GNU bug report logs - #55437
[PATCH] gnu: clamav: Update to 0.103.6 [fixes CVE-2022-{20803,20770,20796,20771,20785,20792}].


Package: guix-patches;

Reported by: kiasoc5 <at> disroot.org

Date: Sun, 15 May 2022 22:17:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#55437; Package guix-patches. (Sun, 15 May 2022 22:17:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to kiasoc5 <at> disroot.org:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 15 May 2022 22:17:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: kiasoc5 <at> disroot.org
To: guix-patches <at> gnu.org
Subject: [PATCH] gnu: clamav: Update to 0.103.6 [fixes
 CVE-2022-{20803,20770,20796,20771,20785,20792}].
Date: Sun, 15 May 2022 20:12:37 +0000
This patch updates clamav to the latest LTS version.
Per the release notes [1], a future update of clamav to 0.105+ will take some effort:

1. 0.105+ needs Rust 1.57+ to build.
2. The build should switch from tarball to git to avoid vendored crates.
3. 0.105+ works with llvm 8-12 (no more llvm 3.7).

I suggest we keep clamav on the LTS version until we update Rust.

PS: As you can see from the email address, I am migrating from Tutanota to Disroot.

[1] https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html#more
[0001-gnu-clamav-Update-to-0.103.6-fixes-CVE-2022-20803-20.patch (application/octet-stream, attachment)]

Information forwarded to guix-patches <at> gnu.org:
bug#55437; Package guix-patches. (Mon, 16 May 2022 15:26:01 GMT) Full text and rfc822 format available.

Message #8 received at 55437 <at> debbugs.gnu.org (full text, mbox):

From: kiasoc5 <at> disroot.org
To: 55437 <at> debbugs.gnu.org
Subject: re: [PATCH] gnu: clamav: Update to 0.103.6 [fixes
 CVE-2022-{20803,20770,20796,20771,20785,20792}].
Date: Mon, 16 May 2022 14:59:33 +0000
Mumi is not showing the patch, sending it inline.

From c453008d05f4bc897eecd6f2545ff8047dc4e1fd Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5 <at> disroot.org>
Date: Sun, 15 May 2022 03:37:58 -0400
Subject: [PATCH] gnu: clamav: Update to 0.103.6 [fixes
CVE-2022-{20803,20770,20796,20771,20785,20792}].

* gnu/packages/antivirus.scm (clamav): Update to 0.103.6.
---
gnu/packages/antivirus.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/antivirus.scm b/gnu/packages/antivirus.scm
index 80126a5b59..4a5f995e42 100644
--- a/gnu/packages/antivirus.scm
+++ b/gnu/packages/antivirus.scm
@@ -44,14 +44,14 @@ (define-module (gnu packages antivirus)
(define-public clamav
(package
(name "clamav")
- (version "0.103.3")
+ (version "0.103.6")
(source (origin
(method url-fetch)
(uri (string-append "https://www.clamav.net/downloads/production/"
"clamav-" version ".tar.gz"))
(sha256
(base32
- "1sba4zccgwjqk29b5qkgfc9gm794hmk6j7bpj8wilgcz8hc3svlz"))
+ "0cxsv5m9pqxxb56qd7hlj11pwmdgm07s3msh3hxk47czq4yjx8da"))
(modules '((guix build utils)))
(snippet
'(begin
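Review bot: The replacement `base32` string under `sha256` is the only thing pinning the tarball that `url-fetch` pulls from `https://www.clamav.net/downloads/production/`, and neither the commit message nor the cover mail says how it was obtained. For a security update, please state that the tarball was checked against upstream's release signature before hashing, or that the hash was reproduced independently with `guix download`, so the reviewer is not trusting a string computed from whatever the download returned. The version also moves from 0.103.3 straight to 0.103.6, so it is worth confirming that the `snippet` that follows still matches the layout of the new tree.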
-- 
2.36.1




Information forwarded to guix-patches <at> gnu.org:
bug#55437; Package guix-patches. (Wed, 18 May 2022 04:38:01 GMT) Full text and rfc822 format available.

Message #11 received at 55437 <at> debbugs.gnu.org (full text, mbox):

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: kiasoc5 <at> disroot.org
Cc: 55437 <at> debbugs.gnu.org
Subject: Re: bug#55437: [PATCH] gnu: clamav: Update to 0.103.6 [fixes
 CVE-2022-{20803,20770,20796,20771,20785,20792}].
Date: Wed, 18 May 2022 00:37:01 -0400
Hi,

kiasoc5 <at> disroot.org writes:

> This patch updates clamav to the latest LTS version.
> Per the release notes [1], a future update of clamav to 0.105+ will take some effort:
>
> 1. 0.105+ needs Rust 1.57+ to build.
> 2. The build should switch from tarball to git to avoid vendored crates.
> 3. 0.105+ works with llvm 8-12 (no more llvm 3.7).
>
> I suggest we keep clamav on the LTS version until we update Rust.

Sounds like a fine plan.

> PS: As you can see from the email address, I am migrating from Tutanota to Disroot.
>
> [1] https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html#more

I see the following guix lint warnings:

--8<---------------cut here---------------start------------->8---
clamav <at> 0.103.6: label 'libcurl' does not match package name 'curl'
clamav <at> 0.103.6: label 'libjson' does not match package name 'json-c'
clamav <at> 0.103.6: label 'openssl' does not match package name 'libressl'
clamav <at> 0.103.6: label 'sasl' does not match package name 'cyrus-sasl'
clamav <at> 0.103.6: label 'xml' does not match package name 'libxml2'
clamav <at> 0.103.6: updater 'generic-html' failed to find upstream releases
--8<---------------cut here---------------end--------------->8---

I'm not sure about the last one, but the other ones could be fixed
simply by updating to the new style (list input1 input2 ...) instead of
`(("input1" ,input1) ("input2" ,input2) ...).

Would you mind updating the patch with such changes?

Thanks!

Maxim




Information forwarded to guix-patches <at> gnu.org:
bug#55437; Package guix-patches. (Thu, 19 May 2022 03:06:02 GMT) Full text and rfc822 format available.

Message #14 received at 55437 <at> debbugs.gnu.org (full text, mbox):

From: kiasoc5 <at> disroot.org
To: "Maxim Cournoyer" <maxim.cournoyer <at> gmail.com>
Cc: 55437 <at> debbugs.gnu.org
Subject: Re: bug#55437: [PATCH] gnu: clamav: Update to 0.103.6 [fixes
 CVE-2022-{20803,20770,20796,20771,20785,20792}].
Date: Thu, 19 May 2022 03:05:08 +0000
From 151cbfbefd039ce28d38109493bf8b49f19a2edc Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5 <at> disroot.org>
Date: Wed, 18 May 2022 22:51:14 -0400
Subject: [PATCH 2/2] gnu: clamav: Use new style and G-expressions.

* gnu/packages/antivirus.scm (clamav)[source]: Remove trailing #t from snippet.
[inputs]: Use new input style.
[arguments]: Use G-expressions. Remove trailing #t from phases
[configure-flags]: Adjust to new input style.
---
 gnu/packages/antivirus.scm | 128 ++++++++++++++++++-------------------
 1 file changed, 64 insertions(+), 64 deletions(-)

diff --git a/gnu/packages/antivirus.scm b/gnu/packages/antivirus.scm
index 4a5f995e42..cda3fc942b 100644
--- a/gnu/packages/antivirus.scm
+++ b/gnu/packages/antivirus.scm
@@ -21,6 +21,7 @@
 (define-module (gnu packages antivirus)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix build-system gnu)
+  #:use-module (guix gexp)
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix utils)
@@ -59,8 +60,7 @@ (define-public clamav
                             '("win32"                  ; unnecessary
                               "libclamav/c++/llvm"     ; use system llvm
                               "libclamav/tomsfastmath" ; use system tomsfastmath
-                              "libclamunrar"))         ; non-free license
-                  #t))
+                              "libclamunrar"))))       ; non-free license
               (patches
                (search-patches "clamav-system-tomsfastmath.patch"
                                "clamav-config-llvm-libs.patch"))))
@@ -72,70 +72,70 @@ (define-public clamav
            libtool
            pkg-config))
     (inputs
-     `(("bzip2" ,bzip2)
-       ("libcurl" ,curl)
-       ("libjson" ,json-c)
-       ("libltdl" ,libltdl)
-       ("libmspack" ,libmspack)
-       ("llvm" ,llvm-3.6)               ; requires <3.7, for JIT/verifier
-       ("ncurses" ,ncurses)
-       ("openssl" ,libressl)
-       ("pcre2" ,pcre2)
-       ("sasl" ,cyrus-sasl)             ; for linking curl with libtool
-       ("tomsfastmath" ,tomsfastmath)
-       ("xml" ,libxml2)
-       ("zlib" ,zlib)))
+      (list bzip2
+            curl
+            json-c
+            libltdl
+            libmspack
+            llvm-3.6               ; requires <3.7, for JIT/verifier
+            ncurses
+            libressl
+            pcre2
+            cyrus-sasl             ; for linking curl with libtool
+            tomsfastmath
+            libxml2
+            zlib))
     (arguments
-     `(#:configure-flags
-       (let-syntax ((with (syntax-rules ()
-                            ((_ name)
+      (list #:configure-flags
+            #~(let-syntax ((with (syntax-rules ()
+                            ((_ name use)
                              (string-append "--with-" name "="
-                                            (assoc-ref %build-inputs name))))))
-         (list "--disable-unrar"
-               "--enable-llvm"
-               "--with-system-llvm"
-               "--with-system-libmspack"
-               "--without-included-ltdl"
-               (with "xml")
-               (with "openssl")
-               (with "libjson")
-               (with "pcre2")
-               (with "zlib")
-               (with "libcurl")
-               ;; For sanity, specifying --enable-* flags turns
-               ;; "support unavailable" warnings into errors.
-               "--enable-bzip2"
-               "--enable-check"
-               "--sysconfdir=/etc/clamav"
-               ;; Default database directory needs to be writeable
-               "--with-dbdir=/var/db/clamav"))
-       ;; install sample .conf files to %output/etc rather than /etc/clamav
-       #:make-flags (list (string-append "sysconfdir=" %output "/etc"))
-       #:phases (modify-phases %standard-phases
-                  ;; Regenerate configure script.  Without this we don't get
-                  ;; the correct value for LLVM linker variables.
-                  (add-after 'unpack 'reconf
-                    (lambda _ (invoke "autoreconf" "-vfi")))
-                  (add-before 'configure 'patch-llvm-config
-                    (lambda _
-                      (substitute* '("libclamav/c++/detect.cpp"
-                                     "libclamav/c++/ClamBCRTChecks.cpp"
-                                     "libclamav/c++/bytecode2llvm.cpp")
-                        (("llvm/Config/config.h") "llvm/Config/llvm-config.h"))
-                      ;; `llvm-config --libfiles` inappropriately lists lib*.a
-                      ;; libraries, rather than the lib*.so's that our llvm
-                      ;; contains.  They're used only for listing extra build
-                      ;; dependencies, so ignore them until that's fixed.
-                      (substitute* "libclamav/c++/Makefile.in"
-                        (("@LLVMCONFIG_LIBFILES@") ""))
-                      #t))
-                  (add-before 'check 'skip-clamd-tests
-                    ;; XXX: The check?_clamd tests fail inside the build
-                    ;; chroot, but pass outside.
-                    (lambda _
-                      (substitute* "unit_tests/Makefile"
-                        (("check2_clamd.sh.*check4_clamd.sh") ""))
-                      #t)))))
+                                            (assoc-ref %build-inputs use))))))
+              (list "--disable-unrar"
+                    "--enable-llvm"
+                    "--with-system-llvm"
+                    "--with-system-libmspack"
+                    "--without-included-ltdl"
+                    (with "xml" "libxml2")
+                    (with "openssl" "libressl")
+                    (with "libjson" "json-c")
+                    (with "pcre2" "pcre2")
+                    (with "zlib" "zlib")
+                    (with "libcurl" "curl")
+                    ;; For sanity, specifying --enable-* flags turns
+                    ;; "support unavailable" warnings into errors.
+                    "--enable-bzip2"
+                    "--enable-check"
+                    "--sysconfdir=/etc/clamav"
+                    ;; Default database directory needs to be writeable
+                    "--with-dbdir=/var/db/clamav"))
+            ;; install sample .conf files to %output/etc rather than /etc/clamav
+            #:make-flags
+            #~(list (string-append "sysconfdir=" %output "/etc"))
+            #:phases
+            #~(modify-phases %standard-phases
+                ;; Regenerate configure script.  Without this we don't get
+                ;; the correct value for LLVM linker variables.
+                (add-after 'unpack 'reconf
+                  (lambda _ (invoke "autoreconf" "-vfi")))
+                (add-before 'configure 'patch-llvm-config
+                  (lambda _
+                    (substitute* '("libclamav/c++/detect.cpp"
+                                   "libclamav/c++/ClamBCRTChecks.cpp"
+                                   "libclamav/c++/bytecode2llvm.cpp")
+                      (("llvm/Config/config.h") "llvm/Config/llvm-config.h"))
+                    ;; `llvm-config --libfiles` inappropriately lists lib*.a
+                    ;; libraries, rather than the lib*.so's that our llvm
+                    ;; contains.  They're used only for listing extra build
+                    ;; dependencies, so ignore them until that's fixed.
+                    (substitute* "libclamav/c++/Makefile.in"
+                      (("@LLVMCONFIG_LIBFILES@") ""))))
+                (add-before 'check 'skip-clamd-tests
+                  ;; XXX: The check?_clamd tests fail inside the build
+                  ;; chroot, but pass outside.
+                  (lambda _
+                    (substitute* "unit_tests/Makefile"
+                      (("check2_clamd.sh.*check4_clamd.sh") "")))))))
     (home-page "https://www.clamav.net")
     (synopsis "Antivirus engine")
     (description
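Review bot: In the `#:configure-flags` G-expression the `with` macro still resolves paths through `(assoc-ref %build-inputs use)`, and `#:make-flags` still uses `%output`; both are the old-style build-side variables, and the string lookup only works while the second argument happens to equal the label that the new `(list ...)` inputs generate, as in `(with "openssl" "libressl")`. A mismatch yields `#f` and fails inside `string-append` at build time. Since these fields are now gexps, consider `#$(this-package-input "libressl")` and `#$output` instead, which are resolved when the package is lowered. Style: `(list bzip2 ...)` under `inputs` and `(list #:configure-flags ...)` under `arguments` are indented one column deeper than the neighbouring fields, and the `((_ name use)` and `(string-append "--with-" name "="` lines were not re-indented under the moved `syntax-rules`.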
-- 
2.36.1




Reply sent to Ludovic Courtès <ludo <at> gnu.org>:
You have taken responsibility. (Fri, 20 May 2022 22:02:02 GMT) Full text and rfc822 format available.

Notification sent to kiasoc5 <at> disroot.org:
bug acknowledged by developer. (Fri, 20 May 2022 22:02:02 GMT) Full text and rfc822 format available.

Message #19 received at 55437-done <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: kiasoc5 <at> disroot.org
Cc: 55437-done <at> debbugs.gnu.org
Subject: Re: bug#55437: [PATCH] gnu: clamav: Update to 0.103.6 [fixes
 CVE-2022-{20803,20770,20796,20771,20785,20792}].
Date: Sat, 21 May 2022 00:01:34 +0200
Hi,

kiasoc5 <at> disroot.org skribis:

> From c453008d05f4bc897eecd6f2545ff8047dc4e1fd Mon Sep 17 00:00:00 2001
> From: kiasoc5 <kiasoc5 <at> disroot.org>
> Date: Sun, 15 May 2022 03:37:58 -0400
> Subject: [PATCH] gnu: clamav: Update to 0.103.6 [fixes
>  CVE-2022-{20803,20770,20796,20771,20785,20792}].
>
> * gnu/packages/antivirus.scm (clamav): Update to 0.103.6.

[...]

> From 151cbfbefd039ce28d38109493bf8b49f19a2edc Mon Sep 17 00:00:00 2001
> From: kiasoc5 <kiasoc5 <at> disroot.org>
> Date: Wed, 18 May 2022 22:51:14 -0400
> Subject: [PATCH 2/2] gnu: clamav: Use new style and G-expressions.
>
> * gnu/packages/antivirus.scm (clamav)[source]: Remove trailing #t from snippet.
> [inputs]: Use new input style.
> [arguments]: Use G-expressions. Remove trailing #t from phases
> [configure-flags]: Adjust to new input style.

Applied, thanks!

Ludo’.




Information forwarded to guix-patches <at> gnu.org:
bug#55437; Package guix-patches. (Tue, 31 May 2022 21:07:02 GMT) Full text and rfc822 format available.

Message #22 received at 55437 <at> debbugs.gnu.org (full text, mbox):

From: Jonathan Brielmaier <jonathan.brielmaier <at> web.de>
To: 55437 <at> debbugs.gnu.org
Subject: [PATCH] gnu: clamav: Update to 0.103.6 [fixes
 CVE-2022-{20803,20770,20796,20771,20785,20792}].
Date: Tue, 31 May 2022 23:06:18 +0200
Hm, our rust is already at 1.57.0. So this requirement shouldn't be a
problem.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 29 Jun 2022 11:24:06 GMT) Full text and rfc822 format available.

This bug report was last modified 1 year and 274 days ago.
