[Pkg-clamav-devel] clamav llvm 3.6 dependency

harald at a-little-linux-box.at harald at a-little-linux-box.at
Tue Mar 29 19:26:04 UTC 2016


On Sun, Mar 27, 2016 at 11:05:53PM +0200, Sebastian Andrzej Siewior wrote:
> On 2016-03-25 10:18:53 [+0100], harald at a-little-linux-box.at wrote:
> > Dear clamav maintainers,
> 
> Hi Harald,

Hi Sebastian

> 
> > I just wanted to ask if it would be possible to adapt clamav to llvm 3.7
> > as 3.6 (at least the Debian package) contains a vulnerability which
> > seems to impair (at least according to the security tracker) the
> > security of clamav. As it is often used in a network context (mail and
> 
> Are you talking about CVE-2015-2305 / Henry Spencer BSD regex
> library?

Yes that is the one I was referring to, sorry I did not mention it
correctly.

> It
> looks hard to trigger (it was the case in clamav usage of the library). It
> would be probably best if you ping the llvm maintainer to get it fixed.

Well, as far as I saw, the case is that llvm 3.6 will eventually not make
it into stable as it is already superseded by newer versions (llvm-3.8
is already in unstable).

> According to the tracker 3.5 for instance has the same problem and this is
> part of stable. So the best thing to do seems to get llvm fixed.

It seems like the "fix" for 3.5 would be the update to 3.5.2 :-(.

> I am not even sure whether clamav compiles against 3.7. But I was not
> aware (until now) that 3.7 is part of testing. It wasn't the last time I
> looked at it.

Hmmm, I understand. Well, then maybe I will try to compile it myself and
see if it works.

> 
> BTW: llvm is only used for the bytecode interpreter which becomes jit. If you
> disable bytecode thingy then it should be not used. The bytecode data comes
> from clamav.

Ok thanks for this workaround.

> 
> > web proxy scanning) this seems to be a not very desirable situation.
> > When answering please keep me cc as I'm not subscribed to your list.
> > 
> > Thanks for your time
> > Kind regards
> > Harald Jenny
> 
> Sebastian

Wish you a good night
Harald Jenny


