pkgsrc-Changes archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: pkgsrc/security/clamav
Module Name: pkgsrc
Committed By: taca
Date: Sat Jul 4 04:00:48 UTC 2026
Modified Files:
pkgsrc/security/clamav: Makefile Makefile.common cargo-depends.mk
distinfo
Log Message:
lang/clamav: update to 1.4.5
ClamAV 1.4.5 (2026-07-01)
ClamAV 1.4.5 is a patch release with the following fixes:
* CVE-2026-20217: Fixed a bug in the PESpin unpacker cleanup path that could
free pointers into the scanned file buffer and crash the scanner.
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20217>
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back
as 2005. The fix is included in 1.5.3 and 1.4.5.
Thank you to Atuin - Automated Vulnerability Discovery Engine, Tianchu
Chen of Tencent Xuanwu Lab for identifying this issue.
* CVE-2026-20213: Fixed an integer overflow in PE rebuild size calculations
that could be reached through a malformed Aspack-packed PE file and lead
to a heap buffer overflow write.
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20213>
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back
as 2007. The fix is included in 1.5.3 and 1.4.5.
Thank you to Trail of Bits, in collaboration with Anthropic, for
identifying this issue.
* CVE-2026-20216: Fixed an InstallShield archive extraction limit bypass
that could write far more temporary data than intended and exhaust
temporary storage.
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20216>
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back
as 2009. The fix is included in 1.5.3 and 1.4.5.
Thank you to Mizu for identifying this issue.
* CVE-2026-20214: Fixed an FSG unpacker loop underflow that could write past
the section array while scanning a malformed PE file.
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20214>
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back
as 2004. The fix is included in 1.5.3 and 1.4.5.
Thank you to Trail of Bits, in collaboration with Anthropic, for
identifying this issue.
* CVE-2026-20243: Fixed ALZ parser size handling bugs that could cause
malformed ALZ archives to panic, abort the scanner, or skip expected
scan-limit handling.
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20243>
This issue affects ClamAV 1.5.0 through 1.5.2 and 1.4.0 through 1.4.4. The
fix is included in 1.5.3 and 1.4.5.
Thank you to Yazdan Soltani for identifying this issue.
* CVE-2026-20215: Fixed a 7z parser substream count overflow that could
under-allocate parser metadata arrays and write past them while reading a
malformed archive.
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20215>
This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions back to
2009. The fix is included in 1.5.3 and 1.4.5.
Thank you to Trail of Bits, in collaboration with Anthropic, for
identifying this issue.
* CVE-2026-20244: Fixed 32-bit DMG parser size checks that could let a short
mish stripe table pass validation and crash 32-bit scanner builds.
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20244>
This issue affects 32-bit ClamAV builds from 0.98.1 through 1.5.2,
including 1.4.0 through 1.4.4 and 1.5.0 through 1.5.2. It does not affect
64-bit builds. The fix is included in 1.5.3 and 1.4.5.
Thank you to Stanley John Tobias for identifying this issue.
* Hardened clamscan, clamdscan, and clamonacc quarantine actions against
time-of-check/time-of-use races that could redirect copied, moved, or
removed files under unsafe quarantine directory configurations.
Thank you to Hiroki Imai from Ricerca Security, Inc. for identifying this
issue.
* Raised the minimum required CMake version to 3.17 to fix Linux builds with
libcurl v8.21.0 when linking static library dependencies.
* ClamOnAcc: Fixed errors when recursively excluded paths are children of an
included path.
This fix is courtesy of sharkautarch.
To generate a diff of this commit:
cvs rdiff -u -r1.107 -r1.108 pkgsrc/security/clamav/Makefile
cvs rdiff -u -r1.30 -r1.31 pkgsrc/security/clamav/Makefile.common
cvs rdiff -u -r1.2 -r1.3 pkgsrc/security/clamav/cargo-depends.mk
cvs rdiff -u -r1.48 -r1.49 pkgsrc/security/clamav/distinfo
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/security/clamav/Makefile
diff -u pkgsrc/security/clamav/Makefile:1.107 pkgsrc/security/clamav/Makefile:1.108
--- pkgsrc/security/clamav/Makefile:1.107 Thu May 14 16:41:59 2026
+++ pkgsrc/security/clamav/Makefile Sat Jul 4 04:00:48 2026
@@ -1,6 +1,5 @@
-# $NetBSD: Makefile,v 1.107 2026/05/14 16:41:59 ryoon Exp $
+# $NetBSD: Makefile,v 1.108 2026/07/04 04:00:48 taca Exp $
-PKGREVISION= 1
.include "cargo-depends.mk"
.include "Makefile.common"
Index: pkgsrc/security/clamav/Makefile.common
diff -u pkgsrc/security/clamav/Makefile.common:1.30 pkgsrc/security/clamav/Makefile.common:1.31
--- pkgsrc/security/clamav/Makefile.common:1.30 Thu Mar 5 06:55:33 2026
+++ pkgsrc/security/clamav/Makefile.common Sat Jul 4 04:00:48 2026
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile.common,v 1.30 2026/03/05 06:55:33 taca Exp $
+# $NetBSD: Makefile.common,v 1.31 2026/07/04 04:00:48 taca Exp $
#
# used by security/clamav/Makefile
# used by security/clamav-doc/Makefile
-DISTNAME= clamav-1.4.4
+DISTNAME= clamav-1.4.5
CATEGORIES= security
MASTER_SITES= https://www.clamav.net/downloads/production/
Index: pkgsrc/security/clamav/cargo-depends.mk
diff -u pkgsrc/security/clamav/cargo-depends.mk:1.2 pkgsrc/security/clamav/cargo-depends.mk:1.3
--- pkgsrc/security/clamav/cargo-depends.mk:1.2 Thu Mar 5 06:55:33 2026
+++ pkgsrc/security/clamav/cargo-depends.mk Sat Jul 4 04:00:48 2026
@@ -1,7 +1,6 @@
-# $NetBSD: cargo-depends.mk,v 1.2 2026/03/05 06:55:33 taca Exp $
+# $NetBSD: cargo-depends.mk,v 1.3 2026/07/04 04:00:48 taca Exp $
CARGO_CRATE_DEPENDS+= adler2-2.0.1
-CARGO_CRATE_DEPENDS+= adler32-1.2.0
CARGO_CRATE_DEPENDS+= aho-corasick-1.1.3
CARGO_CRATE_DEPENDS+= aligned-0.4.3
CARGO_CRATE_DEPENDS+= aligned-vec-0.6.4
@@ -76,7 +75,6 @@ CARGO_CRATE_DEPENDS+= image-0.25.9
CARGO_CRATE_DEPENDS+= image-webp-0.2.4
CARGO_CRATE_DEPENDS+= imgref-1.12.0
CARGO_CRATE_DEPENDS+= indexmap-1.9.3
-CARGO_CRATE_DEPENDS+= inflate-0.4.5
CARGO_CRATE_DEPENDS+= interpolate_name-0.2.4
CARGO_CRATE_DEPENDS+= itertools-0.10.5
CARGO_CRATE_DEPENDS+= itertools-0.14.0
Index: pkgsrc/security/clamav/distinfo
diff -u pkgsrc/security/clamav/distinfo:1.48 pkgsrc/security/clamav/distinfo:1.49
--- pkgsrc/security/clamav/distinfo:1.48 Thu Mar 5 06:55:33 2026
+++ pkgsrc/security/clamav/distinfo Sat Jul 4 04:00:48 2026
@@ -1,11 +1,8 @@
-$NetBSD: distinfo,v 1.48 2026/03/05 06:55:33 taca Exp $
+$NetBSD: distinfo,v 1.49 2026/07/04 04:00:48 taca Exp $
BLAKE2s (adler2-2.0.1.crate) = 4d391e0fcde91c7435ee9a5503fee4a5346f549f1b45e482ce3e1e151d90f8f5
SHA512 (adler2-2.0.1.crate) = 555b2b7ba6f8116acccd0bcd16ed34cc78162c81023cff31a8566ffcd456c03832089fca2d5b668ceaac4fe8f922d31aa9c487f226a36cace294ff4a219bd91d
Size (adler2-2.0.1.crate) = 13366 bytes
-BLAKE2s (adler32-1.2.0.crate) = 8bc63ca383f40390bb522c750ef33e14b5e49bc48eb0ec33a140f615c598a6df
-SHA512 (adler32-1.2.0.crate) = 8ed72612fb78e213fc92963fdae0508ef26988656c939e6c9cddccbe2658d4a956a8ae934d9658262a8b2687dc446b3f1ee7614128b440487c81e606526dfda3
-Size (adler32-1.2.0.crate) = 6411 bytes
BLAKE2s (aho-corasick-1.1.3.crate) = 36150b5dacb72fa7cd0d33aee15e14857914224878f0af76eabcb9daa68e3ae0
SHA512 (aho-corasick-1.1.3.crate) = ba422a54688c4678fcf16e34fdf3ed06c333e6e3fc8b75af9272a215add494d43ebaef319021134b61327fd5d3572aec0dc655b714ffb3bc71ba3c265c9ebb69
Size (aho-corasick-1.1.3.crate) = 183311 bytes
@@ -105,9 +102,9 @@ Size (cfg-if-1.0.0.crate) = 7934 bytes
BLAKE2s (chrono-0.4.38.crate) = cd804c8f2c3ec8027f1a28fc2406b92e8cb27989956cf7e27fb98f6e338704cf
SHA512 (chrono-0.4.38.crate) = 858e47e3facebd5383e71898f26b27d92fe4a69027e2cc47da2af59975ead7767355e0b699f4228eabe76a3eff8b2519c7cecf8b60dc3fc60fbf9b28e2f3d4d9
Size (chrono-0.4.38.crate) = 220559 bytes
-BLAKE2s (clamav-1.4.4.tar.gz) = 242bf312218dedde01e1ee25ce814ea6afec262e255677bbcf1895d32a0788ab
-SHA512 (clamav-1.4.4.tar.gz) = a9372196076345dfafdef448fd94b19787c4aa7019cc9c0609b03cdaaa887b4a6941554305293d2c53000beb27ed2877207e531875830eebca399882da57e2ba
-Size (clamav-1.4.4.tar.gz) = 45268142 bytes
+BLAKE2s (clamav-1.4.5.tar.gz) = e1fda10df1b5546d7d4c7e581dc5cf8a5fc4cc46c22411611b683687ce25e885
+SHA512 (clamav-1.4.5.tar.gz) = 1b20b51c532892287dcefc7bdd4a154b33147bee3e39650993b6bbe93995ec3f3491c32d247b507cc2e5de42e7da98fc4060c3606e364c91bdd3425637b50d7c
+Size (clamav-1.4.5.tar.gz) = 46095554 bytes
BLAKE2s (clang-sys-1.7.0.crate) = e2d4f063bac7ae563cef9363b02884fc718864129c02ae62606757b232db9c22
SHA512 (clang-sys-1.7.0.crate) = e544984d5bd76824ea2093f43f98b59a99e1ca8a5de40e49164b870ed4a91a530f3492faf0678190b91e74aa5d122bdbb32c649998d0ce24912dfb0b83ed6b81
Size (clang-sys-1.7.0.crate) = 42088 bytes
@@ -231,9 +228,6 @@ Size (imgref-1.12.0.crate) = 66324 bytes
BLAKE2s (indexmap-1.9.3.crate) = fe9c741c1c6d6e741ce68d48bb49010f6c2c07169f76e07820305cf960ef2c72
SHA512 (indexmap-1.9.3.crate) = 2aa8069eb07a814c8fa3e11296c9f032ef60963520d7786ad20cca5cb7e73b8f76d97722a994d65295bb713020aadce5008cd3df5e99d8bd968ef1979f910a37
Size (indexmap-1.9.3.crate) = 54653 bytes
-BLAKE2s (inflate-0.4.5.crate) = 5ab133b3d231d9a863b8501bc9b1ba9e36bb556d6d9841786303a9506ab2c7e2
-SHA512 (inflate-0.4.5.crate) = 1392402f72a8463dc5cdaf815d8933e8dfcc914fb3a91e69c38e54deb7d55b5211e157b640b7cfa999400fb4d2e233a4a1a678147594dfa0be300894126d17f2
-Size (inflate-0.4.5.crate) = 17715 bytes
BLAKE2s (interpolate_name-0.2.4.crate) = 9fa9308fac01d346ad60826823aeb5b9524603f54fb65759bc4aa0c2bd09371d
SHA512 (interpolate_name-0.2.4.crate) = 87d2b732a9104d1a094a15ba6fa642641690aec10bec065d02aff5830f54a0fed02ff5de4bd5c237a91d34cd81da0ef11cc37ded3d4ac640de9dcb96fb73fe11
Size (interpolate_name-0.2.4.crate) = 4027 bytes
Home |
Main Index |
Thread Index |
Old Index