PR/54420 CVS commit: [pkgsrc-2019Q2] pkgsrc/security/clamav

["Benny Siegert" <bsiegert%netbsd.org@localhost>]

The following reply was made to PR pkg/54420; it has been noted by GNATS.

From: "Benny Siegert" <bsiegert%netbsd.org@localhost>
To: gnats-bugs%gnats.NetBSD.org@localhost
Cc: 
Subject: PR/54420 CVS commit: [pkgsrc-2019Q2] pkgsrc/security/clamav
Date: Thu, 5 Sep 2019 09:26:26 +0000

 Module Name:	pkgsrc
 Committed By:	bsiegert
 Date:		Thu Sep  5 09:26:25 UTC 2019
 
 Modified Files:
 	pkgsrc/security/clamav [pkgsrc-2019Q2]: Makefile Makefile.common PLIST
 	    buildlink3.mk distinfo options.mk
 	pkgsrc/security/clamav/patches [pkgsrc-2019Q2]: patch-Makefile.in
 	    patch-ab
 
 Log Message:
 Pullup ticket #6036 - requested by taca
 security/clamav: security fix
 
 Revisions pulled up:
 - security/clamav/Makefile                                      1.51
 - security/clamav/Makefile.common                               1.11
 - security/clamav/PLIST                                         1.7
 - security/clamav/buildlink3.mk                                 1.8
 - security/clamav/distinfo                                      1.28
 - security/clamav/options.mk                                    1.6
 - security/clamav/patches/patch-Makefile.in                     1.5
 - security/clamav/patches/patch-ab                              1.2
 
 ---
    Module Name:	pkgsrc
    Committed By:	wiz
    Date:		Sat Jul 20 22:46:59 UTC 2019
 
    Modified Files:
 
    	pkgsrc/security/clamav: Makefile
 
    Log Message:
    *: recursive bump for nettle 3.5.1
 
 ---
    Module Name:	pkgsrc
    Committed By:	prlw1
    Date:		Mon Aug  5 14:44:20 UTC 2019
 
    Modified Files:
    	pkgsrc/security/clamav: Makefile Makefile.common PLIST buildlink3.mk
    	    distinfo options.mk
    	pkgsrc/security/clamav/patches: patch-Makefile.in patch-ab
 
    Log Message:
    Update clamav to 0.101.2
 
    Remove rar support to workaround PR pkg/54420
 
      This release includes 3 extra security related bug fixes that do not
       apply to prior versions. In addition, it includes a number of minor bug
       fixes and improvements.
         * Fixes for the following vulnerabilities affecting 0.101.1 and
           prior:
              + CVE-2019-1787: An out-of-bounds heap read condition may occur
                when scanning PDF documents. The defect is a failure to
                correctly keep track of the number of bytes remaining in a
                buffer when indexing file data.
              + CVE-2019-1789: An out-of-bounds heap read condition may occur
                when scanning PE files (i.e. Windows EXE and DLL files) that
                have been packed using Aspack as a result of inadequate
                bound-checking.
              + CVE-2019-1788: An out-of-bounds heap write condition may occur
                when scanning OLE2 files such as Microsoft Office 97-2003
                documents. The invalid write happens when an invalid pointer
                is mistakenly used to initialize a 32bit integer to zero. This
                is likely to crash the application.
         * Fixes for the following ClamAV vulnerabilities:
              + CVE-2018-15378: Vulnerability in ClamAV's MEW unpacking
                feature that could allow an unauthenticated, remote attacker
                to cause a denial of service (DoS) condition on an affected
                device. Reported by Secunia Research at Flexera.
              + Fix for a 2-byte buffer over-read bug in ClamAV's PDF parsing
                code. Reported by Alex Gaynor.
         * Fixes for the following vulnerabilities in bundled third-party
           libraries:
              + CVE-2018-14680: An issue was discovered in mspack/chmd.c in
                libmspack before 0.7alpha. It does not reject blank CHM
                filenames.
              + CVE-2018-14681: An issue was discovered in kwajd_read_headers
                in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file
                header extensions could cause a one or two byte overwrite.
              + CVE-2018-14682: An issue was discovered in mspack/chmd.c in
                libmspack before 0.7alpha. There is an off-by-one error in the
                TOLOWER() macro for CHM decompression.
              + Additionally, 0.100.2 reverted 0.100.1's patch for
                CVE-2018-14679, and applied libmspack's version of the fix in
                its place.
         * Fixes for the following CVE's:
              + CVE-2017-16932: Vulnerability in libxml2 dependency (affects
                ClamAV on Windows only).
              + CVE-2018-0360: HWP integer overflow, infinite loop
                vulnerability. Reported by Secunia Research at Flexera.
              + CVE-2018-0361: ClamAV PDF object length check, unreasonably
                long time to parse relatively small file. Reported by aCaB.
 
    For the full release notes, see:
    https://github.com/Cisco-Talos/clamav-devel/blob/clamav-0.101.2/NEWS.md
 
 
 To generate a diff of this commit:
 cvs rdiff -u -r1.48 -r1.48.2.1 pkgsrc/security/clamav/Makefile
 cvs rdiff -u -r1.10 -r1.10.12.1 pkgsrc/security/clamav/Makefile.common
 cvs rdiff -u -r1.6 -r1.6.44.1 pkgsrc/security/clamav/PLIST
 cvs rdiff -u -r1.7 -r1.7.18.1 pkgsrc/security/clamav/buildlink3.mk
 cvs rdiff -u -r1.27 -r1.27.2.1 pkgsrc/security/clamav/distinfo
 cvs rdiff -u -r1.5 -r1.5.30.1 pkgsrc/security/clamav/options.mk
 cvs rdiff -u -r1.4 -r1.4.28.1 \
     pkgsrc/security/clamav/patches/patch-Makefile.in
 cvs rdiff -u -r1.1.1.1 -r1.1.1.1.72.1 pkgsrc/security/clamav/patches/patch-ab
 
 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.