On 2009/04/08 12:37, b...@openbsd.rutgers.edu wrote: > http://openbsd.rutgers.edu/4.4-stable/diffs/security,clamav-0.94.2p0.diff > > Sent to mbalmer@ earlier, but I suspect he's working on a proper update > to 0.95. > > This fixes the security issue by applying the patch found here: > > https://wwws.clamav.net/bugzilla/attachment.cgi?id=978 > > I have the resulting package in production on amd64 for nearly a week > under heavy load with no issues.
here's an evil update to 0.95. (note the nasty LIBTOOL= line...) Index: Makefile =================================================================== RCS file: /cvs/ports/security/clamav/Makefile,v retrieving revision 1.41 diff -N -u -p Makefile --- Makefile 13 Dec 2008 10:19:09 -0000 1.41 +++ Makefile 8 Apr 2009 16:47:25 -0000 @@ -1,11 +1,11 @@ # $OpenBSD: Makefile,v 1.41 2008/12/13 10:19:09 mbalmer Exp $ COMMENT= virus scanner -DISTNAME= clamav-0.94.2 +DISTNAME= clamav-0.95 CATEGORIES= security -SHARED_LIBS= clamav 10.0 \ - clamunrar 1.0 \ - clamunrar_iface 1.0 +SHARED_LIBS= clamav 11.0 \ + clamunrar 2.0 \ + clamunrar_iface 2.0 HOMEPAGE= http://www.clamav.net/ @@ -17,12 +17,11 @@ PERMIT_PACKAGE_FTP= Yes PERMIT_DISTFILES_CDROM= Yes PERMIT_DISTFILES_FTP= Yes -WANTLIB= c milter pthread wrap z +WANTLIB= c milter ncurses pthread z BUILD_DEPENDS= ::devel/check -LIB_DEPENDS= gmp.>=6::devel/gmp \ - bz2.>=10::archivers/bzip2 \ +LIB_DEPENDS= bz2.>=10::archivers/bzip2 \ iconv.>=4::converters/libiconv RUN_DEPENDS= :lha-*:archivers/lha \ @@ -31,9 +30,9 @@ RUN_DEPENDS= :lha-*:archivers/lha \ :unzip-*:archivers/unzip USE_LIBTOOL= Yes +LIBTOOL= ${WRKSRC}/libtool -MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=clamav/} \ - ${HOMEPAGE} +MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=clamav/} CONFIGURE_STYLE= gnu CONFIGURE_ARGS+= ${CONFIGURE_SHARED} @@ -49,7 +48,7 @@ CONFIGURE_ARGS+= --disable-clamav \ REGRESS_TARGET= check -CONFIGURE_ENV+= LDFLAGS="-pthread -L/usr/lib -L../libclamav/.libs -L${LOCALBASE}/lib" \ +CONFIGURE_ENV+= LDFLAGS="-pthread -L/usr/lib -L${WRKSRC}/libclamav/.libs -L${LOCALBASE}/lib" \ CPPFLAGS="-I/usr/include -I${LOCALBASE}/include" DOCS= clamav-mirror-howto.pdf clamdoc.pdf signatures.pdf 
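Review bot: In the `WANTLIB`/`LIB_DEPENDS` hunk, `wrap` and the `devel/gmp` dependency disappear without a comment, and both had a security role in the 0.94 port. As far as I recall, 0.94.x needed GMP to verify the digital signatures on virus databases, so it is worth confirming from the configure summary in the build log that 0.95 still verifies them without it. Losing libwrap presumably means any hosts.allow/hosts.deny rules written for clamav-milter stop applying after the upgrade, which deserves a line in the upgrade notes if confirmed. I would record both above `LIB_DEPENDS`, e.g. `# 0.95: gmp not needed for signature checks (confirm); milter no longer links libwrap`.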
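Review bot: `LIBTOOL= ${WRKSRC}/libtool` in the `USE_LIBTOOL` hunk is called nasty in the submission mail, but the Makefile itself gives no reason for it. With the distfile's own libtool, the versions declared in `SHARED_LIBS` presumably reach the build only through the `$(LIB*_LTVERSION)` substitutions patched into libclamav/Makefile.in, so a slip there would go unnoticed. A marker comment would help the next updater, e.g. `# XXX bundled libtool: <reason>; drop once the port builds with the ports libtool`. It would also be worth checking that the installed library versions match `SHARED_LIBS`.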
@@ -58,8 +57,8 @@ post-install: ${INSTALL_DATA_DIR} ${PREFIX}/share/doc/clamav \ ${PREFIX}/share/examples/clamav cd ${WRKSRC}/docs; ${INSTALL_DATA} ${DOCS} ${PREFIX}/share/doc/clamav - cd ${WRKSRC}/etc; ${INSTALL_DATA} clamd.conf \ - freshclam.conf ${PREFIX}/share/examples/clamav + cd ${WRKSRC}/etc; ${INSTALL_DATA} clamd.conf freshclam.conf \ + clamav-milter.conf ${PREFIX}/share/examples/clamav cd ${WRKSRC}/examples; ${INSTALL_DATA} ex1.c \ ${PREFIX}/share/examples/clamav Index: distinfo =================================================================== RCS file: /cvs/ports/security/clamav/distinfo,v retrieving revision 1.29 diff -N -u -p distinfo --- distinfo 13 Dec 2008 10:19:09 -0000 1.29 +++ distinfo 8 Apr 2009 16:47:25 -0000 @@ -1,5 +1,5 @@ -MD5 (clamav-0.94.2.tar.gz) = EYHm1iNBuEcI8SbMNT9+vw== -RMD160 (clamav-0.94.2.tar.gz) = rnXl9Ub5a3/Q923Pn0l37JW6Tbo= -SHA1 (clamav-0.94.2.tar.gz) = gjc9JduLg2/YiyQU30O7DHGSzO0= -SHA256 (clamav-0.94.2.tar.gz) = Gux/7P83WVjQZ6zuuXgtP/C+fBO+0O7PYkD7CJ+NJow= -SIZE (clamav-0.94.2.tar.gz) = 22107637 +MD5 (clamav-0.95.tar.gz) = mFkDhrqaaQOVgLG/SMoDiw== +RMD160 (clamav-0.95.tar.gz) = vSQx0S87t0Ciz1NdpL5RKqm6LBQ= +SHA1 (clamav-0.95.tar.gz) = hVC3ncam6aB4LuW9Apu9EH+eCFo= +SHA256 (clamav-0.95.tar.gz) = TxJuz9IAhsRS8lrrZ1eiAPaOh9qCqjlUJSBDXi99Mac= +SIZE (clamav-0.95.tar.gz) = 24104169 Index: patches/patch-clamav_milter-clamav_milter_c =================================================================== RCS file: /cvs/ports/security/clamav/patches/patch-clamav_milter-clamav_milter_c,v retrieving revision 1.11 diff -N -u -p patches/patch-clamav_milter-clamav_milter_c --- patches/patch-clamav_milter-clamav_milter_c 7 Nov 2008 22:33:06 -0000 1.11 +++ /dev/null 1 Nov 2007 14:18:14 -0000 
@@ -1,20 +0,0 @@ ---- clamav-milter/clamav-milter.c.orig Thu Oct 16 09:29:55 2008 -+++ clamav-milter/clamav-milter.c Fri Nov 7 02:29:18 2008 -@@ -1204,7 +1204,7 @@ main(int argc, char **argv) - * uid == 0 for that - */ - on = 1; -- if(setsockopt(broadcastSock, SOL_SOCKET, SO_BROADCAST, (int *)&on, sizeof(on)) < 0) { -+ if(setsockopt(broadcastSock, SOL_SOCKET, 0, (int *)&on, sizeof(on)) < 0) { - perror("setsockopt"); - return EX_UNAVAILABLE; - } -@@ -1227,7 +1227,7 @@ main(int argc, char **argv) - memset(&ifr, '\0', sizeof(struct ifreq)); - strncpy(ifr.ifr_name, iface, sizeof(ifr.ifr_name) - 1); - ifr.ifr_name[sizeof(ifr.ifr_name)-1]='\0'; -- if(setsockopt(broadcastSock, SOL_SOCKET, SO_BINDTODEVICE, &ifr, sizeof(ifr)) < 0) { -+ if(setsockopt(broadcastSock, SOL_SOCKET, 0, &ifr, sizeof(ifr)) < 0) { - perror(iface); - return EX_CONFIG; - } Index: patches/patch-clamd_Makefile_in =================================================================== RCS file: /cvs/ports/security/clamav/patches/patch-clamd_Makefile_in,v retrieving revision 1.9 diff -N -u -p patches/patch-clamd_Makefile_in --- patches/patch-clamd_Makefile_in 7 Nov 2008 22:33:06 -0000 1.9 +++ patches/patch-clamd_Makefile_in 8 Apr 2009 16:47:25 -0000 @@ -1,7 +1,7 @@ $OpenBSD: patch-clamd_Makefile_in,v 1.9 2008/11/07 22:33:06 sthen Exp $ ---- clamd/Makefile.in.orig Thu Oct 30 16:13:30 2008 -+++ clamd/Makefile.in Fri Nov 7 02:30:10 2008 -@@ -157,7 +157,9 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ +--- clamd/Makefile.in.orig Mon Mar 23 17:09:28 2009 ++++ clamd/Makefile.in Tue Mar 24 22:43:14 2009 +@@ -159,7 +159,9 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LCOV = @LCOV@ LD = @LD@ 
@@ -9,6 +9,6 @@ $OpenBSD: patch-clamd_Makefile_in,v 1.9 2008/11/07 22: +# Do not generate "LDFLAGS = -L/usr/local/lib" to build on systems that have +# have an older libclamav installed. +# LDFLAGS = @LDFLAGS@ - LIBBZ2 = @LIBBZ2@ - LIBBZ2_PREFIX = @LIBBZ2_PREFIX@ - LIBCLAMAV_LIBS = @LIBCLAMAV_LIBS@ + LIBADD_DL = @LIBADD_DL@ + LIBADD_DLD_LINK = @LIBADD_DLD_LINK@ + LIBADD_DLOPEN = @LIBADD_DLOPEN@ Index: patches/patch-database_Makefile_in =================================================================== RCS file: /cvs/ports/security/clamav/patches/patch-database_Makefile_in,v retrieving revision 1.4 diff -N -u -p patches/patch-database_Makefile_in --- patches/patch-database_Makefile_in 7 Nov 2008 22:33:06 -0000 1.4 +++ patches/patch-database_Makefile_in 8 Apr 2009 16:47:25 -0000 @@ -1,7 +1,7 @@ $OpenBSD: patch-database_Makefile_in,v 1.4 2008/11/07 22:33:06 sthen Exp $ ---- database/Makefile.in.orig Thu Oct 30 16:13:31 2008 -+++ database/Makefile.in Fri Nov 7 02:29:18 2008 -@@ -382,21 +382,7 @@ uninstall-am: +--- database/Makefile.in.orig Mon Mar 23 17:09:28 2009 ++++ database/Makefile.in Tue Mar 24 00:43:32 2009 +@@ -396,21 +396,7 @@ uninstall-am: install-data-local: Index: patches/patch-etc-clamd_conf =================================================================== RCS file: /cvs/ports/security/clamav/patches/patch-etc-clamd_conf,v retrieving revision 1.5 diff -N -u -p patches/patch-etc-clamd_conf --- patches/patch-etc-clamd_conf 14 Sep 2008 15:00:43 -0000 1.5 +++ patches/patch-etc-clamd_conf 8 Apr 2009 16:47:25 -0000 @@ -1,5 +1,5 @@ ---- etc/clamd.conf.orig Tue Sep 2 12:59:05 2008 -+++ etc/clamd.conf Fri Sep 5 02:32:34 2008 +--- etc/clamd.conf.orig Mon Mar 16 18:37:27 2009 ++++ etc/clamd.conf Tue Mar 24 00:43:32 2009 @@ -11,7 +11,7 @@ Example # LogFile must be writable for the user running daemon. # A full path is required. 
@@ -16,8 +16,8 @@ -#DatabaseDirectory /var/lib/clamav +#DatabaseDirectory /var/db/clamav - # The daemon works in a local OR a network mode. Due to security reasons we - # recommend the local mode. + # The daemon can work in local mode, network mode or both. + # Due to security reasons we recommend the local mode. @@ -147,7 +147,7 @@ LocalSocket /tmp/clamd.socket # Run as another user (clamd must be started by root for this option to work) Index: patches/patch-etc_Makefile_in =================================================================== RCS file: /cvs/ports/security/clamav/patches/patch-etc_Makefile_in,v retrieving revision 1.4 diff -N -u -p patches/patch-etc_Makefile_in --- patches/patch-etc_Makefile_in 7 Nov 2008 22:33:06 -0000 1.4 +++ patches/patch-etc_Makefile_in 8 Apr 2009 16:47:25 -0000 @@ -1,7 +1,7 @@ $OpenBSD: patch-etc_Makefile_in,v 1.4 2008/11/07 22:33:06 sthen Exp $ ---- etc/Makefile.in.orig Thu Oct 30 16:13:31 2008 -+++ etc/Makefile.in Fri Nov 7 02:29:18 2008 -@@ -381,11 +381,7 @@ uninstall-am: +--- etc/Makefile.in.orig Mon Mar 23 17:09:28 2009 ++++ etc/Makefile.in Tue Mar 24 09:18:51 2009 +@@ -395,13 +395,7 @@ uninstall-am: install-data-local: 
@@ -10,6 +10,8 @@ $OpenBSD: patch-etc_Makefile_in,v 1.4 2008/11/07 22:33 - $(INSTALL_DATA) $(srcdir)/clamd.conf $(DESTDIR)$(CFGINST) - @test -f $(DESTDIR)$(CFGINST)/freshclam.conf || \ - $(INSTALL_DATA) $(srcdir)/freshclam.conf $(DESTDIR)$(CFGINST) +...@build_clamd_true@@HAVE_MILTER_TRUE@ @test -f $(DESTDIR)$(CFGINST)/clamav-milter.conf || \ +...@build_clamd_true@@HAVE_MILTER_TRUE@ $(INSTALL_DATA) $(srcdir)/clamav-milter.conf $(DESTDIR)$(CFGINST) + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. Index: patches/patch-libclamav_Makefile_am =================================================================== RCS file: /cvs/ports/security/clamav/patches/patch-libclamav_Makefile_am,v retrieving revision 1.8 diff -N -u -p patches/patch-libclamav_Makefile_am --- patches/patch-libclamav_Makefile_am 7 Nov 2008 22:33:06 -0000 1.8 +++ /dev/null 1 Nov 2007 14:18:14 -0000 @@ -1,12 +0,0 @@ -$OpenBSD: patch-libclamav_Makefile_am,v 1.8 2008/11/07 22:33:06 sthen Exp $ ---- libclamav/Makefile.am.orig Tue Oct 7 09:19:25 2008 -+++ libclamav/Makefile.am Fri Nov 7 02:29:18 2008 -@@ -22,7 +22,7 @@ AM_CPPFLAGS = -I$(top_srcdir) -...@srcdir@/nsis -...@srcdi - - libclamav_la_LIBADD = lzma/liblzma.la @CLAMAV_UNRAR_LIBS@ @LIBCLAMAV_LIBS@ @THREAD_LIBS@ - --libclamav_la_LDFLAGS = @TH_SAFE@ -version-info @LIBCLAMAV_VERSION@ -no-undefined -+libclamav_la_LDFLAGS = @TH_SAFE@ $(LIBclamav_LTVERSION) -no-undefined - - if VERSIONSCRIPT - libclamav_la_LDFLAGS += -Wl,@VERSIONSCRIPTFLAG@,@top_srcdir@/libclamav/libclamav.map Index: patches/patch-libclamav_Makefile_in =================================================================== RCS file: /cvs/ports/security/clamav/patches/patch-libclamav_Makefile_in,v retrieving revision 1.9 diff -N -u -p patches/patch-libclamav_Makefile_in --- patches/patch-libclamav_Makefile_in 7 Nov 2008 22:33:06 -0000 1.9 +++ patches/patch-libclamav_Makefile_in 8 Apr 2009 16:47:25 -0000 
@@ -1,12 +1,30 @@ $OpenBSD: patch-libclamav_Makefile_in,v 1.9 2008/11/07 22:33:06 sthen Exp $ ---- libclamav/Makefile.in.orig Thu Oct 30 16:13:31 2008 -+++ libclamav/Makefile.in Fri Nov 7 02:31:12 2008 -@@ -283,7 +283,7 @@ top_srcdir = @top_srcdir@ - SUBDIRS = lzma . - AM_CPPFLAGS = -I$(top_srcdir) -...@srcdir@/nsis -...@srcdir@/lzma - libclamav_la_LIBADD = lzma/liblzma.la @CLAMAV_UNRAR_LIBS@ @LIBCLAMAV_LIBS@ @THREAD_LIBS@ +--- libclamav/Makefile.in.orig Mon Mar 23 17:09:29 2009 ++++ libclamav/Makefile.in Tue Mar 24 22:52:35 2009 +@@ -401,7 +401,7 @@ EXTRA_DIST = $(am__append_4) regex/engine.c libclamav. + jsparse/generated/operators.h jsparse/generated/keywords.h \ + jsparse/future_reserved_words.list jsparse/keywords.list \ + jsparse/special_keywords.list jsparse/operators.gperf +...@enable_unrar_true@libclamunrar_la_LDFLAGS = @TH_SAFE@ -version-info \ +...@enable_unrar_true@libclamunrar_la_LDFLAGS = @TH_SAFE@ $(LIBclamunrar_LTVERSION) \ + @ENABLE_UNRAR_TRUE@ @LIBCLAMAV_VERSION@ -no-undefined \ + @ENABLE_UNRAR_TRUE@ $(am__append_2) + @enable_unrar_t...@libclamunrar_la_sources = \ +@@ -425,7 +425,7 @@ EXTRA_DIST = $(am__append_4) regex/engine.c libclamav. 
+ + @enable_unrar_t...@libclamunrar_iface_la_libadd = libclamunrar.la + @enable_unrar_t...@libclamunrar_iface_la_ldflags = -module @TH_SAFE@ \ +...@enable_unrar_true@ -version-info @LIBCLAMAV_VERSION@ \ +...@enable_unrar_true@ $(LIBclamunrar_iface_LTVERSION) @LIBCLAMAV_VERSION@ \ + @ENABLE_UNRAR_TRUE@ -no-undefined $(am__append_5) + @enable_unrar_t...@libclamunrar_iface_la_sources = \ + @ENABLE_UNRAR_TRUE@ ../libclamunrar_iface/unrar_iface.c \ +@@ -473,7 +473,7 @@ libclamav_internal_utils_nothreads_la_LDFLAGS = -stati + libclamav_internal_utils_nothreads_la_CFLAGS = -DCL_NOTHREADS + libclamav_la_LIBADD = @LIBLTDL@ $(IFACELIBADD) lzma/liblzma.la libclamav_internal_utils.la @LIBCLAMAV_LIBS@ @THREAD_LIBS@ + libclamav_la_DEPENDENCIES = @LTDLDEPS@ $(IFACEDEP) libclamav_internal_utils.la -libclamav_la_LDFLAGS = @TH_SAFE@ -version-info @LIBCLAMAV_VERSION@ \ +libclamav_la_LDFLAGS = @TH_SAFE@ $(LIBclamav_LTVERSION) @LIBCLAMAV_VERSION@ \ - -no-undefined $(am__append_1) + -no-undefined $(am__append_6) include_HEADERS = clamav.h - libclamav_la_SOURCES = \ + libclamav_la_SOURCES = clamav.h matcher-ac.c matcher-ac.h matcher-bm.c \ Index: patches/patch-libclamav_mbox_c =================================================================== RCS file: /cvs/ports/security/clamav/patches/patch-libclamav_mbox_c,v retrieving revision 1.6 diff -N -u -p patches/patch-libclamav_mbox_c --- patches/patch-libclamav_mbox_c 16 Apr 2008 19:46:02 -0000 1.6 +++ patches/patch-libclamav_mbox_c 8 Apr 2009 16:47:25 -0000 
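Review bot: The regenerated libclamav/Makefile.in patch swaps only the `-version-info` token for `$(LIB*_LTVERSION)` and leaves `@LIBCLAMAV_VERSION@` in place on all three LDFLAGS definitions (libclamunrar, libclamunrar_iface and libclamav). The Makefile.am patch removed by this same diff replaced the whole `-version-info @LIBCLAMAV_VERSION@` pair, so the two approaches disagree. Whether the leftover upstream version triple is harmless depends on what `$(LIB*_LTVERSION)` expands to under the bundled libtool, which the page does not show. Unless it is intentional I would drop the leftover token, e.g. `libclamav_la_LDFLAGS = @TH_SAFE@ $(LIBclamav_LTVERSION) \`, and likewise on the two unrar lines. The patched Makefile.in continues outside the hunk.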
@@ -1,7 +1,7 @@ ---- libclamav/mbox.c.orig Wed Apr 9 17:29:28 2008 -+++ libclamav/mbox.c Mon Apr 14 18:41:12 2008 -@@ -32,11 +32,6 @@ static char const rcsid[] = "$Id: mbox.c,v 1.381 2007/ - #define NDEBUG /* map CLAMAV debug onto standard */ +--- libclamav/mbox.c.orig Mon Mar 23 12:48:33 2009 ++++ libclamav/mbox.c Tue Mar 24 00:43:32 2009 +@@ -28,11 +28,6 @@ static char const rcsid[] = "$Id: mbox.c,v 1.381 2007/ + #include "clamav-config.h" #endif -#ifdef CL_THREAD_SAFE Index: patches/patch-libclamav_str_c =================================================================== RCS file: /cvs/ports/security/clamav/patches/patch-libclamav_str_c,v retrieving revision 1.5 diff -N -u -p patches/patch-libclamav_str_c --- patches/patch-libclamav_str_c 7 Nov 2008 22:33:06 -0000 1.5 +++ patches/patch-libclamav_str_c 8 Apr 2009 16:47:25 -0000 @@ -1,7 +1,7 @@ $OpenBSD: patch-libclamav_str_c,v 1.5 2008/11/07 22:33:06 sthen Exp $ ---- libclamav/str.c.orig Thu Oct 16 09:29:55 2008 -+++ libclamav/str.c Fri Nov 7 02:29:18 2008 -@@ -152,9 +152,9 @@ char *cli_hex2str(const char *hex) +--- libclamav/str.c.orig Mon Mar 16 18:37:27 2009 ++++ libclamav/str.c Tue Mar 24 00:43:32 2009 +@@ -166,9 +166,9 @@ int cli_hex2str_to(const char *hex, unsigned char *ptr for(i = 0; i < len; i += 2) { if((c = cli_hex2int(hex[i])) >= 0) { @@ -11,5 +11,5 @@ $OpenBSD: patch-libclamav_str_c,v 1.5 2008/11/07 22:33 - val = (val << 4) + c; + val = (val << 4) + (char)c; } else { - free(str); - return NULL; + return -1; + } Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/security/clamav/pkg/PLIST,v retrieving revision 1.11 diff -N -u -p pkg/PLIST --- pkg/PLIST 8 Jul 2008 22:38:12 -0000 1.11 +++ pkg/PLIST 8 Apr 2009 16:47:25 -0000 @@ -4,6 +4,7 @@ bin/clamav-config @bin bin/clamconf @bin bin/clamdscan +...@bin bin/clamdtop @bin bin/clamscan @bin bin/freshclam @bin bin/sigtool 
@@ -18,6 +19,7 @@ lib/pkgconfig/ lib/pkgconfig/libclamav.pc @man man/man1/clamconf.1 @man man/man1/clamdscan.1 +...@man man/man1/clamdtop.1 @man man/man1/clamscan.1 @man man/man1/freshclam.1 @man man/man1/sigtool.1 @@ -32,11 +34,8 @@ share/doc/clamav/clamav-mirror-howto.pdf share/doc/clamav/clamdoc.pdf share/doc/clamav/signatures.pdf share/examples/clamav/ -share/examples/clamav/clamd.conf -...@sample ${SYSCONFDIR}/clamd.conf -share/examples/clamav/ex1.c -share/examples/clamav/freshclam.conf -...@sample ${SYSCONFDIR}/freshclam.conf +share/examples/clamav/clamav-milter.conf +...@sample ${SYSCONFDIR}/clamav-milter.conf %%SHARED%% @owner _clamav @group _clamav @@ -49,3 +48,11 @@ share/examples/clamav/freshclam.conf @extraunexec rm -fr /var/db/clamav/* @extraunexec rm -fr /var/spool/clamav/* @extraunexec rm -fr /var/clamav/* +...@mode +...@owner +...@group +share/examples/clamav/clamd.conf +...@sample ${SYSCONFDIR}/clamd.conf +share/examples/clamav/ex1.c +share/examples/clamav/freshclam.conf +...@sample ${SYSCONFDIR}/freshclam.conf
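Review bot: The last PLIST hunk moves the `clamd.conf` and `freshclam.conf` `@sample` entries to the very end of the list, after the `_clamav`-owned section and the `@extraunexec` lines. There they depend on what appear to be bare `@mode`/`@owner`/`@group` resets just above them (the archive has mangled the markers). If those resets were ever dropped or reordered, the configuration files would presumably be installed owned by `_clamav`, letting the scanner account rewrite its own configuration. Keeping the entries next to `share/examples/clamav/clamav-milter.conf`, ahead of `@owner _clamav`, avoids that dependency: `share/examples/clamav/clamd.conf` followed by `@sample ${SYSCONFDIR}/clamd.conf`, and the same for `freshclam.conf` and `ex1.c`.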