[Pkg-clamav-devel] Bug#926170: unblock: libclamunrar/0.101.2-1
Sebastian Andrzej Siewior
sebastian at breakpoint.cc
Mon Apr 1 13:42:06 BST 2019
Package: release.debian.org
User: release.debian.org at packages.debian.org
Usertags: unblock
Severity: normal
Please unblock package libclamunrar.
The new release is part of the new clamav release which fixes two RAR
related CVEs.
unblock libclamunrar/0.101.2-1
Sebastian
-------------- next part --------------
diff -Nru libclamunrar-0.101.1/clamav-config.h.in libclamunrar-0.101.2/clamav-config.h.in
--- libclamunrar-0.101.1/clamav-config.h.in 2019-02-09 23:29:30.000000000 +0100
+++ libclamunrar-0.101.2/clamav-config.h.in 2019-03-30 14:57:29.000000000 +0100
@@ -314,6 +314,9 @@
/* Define to 1 if you have the `strnlen' function. */
#undef HAVE_STRNLEN
+/* Define to 1 if you have the `strnstr' function. */
+#undef HAVE_STRNSTR
+
/* Define to 1 if sysconf(_SC_PAGESIZE) is available */
#undef HAVE_SYSCONF_SC_PAGESIZE
diff -Nru libclamunrar-0.101.1/configure libclamunrar-0.101.2/configure
--- libclamunrar-0.101.1/configure 2019-02-09 23:29:30.000000000 +0100
+++ libclamunrar-0.101.2/configure 2019-03-30 14:57:29.000000000 +0100
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for ClamAV 0.101.1.
+# Generated by GNU Autoconf 2.69 for ClamAV 0.101.2.
#
# Report bugs to <https://bugzilla.clamav.net/>.
#
@@ -590,8 +590,8 @@
# Identity of this package.
PACKAGE_NAME='ClamAV'
PACKAGE_TARNAME='clamav'
-PACKAGE_VERSION='0.101.1'
-PACKAGE_STRING='ClamAV 0.101.1'
+PACKAGE_VERSION='0.101.2'
+PACKAGE_STRING='ClamAV 0.101.2'
PACKAGE_BUGREPORT='https://bugzilla.clamav.net/'
PACKAGE_URL='https://www.clamav.net/'
@@ -753,6 +753,8 @@
CHECK_CPPFLAGS
CHECK_LIBS
CHECK_CFLAGS
+ENABLE_FUZZ_FALSE
+ENABLE_FUZZ_TRUE
BUILD_CONFIGURE_FLAGS
VERSIONSCRIPT_FALSE
VERSIONSCRIPT_TRUE
@@ -908,6 +910,7 @@
enable_libtool_lock
enable_gcc_vcheck
enable_experimental
+enable_fuzz
enable_mempool
enable_check
enable_rpath
@@ -1533,7 +1536,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures ClamAV 0.101.1 to adapt to many kinds of systems.
+\`configure' configures ClamAV 0.101.2 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1605,7 +1608,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of ClamAV 0.101.1:";;
+ short | recursive ) echo "Configuration of ClamAV 0.101.2:";;
esac
cat <<\_ACEOF
@@ -1626,6 +1629,7 @@
--disable-libtool-lock avoid locking (might break parallel builds)
--disable-gcc-vcheck do not check for buggy gcc version
--enable-experimental enable experimental code
+ --enable-fuzz enable building standalone fuzz targets [default=no]
--disable-mempool do not use memory pools
--enable-check enable check unit tests [default=auto]
--disable-rpath do not hardcode runtime library paths
@@ -1819,7 +1823,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-ClamAV configure 0.101.1
+ClamAV configure 0.101.2
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2363,7 +2367,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by ClamAV $as_me 0.101.1, which was
+It was created by ClamAV $as_me 0.101.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -4120,7 +4124,7 @@
# Define the identity of the package.
PACKAGE='clamav'
- VERSION='0.101.1'
+ VERSION='0.101.2'
# Some tools Automake needs.
@@ -5849,10 +5853,10 @@
-VERSION="0.101.1"
+VERSION="0.101.2"
LC_CURRENT=9
-LC_REVISION=1
+LC_REVISION=2
LC_AGE=0
LIBCLAMAV_VERSION="$LC_CURRENT":"$LC_REVISION":"$LC_AGE"
@@ -19150,6 +19154,27 @@
BUILD_CONFIGURE_FLAGS=$build_configure_args
+# Check whether --enable-fuzz was given.
+if test "${enable_fuzz+set}" = set; then :
+ enableval=$enable_fuzz; enable_cov=$enableval
+else
+ enable_cov="no"
+fi
+
+
+if test "x$enable_fuzz" = "xyes"; then
+ CXXFLAGS="-std=c++11 -stdlib=libc++ $CXXFLAGS"
+fi
+
+ if test "x$enable_fuzz" = "xyes"; then
+ ENABLE_FUZZ_TRUE=
+ ENABLE_FUZZ_FALSE='#'
+else
+ ENABLE_FUZZ_TRUE='#'
+ ENABLE_FUZZ_FALSE=
+fi
+
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether uname(2) is POSIX" >&5
$as_echo_n "checking whether uname(2) is POSIX... " >&6; }
@@ -19357,6 +19382,17 @@
fi
done
+for ac_func in strnstr
+do :
+ ac_fn_c_check_func "$LINENO" "strnstr" "ac_cv_func_strnstr"
+if test "x$ac_cv_func_strnstr" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_STRNSTR 1
+_ACEOF
+
+fi
+done
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for _LARGEFILE_SOURCE value needed for large files" >&5
$as_echo_n "checking for _LARGEFILE_SOURCE value needed for large files... " >&6; }
if ${ac_cv_sys_largefile_source+:} false; then :
@@ -28120,6 +28156,10 @@
as_fn_error $? "conditional \"VERSIONSCRIPT\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
fi
+if test -z "${ENABLE_FUZZ_TRUE}" && test -z "${ENABLE_FUZZ_FALSE}"; then
+ as_fn_error $? "conditional \"ENABLE_FUZZ\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
if test -z "${HAVE_LIBCHECK_TRUE}" && test -z "${HAVE_LIBCHECK_FALSE}"; then
as_fn_error $? "conditional \"HAVE_LIBCHECK\" was never defined.
Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -28577,7 +28617,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by ClamAV $as_me 0.101.1, which was
+This file was extended by ClamAV $as_me 0.101.2, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -28644,7 +28684,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-ClamAV config.status 0.101.1
+ClamAV config.status 0.101.2
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff -Nru libclamunrar-0.101.1/configure.ac libclamunrar-0.101.2/configure.ac
--- libclamunrar-0.101.1/configure.ac 2019-02-09 23:29:26.000000000 +0100
+++ libclamunrar-0.101.2/configure.ac 2019-03-30 14:57:25.000000000 +0100
@@ -1,4 +1,6 @@
-dnl Copyright (C) 2002 - 2006 Tomasz Kojm <tkojm at clamav.net>
+dnl Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+dnl Copyright (C) 2007-2013 Sourcefire, Inc.
+dnl Copyright (C) 2002-2007 Tomasz Kojm <tkojm at clamav.net>
dnl readdir_r checks (c) COPYRIGHT MIT 1995
dnl socklen_t check (c) Alexander V. Lukyanov <lav at yars.free.net>
dnl
@@ -20,7 +22,7 @@
AC_PREREQ([2.59])
dnl For a release change [devel] to the real version [0.xy]
dnl also change VERSION below
-AC_INIT([ClamAV], [0.101.1], [https://bugzilla.clamav.net/], [clamav], [https://www.clamav.net/])
+AC_INIT([ClamAV], [0.101.2], [https://bugzilla.clamav.net/], [clamav], [https://www.clamav.net/])
dnl enable C++
AC_PROG_CXX()
@@ -73,6 +75,7 @@
build_configure_args=`echo "$ac_configure_args" | sed -e 's/[\"]//g'`
AC_SUBST([BUILD_CONFIGURE_FLAGS], [$build_configure_args])
+m4_include([m4/reorganization/code_checks/fuzz.m4])
m4_include([m4/reorganization/code_checks/functions.m4])
m4_include([m4/reorganization/code_checks/mpool.m4])
m4_include([m4/reorganization/code_checks/unit_tests.m4])
diff -Nru libclamunrar-0.101.1/debian/changelog libclamunrar-0.101.2/debian/changelog
--- libclamunrar-0.101.1/debian/changelog 2019-02-28 23:57:23.000000000 +0100
+++ libclamunrar-0.101.2/debian/changelog 2019-03-30 16:37:10.000000000 +0100
@@ -1,3 +1,13 @@
+libclamunrar (0.101.2-1) unstable; urgency=high
+
+ * Import 0.101.2
+ - CVE-2019-1785 (A path-traversal write condition may occur as a result of
+ improper input validation when scanning RAR archives)
+ - CVE-2019-1798 (A use-after-free condition may occur as a result of
+ improper error handling when scanning nested RAR archives)
+
+ -- Sebastian Andrzej Siewior <sebastian at breakpoint.cc> Sat, 30 Mar 2019 16:37:10 +0100
+
libclamunrar (0.101.1-2) unstable; urgency=medium
* Upload to unstable.
diff -Nru libclamunrar-0.101.1/debian/.git-dpm libclamunrar-0.101.2/debian/.git-dpm
--- libclamunrar-0.101.1/debian/.git-dpm 2019-02-28 23:57:04.000000000 +0100
+++ libclamunrar-0.101.2/debian/.git-dpm 2019-03-30 16:37:10.000000000 +0100
@@ -1,8 +1,8 @@
# see git-dpm(1) from git-dpm package
-b6445e154030cecddc72fe76d3d2e18869b15118
-b6445e154030cecddc72fe76d3d2e18869b15118
-b6445e154030cecddc72fe76d3d2e18869b15118
-b6445e154030cecddc72fe76d3d2e18869b15118
-libclamunrar_0.101.1.orig.tar.xz
-446b41431eccef23f9d0ec5133eb964bc4a1776f
-491568
+a1d0c295832affbb17bd4c16432800ec3aade630
+a1d0c295832affbb17bd4c16432800ec3aade630
+a1d0c295832affbb17bd4c16432800ec3aade630
+a1d0c295832affbb17bd4c16432800ec3aade630
+libclamunrar_0.101.2.orig.tar.xz
+6f660fc27166a75b0e336b82769b242bf0471374
+487968
diff -Nru libclamunrar-0.101.1/libclamunrar_iface/Makefile.am libclamunrar-0.101.2/libclamunrar_iface/Makefile.am
--- libclamunrar-0.101.1/libclamunrar_iface/Makefile.am 2019-02-09 23:29:26.000000000 +0100
+++ libclamunrar-0.101.2/libclamunrar_iface/Makefile.am 2019-03-30 14:57:25.000000000 +0100
@@ -1,6 +1,7 @@
#
-# Copyright (C) 2002 - 2007 Tomasz Kojm <tkojm at clamav.net>
-# Copyright (C) 2008 - 2013 Sourcefire, Inc.
+# Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+# Copyright (C) 2007-2013 Sourcefire, Inc.
+# Copyright (C) 2002-2007 Tomasz Kojm <tkojm at clamav.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
diff -Nru libclamunrar-0.101.1/libclamunrar_iface/Makefile.in libclamunrar-0.101.2/libclamunrar_iface/Makefile.in
--- libclamunrar-0.101.1/libclamunrar_iface/Makefile.in 2019-02-09 23:29:31.000000000 +0100
+++ libclamunrar-0.101.2/libclamunrar_iface/Makefile.in 2019-03-30 14:57:30.000000000 +0100
@@ -15,8 +15,9 @@
@SET_MAKE@
#
-# Copyright (C) 2002 - 2007 Tomasz Kojm <tkojm at clamav.net>
-# Copyright (C) 2008 - 2013 Sourcefire, Inc.
+# Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+# Copyright (C) 2007-2013 Sourcefire, Inc.
+# Copyright (C) 2002-2007 Tomasz Kojm <tkojm at clamav.net>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
@@ -132,6 +133,7 @@
$(top_srcdir)/m4/reorganization/c_options.m4 \
$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+ $(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \
diff -Nru libclamunrar-0.101.1/libclamunrar_iface/unrar_iface.cpp libclamunrar-0.101.2/libclamunrar_iface/unrar_iface.cpp
--- libclamunrar-0.101.1/libclamunrar_iface/unrar_iface.cpp 2019-02-09 23:29:22.000000000 +0100
+++ libclamunrar-0.101.2/libclamunrar_iface/unrar_iface.cpp 2019-03-30 14:57:20.000000000 +0100
@@ -1,7 +1,9 @@
/*
* Interface to libclamunrar
- * Copyright (C) 2015-2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+ *
+ * Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
* Copyright (C) 2007-2013 Sourcefire, Inc.
+ *
* Authors: Trog, Torok Edvin, Tomasz Kojm, Micah Snyder
*
* Redistribution and use in source and binary forms, with or without
@@ -89,7 +91,7 @@
/**
* @brief Translate an ERAR_<code> to the appropriate UNRAR_<code>
- *
+ *
* @param errorCode ERAR_<code>
* @return cl_unrar_error_t UNRAR_OK, UNRAR_ENCRYPTED, or UNRAR_ERR.
*/
@@ -133,6 +135,7 @@
}
case ERAR_EOPEN: {
unrar_dbgmsg("unrar_retcode: Volume open error.\n");
+ status = UNRAR_EOPEN;
break;
}
case ERAR_ECREATE: {
@@ -289,7 +292,7 @@
/**
* @brief Get file metadata from the next file header.
- *
+ *
* @param hArchive Handle to the archive we're extracting.
* @param[in/out] file_metadata Pointer to a pre-allocated metadata structure.
* @return cl_unrar_error_t UNRAR_OK if metadata retrieved, UNRAR_BREAK if no more files, UNRAR_ENCRYPTED if header was encrypted, else maybe UNRAR_EMEM or UNRAR_ERR.
@@ -317,7 +320,7 @@
*/
headerData.CmtBuf = NULL;
headerData.CmtBufSize = 0;
-
+
headerData.RedirNameSize = 1024 * sizeof(wchar_t);
headerData.RedirName = (wchar_t*)&RedirName;
memset(headerData.RedirName, 0, headerData.RedirNameSize);
diff -Nru libclamunrar-0.101.1/libclamunrar_iface/unrar_iface.h libclamunrar-0.101.2/libclamunrar_iface/unrar_iface.h
--- libclamunrar-0.101.1/libclamunrar_iface/unrar_iface.h 2019-02-09 23:29:22.000000000 +0100
+++ libclamunrar-0.101.2/libclamunrar_iface/unrar_iface.h 2019-03-30 14:57:20.000000000 +0100
@@ -1,7 +1,9 @@
/*
* Interface to libclamunrar
- * Copyright (C) 2015-2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+ *
+ * Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
* Copyright (C) 2007-2013 Sourcefire, Inc.
+ *
* Authors: Trog, Torok Edvin, Tomasz Kojm, Micah Snyder
*
* Redistribution and use in source and binary forms, with or without
@@ -48,7 +50,8 @@
UNRAR_BREAK,
UNRAR_ENCRYPTED,
UNRAR_EMEM,
- UNRAR_ERR
+ UNRAR_ERR,
+ UNRAR_EOPEN
} cl_unrar_error_t;
typedef struct unrar_metadata_tag
diff -Nru libclamunrar-0.101.1/m4/reorganization/code_checks/functions.m4 libclamunrar-0.101.2/m4/reorganization/code_checks/functions.m4
--- libclamunrar-0.101.1/m4/reorganization/code_checks/functions.m4 2019-02-09 23:29:22.000000000 +0100
+++ libclamunrar-0.101.2/m4/reorganization/code_checks/functions.m4 2019-03-30 14:57:20.000000000 +0100
@@ -5,6 +5,7 @@
AC_CHECK_FUNCS_ONCE([poll setsid memcpy snprintf vsnprintf strerror_r strlcpy strlcat strcasestr inet_ntop setgroups initgroups ctime_r mkstemp mallinfo madvise getnameinfo])
AC_CHECK_FUNCS([strndup])
AC_CHECK_FUNCS([strnlen])
+AC_CHECK_FUNCS([strnstr])
AC_FUNC_FSEEKO
dnl Check if anon maps are available, check if we can determine the page size
diff -Nru libclamunrar-0.101.1/m4/reorganization/code_checks/fuzz.m4 libclamunrar-0.101.2/m4/reorganization/code_checks/fuzz.m4
--- libclamunrar-0.101.1/m4/reorganization/code_checks/fuzz.m4 1970-01-01 01:00:00.000000000 +0100
+++ libclamunrar-0.101.2/m4/reorganization/code_checks/fuzz.m4 2019-03-30 14:57:20.000000000 +0100
@@ -0,0 +1,11 @@
+AC_ARG_ENABLE(fuzz,
+ AC_HELP_STRING([--enable-fuzz],
+ [enable building standalone fuzz targets
+ @<:@default=no@:>@]),
+[enable_cov=$enableval],[enable_cov="no"])
+
+if test "x$enable_fuzz" = "xyes"; then
+ CXXFLAGS="-std=c++11 -stdlib=libc++ $CXXFLAGS"
+fi
+
+AM_CONDITIONAL(ENABLE_FUZZ, test "x$enable_fuzz" = "xyes")
diff -Nru libclamunrar-0.101.1/m4/reorganization/version.m4 libclamunrar-0.101.2/m4/reorganization/version.m4
--- libclamunrar-0.101.1/m4/reorganization/version.m4 2019-02-09 23:29:22.000000000 +0100
+++ libclamunrar-0.101.2/m4/reorganization/version.m4 2019-03-30 14:57:20.000000000 +0100
@@ -1,9 +1,9 @@
dnl change this on a release
dnl VERSION="devel-`date +%Y%m%d`"
-VERSION="0.101.1"
+VERSION="0.101.2"
LC_CURRENT=9
-LC_REVISION=1
+LC_REVISION=2
LC_AGE=0
LIBCLAMAV_VERSION="$LC_CURRENT":"$LC_REVISION":"$LC_AGE"
AC_SUBST([LIBCLAMAV_VERSION])
diff -Nru libclamunrar-0.101.1/Makefile.in libclamunrar-0.101.2/Makefile.in
--- libclamunrar-0.101.1/Makefile.in 2019-02-09 23:29:31.000000000 +0100
+++ libclamunrar-0.101.2/Makefile.in 2019-03-30 14:57:30.000000000 +0100
@@ -104,6 +104,7 @@
$(top_srcdir)/m4/reorganization/c_options.m4 \
$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+ $(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \
More information about the Pkg-clamav-devel
mailing list