pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: [pkgsrc-2026Q2] pkgsrc/security



Module Name:    pkgsrc
Committed By:   bsiegert
Date:           Mon Jul 13 14:08:44 UTC 2026

Modified Files:
        pkgsrc/security/clamav [pkgsrc-2026Q2]: Makefile Makefile.common
            cargo-depends.mk distinfo
        pkgsrc/security/clamav-doc [pkgsrc-2026Q2]: PLIST

Log Message:
Pullup ticket #7162 - requested by taca
security/clamav: security fix

Revisions pulled up:
- security/clamav-doc/PLIST                                     1.14
- security/clamav/Makefile                                      1.108
- security/clamav/Makefile.common                               1.31
- security/clamav/cargo-depends.mk                              1.3
- security/clamav/distinfo                                      1.49

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Sat Jul  4 04:00:48 UTC 2026

   Modified Files:
        pkgsrc/security/clamav: Makefile Makefile.common cargo-depends.mk
            distinfo

   Log Message:
   lang/clamav: update to 1.4.5

   ClamAV 1.4.5 (2026-07-01)

   ClamAV 1.4.5 is a patch release with the following fixes:

   * CVE-2026-20217: Fixed a bug in the PESpin unpacker cleanup path that could
     free pointers into the scanned file buffer and crash the scanner.
     <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20217>

     This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back
     as 2005. The fix is included in 1.5.3 and 1.4.5.

     Thank you to Atuin - Automated Vulnerability Discovery Engine, Tianchu
     Chen of Tencent Xuanwu Lab for identifying this issue.

   * CVE-2026-20213: Fixed an integer overflow in PE rebuild size calculations
     that could be reached through a malformed Aspack-packed PE file and lead
     to a heap buffer overflow write.
     <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20213>

     This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back
     as 2007. The fix is included in 1.5.3 and 1.4.5.

     Thank you to Trail of Bits, in collaboration with Anthropic, for
     identifying this issue.

   * CVE-2026-20216: Fixed an InstallShield archive extraction limit bypass
     that could write far more temporary data than intended and exhaust
     temporary storage.
     <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20216>

     This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back
     as 2009. The fix is included in 1.5.3 and 1.4.5.

     Thank you to Mizu for identifying this issue.

   * CVE-2026-20214: Fixed an FSG unpacker loop underflow that could write past
     the section array while scanning a malformed PE file.
     <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20214>

     This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back
     as 2004. The fix is included in 1.5.3 and 1.4.5.

     Thank you to Trail of Bits, in collaboration with Anthropic, for
     identifying this issue.

   * CVE-2026-20243: Fixed ALZ parser size handling bugs that could cause
     malformed ALZ archives to panic, abort the scanner, or skip expected
     scan-limit handling.
     <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20243>

     This issue affects ClamAV 1.5.0 through 1.5.2 and 1.4.0 through 1.4.4. The
     fix is included in 1.5.3 and 1.4.5.

     Thank you to Yazdan Soltani for identifying this issue.

   * CVE-2026-20215: Fixed a 7z parser substream count overflow that could
     under-allocate parser metadata arrays and write past them while reading a
     malformed archive.
     <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20215>

     This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions back to
     2009. The fix is included in 1.5.3 and 1.4.5.

     Thank you to Trail of Bits, in collaboration with Anthropic, for
     identifying this issue.

   * CVE-2026-20244: Fixed 32-bit DMG parser size checks that could let a short
     mish stripe table pass validation and crash 32-bit scanner builds.
     <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20244>

     This issue affects 32-bit ClamAV builds from 0.98.1 through 1.5.2,
     including 1.4.0 through 1.4.4 and 1.5.0 through 1.5.2.  It does not affect
     64-bit builds.  The fix is included in 1.5.3 and 1.4.5.

     Thank you to Stanley John Tobias for identifying this issue.

   * Hardened clamscan, clamdscan, and clamonacc quarantine actions against
     time-of-check/time-of-use races that could redirect copied, moved, or
     removed files under unsafe quarantine directory configurations.

     Thank you to Hiroki Imai from Ricerca Security, Inc. for identifying this
     issue.

   * Raised the minimum required CMake version to 3.17 to fix Linux builds with
     libcurl v8.21.0 when linking static library dependencies.

   * ClamOnAcc: Fixed errors when recursively excluded paths are children of an
     included path.

     This fix is courtesy of sharkautarch.

---
   Module Name: pkgsrc
   Committed By:        taca
   Date:                Sat Jul  4 04:01:33 UTC 2026

   Modified Files:
        pkgsrc/security/clamav-doc: PLIST

   Log Message:
   lang/clamav-doc: update to 1.4.5

   Documentation update.


To generate a diff of this commit:
cvs rdiff -u -r1.107 -r1.107.2.1 pkgsrc/security/clamav/Makefile
cvs rdiff -u -r1.30 -r1.30.4.1 pkgsrc/security/clamav/Makefile.common
cvs rdiff -u -r1.2 -r1.2.4.1 pkgsrc/security/clamav/cargo-depends.mk
cvs rdiff -u -r1.48 -r1.48.4.1 pkgsrc/security/clamav/distinfo
cvs rdiff -u -r1.13 -r1.13.4.1 pkgsrc/security/clamav-doc/PLIST

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/clamav/Makefile
diff -u pkgsrc/security/clamav/Makefile:1.107 pkgsrc/security/clamav/Makefile:1.107.2.1
--- pkgsrc/security/clamav/Makefile:1.107       Thu May 14 16:41:59 2026
+++ pkgsrc/security/clamav/Makefile     Mon Jul 13 14:08:44 2026
@@ -1,6 +1,5 @@
-# $NetBSD: Makefile,v 1.107 2026/05/14 16:41:59 ryoon Exp $
+# $NetBSD: Makefile,v 1.107.2.1 2026/07/13 14:08:44 bsiegert Exp $
 
-PKGREVISION= 1
 .include "cargo-depends.mk"
 .include "Makefile.common"
 

Index: pkgsrc/security/clamav/Makefile.common
diff -u pkgsrc/security/clamav/Makefile.common:1.30 pkgsrc/security/clamav/Makefile.common:1.30.4.1
--- pkgsrc/security/clamav/Makefile.common:1.30 Thu Mar  5 06:55:33 2026
+++ pkgsrc/security/clamav/Makefile.common      Mon Jul 13 14:08:44 2026
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile.common,v 1.30 2026/03/05 06:55:33 taca Exp $
+# $NetBSD: Makefile.common,v 1.30.4.1 2026/07/13 14:08:44 bsiegert Exp $
 #
 # used by security/clamav/Makefile
 # used by security/clamav-doc/Makefile
 
-DISTNAME=      clamav-1.4.4
+DISTNAME=      clamav-1.4.5
 CATEGORIES=    security
 MASTER_SITES=  https://www.clamav.net/downloads/production/
 

Index: pkgsrc/security/clamav/cargo-depends.mk
diff -u pkgsrc/security/clamav/cargo-depends.mk:1.2 pkgsrc/security/clamav/cargo-depends.mk:1.2.4.1
--- pkgsrc/security/clamav/cargo-depends.mk:1.2 Thu Mar  5 06:55:33 2026
+++ pkgsrc/security/clamav/cargo-depends.mk     Mon Jul 13 14:08:44 2026
@@ -1,7 +1,6 @@
-# $NetBSD: cargo-depends.mk,v 1.2 2026/03/05 06:55:33 taca Exp $
+# $NetBSD: cargo-depends.mk,v 1.2.4.1 2026/07/13 14:08:44 bsiegert Exp $
 
 CARGO_CRATE_DEPENDS+=  adler2-2.0.1
-CARGO_CRATE_DEPENDS+=  adler32-1.2.0
 CARGO_CRATE_DEPENDS+=  aho-corasick-1.1.3
 CARGO_CRATE_DEPENDS+=  aligned-0.4.3
 CARGO_CRATE_DEPENDS+=  aligned-vec-0.6.4
@@ -76,7 +75,6 @@ CARGO_CRATE_DEPENDS+= image-0.25.9
 CARGO_CRATE_DEPENDS+=  image-webp-0.2.4
 CARGO_CRATE_DEPENDS+=  imgref-1.12.0
 CARGO_CRATE_DEPENDS+=  indexmap-1.9.3
-CARGO_CRATE_DEPENDS+=  inflate-0.4.5
 CARGO_CRATE_DEPENDS+=  interpolate_name-0.2.4
 CARGO_CRATE_DEPENDS+=  itertools-0.10.5
 CARGO_CRATE_DEPENDS+=  itertools-0.14.0

Index: pkgsrc/security/clamav/distinfo
diff -u pkgsrc/security/clamav/distinfo:1.48 pkgsrc/security/clamav/distinfo:1.48.4.1
--- pkgsrc/security/clamav/distinfo:1.48        Thu Mar  5 06:55:33 2026
+++ pkgsrc/security/clamav/distinfo     Mon Jul 13 14:08:44 2026
@@ -1,11 +1,8 @@
-$NetBSD: distinfo,v 1.48 2026/03/05 06:55:33 taca Exp $
+$NetBSD: distinfo,v 1.48.4.1 2026/07/13 14:08:44 bsiegert Exp $
 
 BLAKE2s (adler2-2.0.1.crate) = 4d391e0fcde91c7435ee9a5503fee4a5346f549f1b45e482ce3e1e151d90f8f5
 SHA512 (adler2-2.0.1.crate) = 555b2b7ba6f8116acccd0bcd16ed34cc78162c81023cff31a8566ffcd456c03832089fca2d5b668ceaac4fe8f922d31aa9c487f226a36cace294ff4a219bd91d
 Size (adler2-2.0.1.crate) = 13366 bytes
-BLAKE2s (adler32-1.2.0.crate) = 8bc63ca383f40390bb522c750ef33e14b5e49bc48eb0ec33a140f615c598a6df
-SHA512 (adler32-1.2.0.crate) = 8ed72612fb78e213fc92963fdae0508ef26988656c939e6c9cddccbe2658d4a956a8ae934d9658262a8b2687dc446b3f1ee7614128b440487c81e606526dfda3
-Size (adler32-1.2.0.crate) = 6411 bytes
 BLAKE2s (aho-corasick-1.1.3.crate) = 36150b5dacb72fa7cd0d33aee15e14857914224878f0af76eabcb9daa68e3ae0
 SHA512 (aho-corasick-1.1.3.crate) = ba422a54688c4678fcf16e34fdf3ed06c333e6e3fc8b75af9272a215add494d43ebaef319021134b61327fd5d3572aec0dc655b714ffb3bc71ba3c265c9ebb69
 Size (aho-corasick-1.1.3.crate) = 183311 bytes
@@ -105,9 +102,9 @@ Size (cfg-if-1.0.0.crate) = 7934 bytes
 BLAKE2s (chrono-0.4.38.crate) = cd804c8f2c3ec8027f1a28fc2406b92e8cb27989956cf7e27fb98f6e338704cf
 SHA512 (chrono-0.4.38.crate) = 858e47e3facebd5383e71898f26b27d92fe4a69027e2cc47da2af59975ead7767355e0b699f4228eabe76a3eff8b2519c7cecf8b60dc3fc60fbf9b28e2f3d4d9
 Size (chrono-0.4.38.crate) = 220559 bytes
-BLAKE2s (clamav-1.4.4.tar.gz) = 242bf312218dedde01e1ee25ce814ea6afec262e255677bbcf1895d32a0788ab
-SHA512 (clamav-1.4.4.tar.gz) = a9372196076345dfafdef448fd94b19787c4aa7019cc9c0609b03cdaaa887b4a6941554305293d2c53000beb27ed2877207e531875830eebca399882da57e2ba
-Size (clamav-1.4.4.tar.gz) = 45268142 bytes
+BLAKE2s (clamav-1.4.5.tar.gz) = e1fda10df1b5546d7d4c7e581dc5cf8a5fc4cc46c22411611b683687ce25e885
+SHA512 (clamav-1.4.5.tar.gz) = 1b20b51c532892287dcefc7bdd4a154b33147bee3e39650993b6bbe93995ec3f3491c32d247b507cc2e5de42e7da98fc4060c3606e364c91bdd3425637b50d7c
+Size (clamav-1.4.5.tar.gz) = 46095554 bytes
 BLAKE2s (clang-sys-1.7.0.crate) = e2d4f063bac7ae563cef9363b02884fc718864129c02ae62606757b232db9c22
 SHA512 (clang-sys-1.7.0.crate) = e544984d5bd76824ea2093f43f98b59a99e1ca8a5de40e49164b870ed4a91a530f3492faf0678190b91e74aa5d122bdbb32c649998d0ce24912dfb0b83ed6b81
 Size (clang-sys-1.7.0.crate) = 42088 bytes
@@ -231,9 +228,6 @@ Size (imgref-1.12.0.crate) = 66324 bytes
 BLAKE2s (indexmap-1.9.3.crate) = fe9c741c1c6d6e741ce68d48bb49010f6c2c07169f76e07820305cf960ef2c72
 SHA512 (indexmap-1.9.3.crate) = 2aa8069eb07a814c8fa3e11296c9f032ef60963520d7786ad20cca5cb7e73b8f76d97722a994d65295bb713020aadce5008cd3df5e99d8bd968ef1979f910a37
 Size (indexmap-1.9.3.crate) = 54653 bytes
-BLAKE2s (inflate-0.4.5.crate) = 5ab133b3d231d9a863b8501bc9b1ba9e36bb556d6d9841786303a9506ab2c7e2
-SHA512 (inflate-0.4.5.crate) = 1392402f72a8463dc5cdaf815d8933e8dfcc914fb3a91e69c38e54deb7d55b5211e157b640b7cfa999400fb4d2e233a4a1a678147594dfa0be300894126d17f2
-Size (inflate-0.4.5.crate) = 17715 bytes
 BLAKE2s (interpolate_name-0.2.4.crate) = 9fa9308fac01d346ad60826823aeb5b9524603f54fb65759bc4aa0c2bd09371d
 SHA512 (interpolate_name-0.2.4.crate) = 87d2b732a9104d1a094a15ba6fa642641690aec10bec065d02aff5830f54a0fed02ff5de4bd5c237a91d34cd81da0ef11cc37ded3d4ac640de9dcb96fb73fe11
 Size (interpolate_name-0.2.4.crate) = 4027 bytes

Index: pkgsrc/security/clamav-doc/PLIST
diff -u pkgsrc/security/clamav-doc/PLIST:1.13 pkgsrc/security/clamav-doc/PLIST:1.13.4.1
--- pkgsrc/security/clamav-doc/PLIST:1.13       Thu Mar  5 06:56:13 2026
+++ pkgsrc/security/clamav-doc/PLIST    Mon Jul 13 14:08:44 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.13 2026/03/05 06:56:13 taca Exp $
+@comment $NetBSD: PLIST,v 1.13.4.1 2026/07/13 14:08:44 bsiegert Exp $
 share/doc/clamav/html/404.html
 share/doc/clamav/html/Introduction.html
 share/doc/clamav/html/ace-2a3cd908.js
@@ -102,6 +102,7 @@ share/doc/clamav/html/manual/Signatures/
 share/doc/clamav/html/manual/Signatures/SignatureNames.html
 share/doc/clamav/html/manual/Signatures/YaraRules.html
 share/doc/clamav/html/manual/Usage.html
+share/doc/clamav/html/manual/Usage/ClamdProtocol.html
 share/doc/clamav/html/manual/Usage/Configuration.html
 share/doc/clamav/html/manual/Usage/ReportABug.html
 share/doc/clamav/html/manual/Usage/Scanning.html
@@ -109,13 +110,15 @@ share/doc/clamav/html/manual/Usage/Servi
 share/doc/clamav/html/manual/Usage/SignatureManagement.html
 share/doc/clamav/html/manual/cisco-talos.gpg
 share/doc/clamav/html/mark-09e88c2c.min.js
+share/doc/clamav/html/mermaid-eefea253.min.js
+share/doc/clamav/html/mermaid-init-ccf746f1.js
 share/doc/clamav/html/mode-rust-2c9d5c9a.js
 share/doc/clamav/html/print.html
-share/doc/clamav/html/searcher-c2a407aa.js
-share/doc/clamav/html/searchindex-1b5ba28b.js
+share/doc/clamav/html/searcher-09f2665d.js
+share/doc/clamav/html/searchindex-d348bbbb.js
 share/doc/clamav/html/sitemap.xml
 share/doc/clamav/html/theme-dawn-4493f9c8.js
 share/doc/clamav/html/theme-tomorrow_night-9dbe62a9.js
-share/doc/clamav/html/toc-cbaddea7.js
+share/doc/clamav/html/toc-0c194aa2.js
 share/doc/clamav/html/toc.html
 share/doc/clamav/html/tomorrow-night-4c0ae647.css



Home | Main Index | Thread Index | Old Index