
> Sebastian

Wish you a nice weekend
Harald
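
Added example, not part of the thread or of ClamAV's own code: a shell check of the point quoted above that LLVM is only reached through bytecode, classifying a clamd.conf by its `Bytecode` and `BytecodeMode` settings. It assumes the clamd.conf defaults `Bytecode yes` and `BytecodeMode Auto`; the function names and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Classify a clamd.conf by whether the LLVM JIT code path can be reached.
# Assumed defaults when an option is absent: Bytecode yes, BytecodeMode Auto.

# conf_value FILE KEY DEFAULT
# Prints the value of the last uncommented "KEY value" line, else DEFAULT.
# (Taking the last occurrence is a simplification made for this example.)
conf_value() {
    v=$(awk -v k="$2" '
        /^[ \t]*#/ { next }              # skip comment lines
        $1 == k && NF >= 2 { val = $2 }  # remember the option value
        END { print val }' "$1")
    printf '%s\n' "${v:-$3}"
}

# bytecode_exposure FILE prints one of:
#   disabled      bytecode is not loaded, so LLVM is not exercised
#   interpreter   bytecode runs in the built-in interpreter, no JIT
#   jit-possible  bytecode may be JIT-compiled, if clamd was built with LLVM
bytecode_exposure() {
    enabled=$(conf_value "$1" Bytecode yes | tr 'A-Z' 'a-z')
    mode=$(conf_value "$1" BytecodeMode Auto)
    case "$enabled" in
        no|false|0) echo disabled; return ;;
    esac
    case "$mode" in
        ForceInterpreter) echo interpreter ;;
        *) echo jit-possible ;;   # unknown values are treated as exposed
    esac
}

# Constructed sample configurations (not taken from the thread).
demo_dir=$(mktemp -d)
printf 'LogFile /var/log/clamav/clamd.log\n' > "$demo_dir/default.conf"
printf '# Bytecode yes\nBytecode no\n' > "$demo_dir/off.conf"
printf 'Bytecode yes\nBytecodeMode ForceInterpreter\n' > "$demo_dir/interp.conf"

for f in default off interp; do
    printf '%s: %s\n' "$f" "$(bytecode_exposure "$demo_dir/$f.conf")"
done
```
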


