pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/security/clamav



Module Name:    pkgsrc
Committed By:   taca
Date:           Sat Jul  4 04:00:48 UTC 2026

Modified Files:
        pkgsrc/security/clamav: Makefile Makefile.common cargo-depends.mk
            distinfo

Log Message:
lang/clamav: update to 1.4.5

ClamAV 1.4.5 (2026-07-01)

ClamAV 1.4.5 is a patch release with the following fixes:

* CVE-2026-20217: Fixed a bug in the PESpin unpacker cleanup path that could
  free pointers into the scanned file buffer and crash the scanner.
  <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20217>

  This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back
  as 2005. The fix is included in 1.5.3 and 1.4.5.

  Thank you to Atuin - Automated Vulnerability Discovery Engine, Tianchu
  Chen of Tencent Xuanwu Lab for identifying this issue.

* CVE-2026-20213: Fixed an integer overflow in PE rebuild size calculations
  that could be reached through a malformed Aspack-packed PE file and lead
  to a heap buffer overflow write.
  <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20213>

  This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back
  as 2007. The fix is included in 1.5.3 and 1.4.5.

  Thank you to Trail of Bits, in collaboration with Anthropic, for
  identifying this issue.

* CVE-2026-20216: Fixed an InstallShield archive extraction limit bypass
  that could write far more temporary data than intended and exhaust
  temporary storage.
  <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20216>

  This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back
  as 2009. The fix is included in 1.5.3 and 1.4.5.

  Thank you to Mizu for identifying this issue.

* CVE-2026-20214: Fixed an FSG unpacker loop underflow that could write past
  the section array while scanning a malformed PE file.
  <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20214>

  This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back
  as 2004. The fix is included in 1.5.3 and 1.4.5.

  Thank you to Trail of Bits, in collaboration with Anthropic, for
  identifying this issue.

* CVE-2026-20243: Fixed ALZ parser size handling bugs that could cause
  malformed ALZ archives to panic, abort the scanner, or skip expected
  scan-limit handling.
  <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20243>

  This issue affects ClamAV 1.5.0 through 1.5.2 and 1.4.0 through 1.4.4. The
  fix is included in 1.5.3 and 1.4.5.

  Thank you to Yazdan Soltani for identifying this issue.

* CVE-2026-20215: Fixed a 7z parser substream count overflow that could
  under-allocate parser metadata arrays and write past them while reading a
  malformed archive.
  <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20215>

  This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions back to
  2009. The fix is included in 1.5.3 and 1.4.5.

  Thank you to Trail of Bits, in collaboration with Anthropic, for
  identifying this issue.

* CVE-2026-20244: Fixed 32-bit DMG parser size checks that could let a short
  mish stripe table pass validation and crash 32-bit scanner builds.
  <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20244>

  This issue affects 32-bit ClamAV builds from 0.98.1 through 1.5.2,
  including 1.4.0 through 1.4.4 and 1.5.0 through 1.5.2.  It does not affect
  64-bit builds.  The fix is included in 1.5.3 and 1.4.5.

  Thank you to Stanley John Tobias for identifying this issue.

* Hardened clamscan, clamdscan, and clamonacc quarantine actions against
  time-of-check/time-of-use races that could redirect copied, moved, or
  removed files under unsafe quarantine directory configurations.

  Thank you to Hiroki Imai from Ricerca Security, Inc. for identifying this
  issue.

* Raised the minimum required CMake version to 3.17 to fix Linux builds with
  libcurl v8.21.0 when linking static library dependencies.

* ClamOnAcc: Fixed errors when recursively excluded paths are children of an
  included path.

  This fix is courtesy of sharkautarch.


To generate a diff of this commit:
cvs rdiff -u -r1.107 -r1.108 pkgsrc/security/clamav/Makefile
cvs rdiff -u -r1.30 -r1.31 pkgsrc/security/clamav/Makefile.common
cvs rdiff -u -r1.2 -r1.3 pkgsrc/security/clamav/cargo-depends.mk
cvs rdiff -u -r1.48 -r1.49 pkgsrc/security/clamav/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/clamav/Makefile
diff -u pkgsrc/security/clamav/Makefile:1.107 pkgsrc/security/clamav/Makefile:1.108
--- pkgsrc/security/clamav/Makefile:1.107       Thu May 14 16:41:59 2026
+++ pkgsrc/security/clamav/Makefile     Sat Jul  4 04:00:48 2026
@@ -1,6 +1,5 @@
-# $NetBSD: Makefile,v 1.107 2026/05/14 16:41:59 ryoon Exp $
+# $NetBSD: Makefile,v 1.108 2026/07/04 04:00:48 taca Exp $
 
-PKGREVISION= 1
 .include "cargo-depends.mk"
 .include "Makefile.common"
 

Index: pkgsrc/security/clamav/Makefile.common
diff -u pkgsrc/security/clamav/Makefile.common:1.30 pkgsrc/security/clamav/Makefile.common:1.31
--- pkgsrc/security/clamav/Makefile.common:1.30 Thu Mar  5 06:55:33 2026
+++ pkgsrc/security/clamav/Makefile.common      Sat Jul  4 04:00:48 2026
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile.common,v 1.30 2026/03/05 06:55:33 taca Exp $
+# $NetBSD: Makefile.common,v 1.31 2026/07/04 04:00:48 taca Exp $
 #
 # used by security/clamav/Makefile
 # used by security/clamav-doc/Makefile
 
-DISTNAME=      clamav-1.4.4
+DISTNAME=      clamav-1.4.5
 CATEGORIES=    security
 MASTER_SITES=  https://www.clamav.net/downloads/production/
 

Index: pkgsrc/security/clamav/cargo-depends.mk
diff -u pkgsrc/security/clamav/cargo-depends.mk:1.2 pkgsrc/security/clamav/cargo-depends.mk:1.3
--- pkgsrc/security/clamav/cargo-depends.mk:1.2 Thu Mar  5 06:55:33 2026
+++ pkgsrc/security/clamav/cargo-depends.mk     Sat Jul  4 04:00:48 2026
@@ -1,7 +1,6 @@
-# $NetBSD: cargo-depends.mk,v 1.2 2026/03/05 06:55:33 taca Exp $
+# $NetBSD: cargo-depends.mk,v 1.3 2026/07/04 04:00:48 taca Exp $
 
 CARGO_CRATE_DEPENDS+=  adler2-2.0.1
-CARGO_CRATE_DEPENDS+=  adler32-1.2.0
 CARGO_CRATE_DEPENDS+=  aho-corasick-1.1.3
 CARGO_CRATE_DEPENDS+=  aligned-0.4.3
 CARGO_CRATE_DEPENDS+=  aligned-vec-0.6.4
@@ -76,7 +75,6 @@ CARGO_CRATE_DEPENDS+= image-0.25.9
 CARGO_CRATE_DEPENDS+=  image-webp-0.2.4
 CARGO_CRATE_DEPENDS+=  imgref-1.12.0
 CARGO_CRATE_DEPENDS+=  indexmap-1.9.3
-CARGO_CRATE_DEPENDS+=  inflate-0.4.5
 CARGO_CRATE_DEPENDS+=  interpolate_name-0.2.4
 CARGO_CRATE_DEPENDS+=  itertools-0.10.5
 CARGO_CRATE_DEPENDS+=  itertools-0.14.0

Index: pkgsrc/security/clamav/distinfo
diff -u pkgsrc/security/clamav/distinfo:1.48 pkgsrc/security/clamav/distinfo:1.49
--- pkgsrc/security/clamav/distinfo:1.48        Thu Mar  5 06:55:33 2026
+++ pkgsrc/security/clamav/distinfo     Sat Jul  4 04:00:48 2026
@@ -1,11 +1,8 @@
-$NetBSD: distinfo,v 1.48 2026/03/05 06:55:33 taca Exp $
+$NetBSD: distinfo,v 1.49 2026/07/04 04:00:48 taca Exp $
 
 BLAKE2s (adler2-2.0.1.crate) = 4d391e0fcde91c7435ee9a5503fee4a5346f549f1b45e482ce3e1e151d90f8f5
 SHA512 (adler2-2.0.1.crate) = 555b2b7ba6f8116acccd0bcd16ed34cc78162c81023cff31a8566ffcd456c03832089fca2d5b668ceaac4fe8f922d31aa9c487f226a36cace294ff4a219bd91d
 Size (adler2-2.0.1.crate) = 13366 bytes
-BLAKE2s (adler32-1.2.0.crate) = 8bc63ca383f40390bb522c750ef33e14b5e49bc48eb0ec33a140f615c598a6df
-SHA512 (adler32-1.2.0.crate) = 8ed72612fb78e213fc92963fdae0508ef26988656c939e6c9cddccbe2658d4a956a8ae934d9658262a8b2687dc446b3f1ee7614128b440487c81e606526dfda3
-Size (adler32-1.2.0.crate) = 6411 bytes
 BLAKE2s (aho-corasick-1.1.3.crate) = 36150b5dacb72fa7cd0d33aee15e14857914224878f0af76eabcb9daa68e3ae0
 SHA512 (aho-corasick-1.1.3.crate) = ba422a54688c4678fcf16e34fdf3ed06c333e6e3fc8b75af9272a215add494d43ebaef319021134b61327fd5d3572aec0dc655b714ffb3bc71ba3c265c9ebb69
 Size (aho-corasick-1.1.3.crate) = 183311 bytes
@@ -105,9 +102,9 @@ Size (cfg-if-1.0.0.crate) = 7934 bytes
 BLAKE2s (chrono-0.4.38.crate) = cd804c8f2c3ec8027f1a28fc2406b92e8cb27989956cf7e27fb98f6e338704cf
 SHA512 (chrono-0.4.38.crate) = 858e47e3facebd5383e71898f26b27d92fe4a69027e2cc47da2af59975ead7767355e0b699f4228eabe76a3eff8b2519c7cecf8b60dc3fc60fbf9b28e2f3d4d9
 Size (chrono-0.4.38.crate) = 220559 bytes
-BLAKE2s (clamav-1.4.4.tar.gz) = 242bf312218dedde01e1ee25ce814ea6afec262e255677bbcf1895d32a0788ab
-SHA512 (clamav-1.4.4.tar.gz) = a9372196076345dfafdef448fd94b19787c4aa7019cc9c0609b03cdaaa887b4a6941554305293d2c53000beb27ed2877207e531875830eebca399882da57e2ba
-Size (clamav-1.4.4.tar.gz) = 45268142 bytes
+BLAKE2s (clamav-1.4.5.tar.gz) = e1fda10df1b5546d7d4c7e581dc5cf8a5fc4cc46c22411611b683687ce25e885
+SHA512 (clamav-1.4.5.tar.gz) = 1b20b51c532892287dcefc7bdd4a154b33147bee3e39650993b6bbe93995ec3f3491c32d247b507cc2e5de42e7da98fc4060c3606e364c91bdd3425637b50d7c
+Size (clamav-1.4.5.tar.gz) = 46095554 bytes
 BLAKE2s (clang-sys-1.7.0.crate) = e2d4f063bac7ae563cef9363b02884fc718864129c02ae62606757b232db9c22
 SHA512 (clang-sys-1.7.0.crate) = e544984d5bd76824ea2093f43f98b59a99e1ca8a5de40e49164b870ed4a91a530f3492faf0678190b91e74aa5d122bdbb32c649998d0ce24912dfb0b83ed6b81
 Size (clang-sys-1.7.0.crate) = 42088 bytes
@@ -231,9 +228,6 @@ Size (imgref-1.12.0.crate) = 66324 bytes
 BLAKE2s (indexmap-1.9.3.crate) = fe9c741c1c6d6e741ce68d48bb49010f6c2c07169f76e07820305cf960ef2c72
 SHA512 (indexmap-1.9.3.crate) = 2aa8069eb07a814c8fa3e11296c9f032ef60963520d7786ad20cca5cb7e73b8f76d97722a994d65295bb713020aadce5008cd3df5e99d8bd968ef1979f910a37
 Size (indexmap-1.9.3.crate) = 54653 bytes
-BLAKE2s (inflate-0.4.5.crate) = 5ab133b3d231d9a863b8501bc9b1ba9e36bb556d6d9841786303a9506ab2c7e2
-SHA512 (inflate-0.4.5.crate) = 1392402f72a8463dc5cdaf815d8933e8dfcc914fb3a91e69c38e54deb7d55b5211e157b640b7cfa999400fb4d2e233a4a1a678147594dfa0be300894126d17f2
-Size (inflate-0.4.5.crate) = 17715 bytes
 BLAKE2s (interpolate_name-0.2.4.crate) = 9fa9308fac01d346ad60826823aeb5b9524603f54fb65759bc4aa0c2bd09371d
 SHA512 (interpolate_name-0.2.4.crate) = 87d2b732a9104d1a094a15ba6fa642641690aec10bec065d02aff5830f54a0fed02ff5de4bd5c237a91d34cd81da0ef11cc37ded3d4ac640de9dcb96fb73fe11
 Size (interpolate_name-0.2.4.crate) = 4027 bytes



Home | Main Index | Thread Index | Old Index