Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package libclamunrar

Fixes an RC security bug. It also aligns how the package is built with clamav (from which it is split for licensing reasons), which should reduce the risk of problems between the two packages.

unblock libclamunrar/0.98.5-1
diff -Nru libclamunrar-0.98.1/clamav-config.h.in libclamunrar-0.98.5/clamav-config.h.in
--- libclamunrar-0.98.1/clamav-config.h.in 2014-04-24 17:43:57.000000000 -0400
+++ libclamunrar-0.98.5/clamav-config.h.in 2014-11-18 16:22:37.000000000 -0500
@@ -96,9 +96,6 @@
 /* file i/o buffer size */
 #undef FILEBUFF
 
-/* FPU byte ordering matches CPU */
-#undef FPU_WORDS_BIGENDIAN
-
 /* enable workaround for broken DNS servers */
 #undef FRESHCLAM_DNS_FIX
 
@@ -123,6 +120,10 @@
 /* ctime_r takes 3 arguments */
 #undef HAVE_CTIME_R_3
 
+/* Define to 1 if you have a deprecated version of the 'libjson' library
+ (-ljson). */
+#undef HAVE_DEPRECATED_JSON
+
 /* Define to 1 if you have the <dlfcn.h> header file. */
 #undef HAVE_DLFCN_H
 
@@ -138,6 +139,9 @@
 /* have getaddrinfo() */
 #undef HAVE_GETADDRINFO
 
+/* Define to 1 if you have the `getnameinfo' function. */
+#undef HAVE_GETNAMEINFO
+
 /* Define to 1 if getpagesize() is available */
 #undef HAVE_GETPAGESIZE
 
@@ -162,6 +166,9 @@
 /* in_port_t is defined */
 #undef HAVE_IN_PORT_T
 
+/* Define to 1 if you have the 'libjson' library (-ljson). */
+#undef HAVE_JSON
+
 /* Define to '1' if you have the check.h library */
 #undef HAVE_LIBCHECK
 
@@ -174,6 +181,9 @@
 /* Define to '1' if you have the curses.h library */
 #undef HAVE_LIBPDCURSES
 
+/* Define to 1 if you have the `ssl' library (-lssl). */
+#undef HAVE_LIBSSL
+
 /* Define to 1 if you have the 'libxml2' library (-lxml2). */
 #undef HAVE_LIBXML2
 
@@ -220,6 +230,9 @@
 /* "pragma pack hppa/hp-ux style" */
 #undef HAVE_PRAGMA_PACK_HPPA
 
+/* Define to 1 if you have the <pthread.h> header file */
+#undef HAVE_PTHREAD_H
+
 /* Define to 1 if you have the `pthread_yield' function. */
 #undef HAVE_PTHREAD_YIELD
 
@@ -289,6 +302,9 @@
 /* Define to 1 if sysconf(_SC_PAGESIZE) is available */
 #undef HAVE_SYSCONF_SC_PAGESIZE
 
+/* Define to 1 if you have the `sysctlbyname' function. */
+#undef HAVE_SYSCTLBYNAME
+
 /* Define to 1 if you have the <sys/filio.h> header file. */
 #undef HAVE_SYS_FILIO_H
 
@@ -322,6 +338,9 @@
 /* Define to 1 if you have the <termios.h> header file. */
 #undef HAVE_TERMIOS_H
 
+/* Define to 1 if you have the `timegm' function. */
+#undef HAVE_TIMEGM
+
 /* Define this if uname(2) is POSIX */
 #undef HAVE_UNAME_SYSCALL
 
@@ -374,9 +393,6 @@
 /* Define to the version of this package. */
 #undef PACKAGE_VERSION
 
-/* scan buffer size */
-#undef SCANBUFF
-
 /* Define to 1 if the `setpgrp' function takes no argument. */
 #undef SETPGRP_VOID
 
@@ -407,6 +423,28 @@
 /* use syslog */
 #undef USE_SYSLOG
 
+/* Enable extensions on AIX 3, Interix. */
+#ifndef _ALL_SOURCE
+# undef _ALL_SOURCE
+#endif
+/* Enable GNU extensions on systems that have them. */
+#ifndef _GNU_SOURCE
+# undef _GNU_SOURCE
+#endif
+/* Enable threading extensions on Solaris. */
+#ifndef _POSIX_PTHREAD_SEMANTICS
+# undef _POSIX_PTHREAD_SEMANTICS
+#endif
+/* Enable extensions on HP NonStop. */
+#ifndef _TANDEM_SOURCE
+# undef _TANDEM_SOURCE
+#endif
+/* Enable general extensions on Solaris. */
+#ifndef __EXTENSIONS__
+# undef __EXTENSIONS__
+#endif
+
+
 /* Version number of package */
 #undef VERSION
 
@@ -428,9 +466,19 @@
 /* Define to 1 to make fseeko visible on some hosts (e.g. glibc 2.2). */
 #undef _LARGEFILE_SOURCE
 
+/* Define to 1 if on MINIX. */
+#undef _MINIX
+
+/* Define to 2 if the system does not provide POSIX.1 features except with
+ this defined. */
+#undef _POSIX_1_SOURCE
+
 /* POSIX compatibility */
 #undef _POSIX_PII_SOCKET
 
+/* Define to 1 if you need to in order for `stat' and other things to work. */
+#undef _POSIX_SOURCE
+
 /* thread safe */
 #undef _REENTRANT
 
diff -Nru libclamunrar-0.98.1/config/test-driver libclamunrar-0.98.5/config/test-driver
--- libclamunrar-0.98.1/config/test-driver 1969-12-31 19:00:00.000000000 -0500
+++ libclamunrar-0.98.5/config/test-driver 2014-11-18 16:22:26.000000000 -0500
@@ -0,0 +1,127 @@
+#! /bin/sh
+# test-driver - basic testsuite driver script.
+
+scriptversion=2012-06-27.10; # UTC
+
+# Copyright (C) 2011-2013 Free Software Foundation, Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+# As a special exception to the GNU General Public License, if you
+# distribute this file as part of a program that contains a
+# configuration script generated by Autoconf, you may include it under
+# the same distribution terms that you use for the rest of that program.
+
+# This file is maintained in Automake, please report
+# bugs to <bug-autom...@gnu.org> or send patches to
+# <automake-patc...@gnu.org>.
+
+# Make unconditional expansion of undefined variables an error. This
+# helps a lot in preventing typo-related bugs.
+set -u
+
+usage_error ()
+{
+ echo "$0: $*" >&2
+ print_usage >&2
+ exit 2
+}
+
+print_usage ()
+{
+ cat <<END
+Usage:
+ test-driver --test-name=NAME --log-file=PATH --trs-file=PATH
+ [--expect-failure={yes|no}] [--color-tests={yes|no}]
+ [--enable-hard-errors={yes|no}] [--] TEST-SCRIPT
+The '--test-name', '--log-file' and '--trs-file' options are mandatory.
+END
+}
+
+# TODO: better error handling in option parsing (in particular, ensure
+# TODO: $log_file, $trs_file and $test_name are defined).
+test_name= # Used for reporting.
+log_file= # Where to save the output of the test script.
+trs_file= # Where to save the metadata of the test run.
+expect_failure=no
+color_tests=no
+enable_hard_errors=yes
+while test $# -gt 0; do
+ case $1 in
+ --help) print_usage; exit $?;;
+ --version) echo "test-driver $scriptversion"; exit $?;;
+ --test-name) test_name=$2; shift;;
+ --log-file) log_file=$2; shift;;
+ --trs-file) trs_file=$2; shift;;
+ --color-tests) color_tests=$2; shift;;
+ --expect-failure) expect_failure=$2; shift;;
+ --enable-hard-errors) enable_hard_errors=$2; shift;;
+ --) shift; break;;
+ -*) usage_error "invalid option: '$1'";;
+ esac
+ shift
+done
+
+if test $color_tests = yes; then
+ # Keep this in sync with 'lib/am/check.am:$(am__tty_colors)'.
+ red='[0;31m' # Red.
+ grn='[0;32m' # Green.
+ lgn='[1;32m' # Light green.
+ blu='[1;34m' # Blue.
+ mgn='[0;35m' # Magenta.
+ std='[m' # No color.
+else
+ red= grn= lgn= blu= mgn= std=
+fi
+
+do_exit='rm -f $log_file $trs_file; (exit $st); exit $st'
+trap "st=129; $do_exit" 1
+trap "st=130; $do_exit" 2
+trap "st=141; $do_exit" 13
+trap "st=143; $do_exit" 15
+
+# Test script is run here.
+"$@" >$log_file 2>&1
+estatus=$?
+if test $enable_hard_errors = no && test $estatus -eq 99; then
+ estatus=1
+fi
+
+case $estatus:$expect_failure in
+ 0:yes) col=$red res=XPASS recheck=yes gcopy=yes;;
+ 0:*) col=$grn res=PASS recheck=no gcopy=no;;
+ 77:*) col=$blu res=SKIP recheck=no gcopy=yes;;
+ 99:*) col=$mgn res=ERROR recheck=yes gcopy=yes;;
+ *:yes) col=$lgn res=XFAIL recheck=no gcopy=yes;;
+ *:*) col=$red res=FAIL recheck=yes gcopy=yes;;
+esac
+
+# Report outcome to console.
+echo "${col}${res}${std}: $test_name"
+
+# Register the test result, and other relevant metadata.
+echo ":test-result: $res" > $trs_file
+echo ":global-test-result: $res" >> $trs_file
+echo ":recheck: $recheck" >> $trs_file
+echo ":copy-in-global-log: $gcopy" >> $trs_file
+
+# Local Variables:
+# mode: shell-script
+# sh-indentation: 2
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "scriptversion="
+# time-stamp-format: "%:y-%02m-%02d.%02H"
+# time-stamp-time-zone: "UTC"
+# time-stamp-end: "; # UTC"
+# End:
diff -Nru libclamunrar-0.98.1/COPYING libclamunrar-0.98.5/COPYING
--- libclamunrar-0.98.1/COPYING 2014-04-24 17:43:38.000000000 -0400
+++ libclamunrar-0.98.5/COPYING 2014-11-18 16:22:26.000000000 -0500
@@ -338,3 +338,19 @@
 consider it more useful to permit linking proprietary applications with the
 library. If this is what you want to do, use the GNU Library General
 Public License instead of this License.
+
+ REGARDING OPENSSL
+
+ In addition, as a special exception, the copyright holders give
+ permission to link the code of portions of this program with the
+ OpenSSL library under certain conditions as described in each
+ individual source file, and distribute linked combinations
+ including the two.
+
+ You must obey the GNU General Public License in all respects
+ for all of the code used other than OpenSSL. If you modify
+ file(s) with this exception, you may extend this exception to your
+ version of the file(s), but you are not obligated to do so. If you
+ do not wish to do so, delete this exception statement from your
+ version. If you delete this exception statement from all source
+ files in the program, then also delete it here.
diff -Nru libclamunrar-0.98.1/debian/changelog libclamunrar-0.98.5/debian/changelog
--- libclamunrar-0.98.1/debian/changelog 2014-05-03 14:24:21.000000000 -0400
+++ libclamunrar-0.98.5/debian/changelog 2014-11-22 23:56:03.000000000 -0500
@@ -1,3 +1,20 @@
+libclamunrar (0.98.5-1) unstable; urgency=medium
+
+ [ Sebastian Andrzej Siewior ]
+ * Update to new upstream version.
+ - Finaly address "double-free error exists within the
+ unrar_extract_next_prepare()" (Closes: #770647)
+ * Drop automake workaround, the bug was fixed.
+ * Fix LFS support using the same approach as clamav for compatibility and
+ correctness
+
+ [ Scott Kitterman ]
+ * Add build-dep on libssl-dev, needed for configure even if not used
+ in libclamunrar
+ * Update debian/copyright to add openssl exception per COPYING
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Sat, 22 Nov 2014 22:25:35 +0100
+
 libclamunrar (0.98.1-1) unstable; urgency=low
 
 * New upstream version
diff -Nru libclamunrar-0.98.1/debian/control libclamunrar-0.98.5/debian/control
--- libclamunrar-0.98.1/debian/control 2014-05-03 14:22:56.000000000 -0400
+++ libclamunrar-0.98.5/debian/control 2014-11-22 23:35:14.000000000 -0500
@@ -3,7 +3,7 @@
 Section: non-free/libs
 Maintainer: ClamAV Team <pkg-clamav-de...@lists.alioth.debian.org>
 Uploaders: Michael Tautschnig <m...@debian.org>, Stephen Gran <sg...@debian.org>, Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
-Build-Depends: debhelper (>= 8), autotools-dev, zlib1g-dev, libbz2-dev, dh-autoreconf, automake1.11
+Build-Depends: debhelper (>= 8), autotools-dev, zlib1g-dev, libbz2-dev, dh-autoreconf, automake, libssl-dev
 Standards-Version: 3.9.5
 Vcs-Git: git://anonscm.debian.org/pkg-clamav/libclamunrar.git
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-clamav/libclamunrar.git;a=summary
diff -Nru libclamunrar-0.98.1/debian/copyright libclamunrar-0.98.5/debian/copyright
--- libclamunrar-0.98.1/debian/copyright 2014-05-03 14:22:56.000000000 -0400
+++ libclamunrar-0.98.5/debian/copyright 2014-11-22 23:55:44.000000000 -0500
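Review bot: The new `libssl-dev` build-dependency on the Build-Depends line is justified in the changelog as needed only by configure, but the regenerated config header also gains `HAVE_LIBSSL`, so it is worth confirming that the built shared object does not actually link against libssl (check the `${shlibs:Depends}` that dpkg-shlibdeps generates, or `objdump -p` on the library for a NEEDED entry); the `-Wl,-z,defs` in debian/rules only catches missing symbols, not extra libraries. If it does link, libclamunrar silently gains an OpenSSL runtime dependency and the GPL exception text added to COPYING and debian/copyright becomes load-bearing rather than precautionary, which should then be stated explicitly in the changelog. Replacing `automake1.11` with `automake` is consistent with the removal of the AUTOMAKE/ACLOCAL override in the debian/rules hunk below.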
@@ -26,6 +26,23 @@
 On Debian GNU/Linux systems, the complete text of the GNU General Public License can be found in `/usr/share/common-licenses/GPL-2'.
+ REGARDING OPENSSL
+
+ In addition, as a special exception, the copyright holders give
+ permission to link the code of portions of this program with the
+ OpenSSL library under certain conditions as described in each
+ individual source file, and distribute linked combinations
+ including the two.
+
+ You must obey the GNU General Public License in all respects
+ for all of the code used other than OpenSSL. If you modify
+ file(s) with this exception, you may extend this exception to your
+ version of the file(s), but you are not obligated to do so. If you
+ do not wish to do so, delete this exception statement from your
+ version. If you delete this exception statement from all source
+ files in the program, then also delete it here.
+
+
 libclamunrar_iface/unrar_iface.c and libclamunrar_iface/unrar_iface.h are Copyright (C) 2007 Sourcefire, Inc.
diff -Nru libclamunrar-0.98.1/debian/rules libclamunrar-0.98.5/debian/rules
--- libclamunrar-0.98.1/debian/rules 2014-05-03 14:22:56.000000000 -0400
+++ libclamunrar-0.98.5/debian/rules 2014-11-22 23:31:37.000000000 -0500
@@ -1,12 +1,6 @@
 #!/usr/bin/make -f
 #export DH_VERBOSE=1
 
-# Use automake 1.11 due to bug in automake-1.14.
-# see: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=16375
-# TODO: Remove this, when the bug is fixed.
-export AUTOMAKE = automake-1.11
-export ACLOCAL = aclocal-1.11
-
 # The autotools in squeeze (Debian 6) are too old, so don't use autoreconf.
 ifeq ($(shell cut -c1 /etc/debian_version),6)
 AUTORECONF =
@@ -18,7 +12,8 @@
 dh $@ --parallel $(AUTORECONF)
 
 override_dh_auto_configure:
- dh_auto_configure -- $(shell DEB_LDFLAGS_MAINT_APPEND="-Wl,-z,defs" dpkg-buildflags --export=configure) \
+ dh_auto_configure -- $(shell DEB_LDFLAGS_MAINT_APPEND="-Wl,-z,defs" \
+ DEB_CFLAGS_MAINT_APPEND="-D_FILE_OFFSET_BITS=64" dpkg-buildflags --export=configure) \
 --disable-clamav
 
 override_dh_auto_build-arch:
diff -Nru libclamunrar-0.98.1/libclamunrar_iface/unrar_iface.c libclamunrar-0.98.5/libclamunrar_iface/unrar_iface.c
--- libclamunrar-0.98.1/libclamunrar_iface/unrar_iface.c 2014-04-24 17:43:38.000000000 -0400
+++ libclamunrar-0.98.5/libclamunrar_iface/unrar_iface.c 2014-11-18 16:22:26.000000000 -0500
@@ -172,6 +172,7 @@
 unrar_dbgmsg("UNRAR: Head Size: %.4x\n", file_header->head_size);
 if(lseek(fd, file_header->next_offset, SEEK_SET) != file_header->next_offset) {
 unrar_dbgmsg("seek: %ld\n", file_header->next_offset);
+ free(file_header);
 return NULL;
 }
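Review bot: `DEB_CFLAGS_MAINT_APPEND="-D_FILE_OFFSET_BITS=64"` in the override_dh_auto_configure hunk only reaches CFLAGS, so any object compiled as C++ (the unrar core is typically C++, which I cannot confirm from this diff) would be built without the define while unrar_iface.c gets it, and an off_t-sized field in a structure shared between the two would then have two different layouts inside the same library, which is exactly the LFS inconsistency the changelog says this is meant to fix; `DEB_CPPFLAGS_MAINT_APPEND="-D_FILE_OFFSET_BITS=64"` puts it in CPPFLAGS, which dpkg-buildflags passes to C and C++ compilation alike and to the configure checks. Since the stated goal is to match clamav, the value also has to agree with what libclamav itself is built with, presumably because libclamav loads this library and hands it these structures. A related consequence: once off_t is 64-bit, the `%ld` in `unrar_dbgmsg("seek: %ld\n", file_header->next_offset)` in the unrar_iface.c hunk becomes a format/argument width mismatch on 32-bit architectures if next_offset is an off_t; passing `(long long)file_header->next_offset` with `%lld` keeps that debug line well-defined.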