[PATCH] gnu: clamav: Update to 0.103.6 [fixes CVE-2022-{20803,20770,20796,20771,20785,20792}].

kiasoc5 wrote on 15 May 2022 22:12

Recipients:(address . guix-patches@gnu.org)

Message-ID:f457d17cc9f404831f2b33869effb8d0661d2504@disroot.org

This patch updates clamav to the latest LTS version.

Per the release notes [1], a future update of clamav to 0.105+ will take some effort:

1. 0.105+ needs Rust 1.57+ to build.

2. The build should switch from tarball to git to avoid vendored crates.

3. 0.105+ works with llvm 8-12 (no more llvm 3.7).

I suggest we keep clamav on the LTS version until we update Rust.

PS: As you can see from the email address, I am migrating from Tutanota to Disroot.

[1] https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html#more

Attachment: 0001-gnu-clamav-Update-to-0.103.6-fixes-CVE-2022-20803-20.patch

kiasoc5 wrote on 16 May 2022 16:59

Recipients:(address . 55437@debbugs.gnu.org)

Message-ID:27a9400c19672948e7e9624f547d05cd23738344@disroot.org

Mumi is not showing the patch, sending it inline.

From c453008d05f4bc897eecd6f2545ff8047dc4e1fd Mon Sep 17 00:00:00 2001

CVE-2022-{20803,20770,20796,20771,20785,20792}].

* gnu/packages/antivirus.scm (clamav): Update to 0.103.6.

---

gnu/packages/antivirus.scm | 4 ++--

1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (23 lines)diff --git a/gnu/packages/antivirus.scm b/gnu/packages/antivirus.scm
index 80126a5b59..4a5f995e42 100644
--- a/gnu/packages/antivirus.scm
+++ b/gnu/packages/antivirus.scm
@@ -44,14 +44,14 @@ (define-module (gnu packages antivirus)
(define-public clamav
(package
(name "clamav")
- (version "0.103.3")
+ (version "0.103.6")
(source (origin
(method url-fetch)
(uri (string-append "https://www.clamav.net/downloads/production/"
"clamav-" version ".tar.gz"))
(sha256
(base32
- "1sba4zccgwjqk29b5qkgfc9gm794hmk6j7bpj8wilgcz8hc3svlz"))
+ "0cxsv5m9pqxxb56qd7hlj11pwmdgm07s3msh3hxk47czq4yjx8da"))
(modules '((guix build utils)))
(snippet
'(begin
-- 
2.36.1

Maxim Cournoyer wrote on 18 May 2022 06:37

Re: bug#55437: [PATCH] gnu: clamav: Update to 0.103.6 [fixes CVE-2022-{20803,20770,20796,20771,20785,20792}].

Recipients:(address . kiasoc5@disroot.org)(address . 55437@debbugs.gnu.org)

Message-ID:87mtff1moi.fsf_-_@gmail.com

Hi,

kiasoc5@disroot.org writes:

Toggle quote (9 lines)

> This patch updates clamav to the latest LTS version.

> Per the release notes [1], a future update of clamav to 0.105+ will take some effort:

> 1. 0.105+ needs Rust 1.57+ to build.

> 2. The build should switch from tarball to git to avoid vendored crates.

> 3. 0.105+ works with llvm 8-12 (no more llvm 3.7).

> I suggest we keep clamav on the LTS version until we update Rust.

Sounds like a fine plan.

Toggle quote (4 lines)

> PS: As you can see from the email address, I am migrating from Tutanota to Disroot.

> [1] https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html#more

I see the following guix lint warnings:

Toggle snippet (8 lines)

clamav@0.103.6: label 'libcurl' does not match package name 'curl'

clamav@0.103.6: label 'libjson' does not match package name 'json-c'

clamav@0.103.6: label 'openssl' does not match package name 'libressl'

clamav@0.103.6: label 'sasl' does not match package name 'cyrus-sasl'

clamav@0.103.6: label 'xml' does not match package name 'libxml2'

clamav@0.103.6: updater 'generic-html' failed to find upstream releases

I'm not sure about the last one, but the other ones could be fixed

simply by updating to the new style (list input1 input2 ...) instead of

`(("input1" ,input1) ("input2" ,input2) ...).

Would you mind updating the patch with such changes?

Thanks!

Maxim

kiasoc5 wrote on 19 May 2022 05:05

Recipients:(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 55437@debbugs.gnu.org)

Message-ID:5a8edd0b540303d9ebd42880ad38d249d74a5457@disroot.org

From 151cbfbefd039ce28d38109493bf8b49f19a2edc Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@disroot.org>
Date: Wed, 18 May 2022 22:51:14 -0400
Subject: [PATCH 2/2] gnu: clamav: Use new style and G-expressions.

* gnu/packages/antivirus.scm (clamav)[source]: Remove trailing #t from snippet.
[inputs]: Use new input style.
[arguments]: Use G-expressions. Remove trailing #t from phases
[configure-flags]: Adjust to new input style.
---
 gnu/packages/antivirus.scm | 128 ++++++++++++++++++-------------------
 1 file changed, 64 insertions(+), 64 deletions(-)

Toggle diff (157 lines)diff --git a/gnu/packages/antivirus.scm b/gnu/packages/antivirus.scm
index 4a5f995e42..cda3fc942b 100644
--- a/gnu/packages/antivirus.scm
+++ b/gnu/packages/antivirus.scm
@@ -21,6 +21,7 @@
 (define-module (gnu packages antivirus)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix build-system gnu)
+  #:use-module (guix gexp)
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix utils)
@@ -59,8 +60,7 @@ (define-public clamav
                             '("win32"                  ; unnecessary
                               "libclamav/c++/llvm"     ; use system llvm
                               "libclamav/tomsfastmath" ; use system tomsfastmath
-                              "libclamunrar"))         ; non-free license
-                  #t))
+                              "libclamunrar"))))       ; non-free license
               (patches
                (search-patches "clamav-system-tomsfastmath.patch"
                                "clamav-config-llvm-libs.patch"))))
@@ -72,70 +72,70 @@ (define-public clamav
            libtool
            pkg-config))
     (inputs
-     `(("bzip2" ,bzip2)
-       ("libcurl" ,curl)
-       ("libjson" ,json-c)
-       ("libltdl" ,libltdl)
-       ("libmspack" ,libmspack)
-       ("llvm" ,llvm-3.6)               ; requires <3.7, for JIT/verifier
-       ("ncurses" ,ncurses)
-       ("openssl" ,libressl)
-       ("pcre2" ,pcre2)
-       ("sasl" ,cyrus-sasl)             ; for linking curl with libtool
-       ("tomsfastmath" ,tomsfastmath)
-       ("xml" ,libxml2)
-       ("zlib" ,zlib)))
+      (list bzip2
+            curl
+            json-c
+            libltdl
+            libmspack
+            llvm-3.6               ; requires <3.7, for JIT/verifier
+            ncurses
+            libressl
+            pcre2
+            cyrus-sasl             ; for linking curl with libtool
+            tomsfastmath
+            libxml2
+            zlib))
     (arguments
-     `(#:configure-flags
-       (let-syntax ((with (syntax-rules ()
-                            ((_ name)
+      (list #:configure-flags
+            #~(let-syntax ((with (syntax-rules ()
+                            ((_ name use)
                              (string-append "--with-" name "="
-                                            (assoc-ref %build-inputs name))))))
-         (list "--disable-unrar"
-               "--enable-llvm"
-               "--with-system-llvm"
-               "--with-system-libmspack"
-               "--without-included-ltdl"
-               (with "xml")
-               (with "openssl")
-               (with "libjson")
-               (with "pcre2")
-               (with "zlib")
-               (with "libcurl")
-               ;; For sanity, specifying --enable-* flags turns
-               ;; "support unavailable" warnings into errors.
-               "--enable-bzip2"
-               "--enable-check"
-               "--sysconfdir=/etc/clamav"
-               ;; Default database directory needs to be writeable
-               "--with-dbdir=/var/db/clamav"))
-       ;; install sample .conf files to %output/etc rather than /etc/clamav
-       #:make-flags (list (string-append "sysconfdir=" %output "/etc"))
-       #:phases (modify-phases %standard-phases
-                  ;; Regenerate configure script.  Without this we don't get
-                  ;; the correct value for LLVM linker variables.
-                  (add-after 'unpack 'reconf
-                    (lambda _ (invoke "autoreconf" "-vfi")))
-                  (add-before 'configure 'patch-llvm-config
-                    (lambda _
-                      (substitute* '("libclamav/c++/detect.cpp"
-                                     "libclamav/c++/ClamBCRTChecks.cpp"
-                                     "libclamav/c++/bytecode2llvm.cpp")
-                        (("llvm/Config/config.h") "llvm/Config/llvm-config.h"))
-                      ;; `llvm-config --libfiles` inappropriately lists lib*.a
-                      ;; libraries, rather than the lib*.so's that our llvm
-                      ;; contains.  They're used only for listing extra build
-                      ;; dependencies, so ignore them until that's fixed.
-                      (substitute* "libclamav/c++/Makefile.in"
-                        (("@LLVMCONFIG_LIBFILES@") ""))
-                      #t))
-                  (add-before 'check 'skip-clamd-tests
-                    ;; XXX: The check?_clamd tests fail inside the build
-                    ;; chroot, but pass outside.
-                    (lambda _
-                      (substitute* "unit_tests/Makefile"
-                        (("check2_clamd.sh.*check4_clamd.sh") ""))
-                      #t)))))
+                                            (assoc-ref %build-inputs use))))))
+              (list "--disable-unrar"
+                    "--enable-llvm"
+                    "--with-system-llvm"
+                    "--with-system-libmspack"
+                    "--without-included-ltdl"
+                    (with "xml" "libxml2")
+                    (with "openssl" "libressl")
+                    (with "libjson" "json-c")
+                    (with "pcre2" "pcre2")
+                    (with "zlib" "zlib")
+                    (with "libcurl" "curl")
+                    ;; For sanity, specifying --enable-* flags turns
+                    ;; "support unavailable" warnings into errors.
+                    "--enable-bzip2"
+                    "--enable-check"
+                    "--sysconfdir=/etc/clamav"
+                    ;; Default database directory needs to be writeable
+                    "--with-dbdir=/var/db/clamav"))
+            ;; install sample .conf files to %output/etc rather than /etc/clamav
+            #:make-flags
+            #~(list (string-append "sysconfdir=" %output "/etc"))
+            #:phases
+            #~(modify-phases %standard-phases
+                ;; Regenerate configure script.  Without this we don't get
+                ;; the correct value for LLVM linker variables.
+                (add-after 'unpack 'reconf
+                  (lambda _ (invoke "autoreconf" "-vfi")))
+                (add-before 'configure 'patch-llvm-config
+                  (lambda _
+                    (substitute* '("libclamav/c++/detect.cpp"
+                                   "libclamav/c++/ClamBCRTChecks.cpp"
+                                   "libclamav/c++/bytecode2llvm.cpp")
+                      (("llvm/Config/config.h") "llvm/Config/llvm-config.h"))
+                    ;; `llvm-config --libfiles` inappropriately lists lib*.a
+                    ;; libraries, rather than the lib*.so's that our llvm
+                    ;; contains.  They're used only for listing extra build
+                    ;; dependencies, so ignore them until that's fixed.
+                    (substitute* "libclamav/c++/Makefile.in"
+                      (("@LLVMCONFIG_LIBFILES@") ""))))
+                (add-before 'check 'skip-clamd-tests
+                  ;; XXX: The check?_clamd tests fail inside the build
+                  ;; chroot, but pass outside.
+                  (lambda _
+                    (substitute* "unit_tests/Makefile"
+                      (("check2_clamd.sh.*check4_clamd.sh") "")))))))
     (home-page "https://www.clamav.net")
     (synopsis "Antivirus engine")
     (description
-- 
2.36.1

Ludovic Courtès wrote on 21 May 2022 00:01

Recipients:(address . kiasoc5@disroot.org)(address . 55437-done@debbugs.gnu.org)

Message-ID:87y1yvvp6p.fsf_-_@gnu.org

Hi,

kiasoc5@disroot.org skribis:

Toggle quote (8 lines)

> From c453008d05f4bc897eecd6f2545ff8047dc4e1fd Mon Sep 17 00:00:00 2001

> From: kiasoc5 <kiasoc5@disroot.org>

> Date: Sun, 15 May 2022 03:37:58 -0400

> Subject: [PATCH] gnu: clamav: Update to 0.103.6 [fixes

> CVE-2022-{20803,20770,20796,20771,20785,20792}].

> * gnu/packages/antivirus.scm (clamav): Update to 0.103.6.

[...]

Toggle quote (10 lines)>>From 151cbfbefd039ce28d38109493bf8b49f19a2edc Mon Sep 17 00:00:00 2001
> From: kiasoc5 <kiasoc5@disroot.org>
> Date: Wed, 18 May 2022 22:51:14 -0400
> Subject: [PATCH 2/2] gnu: clamav: Use new style and G-expressions.
>
> * gnu/packages/antivirus.scm (clamav)[source]: Remove trailing #t from snippet.
> [inputs]: Use new input style.
> [arguments]: Use G-expressions. Remove trailing #t from phases
> [configure-flags]: Adjust to new input style.

Applied, thanks!

Ludo’.

Closed

Jonathan Brielmaier wrote on 31 May 2022 23:06

[PATCH] gnu: clamav: Update to 0.103.6 [fixes CVE-2022-{20803,20770,20796,20771,20785,20792}].

Recipients:(address . 55437@debbugs.gnu.org)

Message-ID:daa1da4c-b81d-81ea-d75f-f4b5ec9710b1@web.de

Hm, our rust is already at 1.57.0. So this requirement shouldn't be a

problem.

Your comment

This issue is archived.

To comment on this conversation send an email to 55437@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date