[PATCH] gnu: clamav: Update to 0.103.6 [fixes CVE-2022-{20803,20770,20796,20771,20785,20792}].

  • Done
  • quality assurance status badge
Details
4 participants
  • Jonathan Brielmaier
  • kiasoc5
  • Ludovic Courtès
  • Maxim Cournoyer
Owner
unassigned
Submitted by
kiasoc5
Severity
normal
K
K
kiasoc5 wrote on 15 May 2022 22:12
(address . guix-patches@gnu.org)
f457d17cc9f404831f2b33869effb8d0661d2504@disroot.org
This patch updates clamav to the latest LTS version.
Per the release notes [1], a future update of clamav to 0.105+ will take some effort:

1. 0.105+ needs Rust 1.57+ to build.
2. The build should switch from tarball to git to avoid vendored crates.
3. 0.105+ works with llvm 8-12 (no more llvm 3.7).

I suggest we keep clamav on the LTS version until we update Rust.

PS: As you can see from the email address, I am migrating from Tutanota to Disroot.

K
K
kiasoc5 wrote on 16 May 2022 16:59
(address . 55437@debbugs.gnu.org)
27a9400c19672948e7e9624f547d05cd23738344@disroot.org
Mumi is not showing the patch, sending it inline.

From c453008d05f4bc897eecd6f2545ff8047dc4e1fd Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@disroot.org>
Date: Sun, 15 May 2022 03:37:58 -0400
Subject: [PATCH] gnu: clamav: Update to 0.103.6 [fixes
CVE-2022-{20803,20770,20796,20771,20785,20792}].

* gnu/packages/antivirus.scm (clamav): Update to 0.103.6.
---
gnu/packages/antivirus.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (23 lines)
diff --git a/gnu/packages/antivirus.scm b/gnu/packages/antivirus.scm
index 80126a5b59..4a5f995e42 100644
--- a/gnu/packages/antivirus.scm
+++ b/gnu/packages/antivirus.scm
@@ -44,14 +44,14 @@ (define-module (gnu packages antivirus)
(define-public clamav
(package
(name "clamav")
- (version "0.103.3")
+ (version "0.103.6")
(source (origin
(method url-fetch)
(uri (string-append "https://www.clamav.net/downloads/production/"
"clamav-" version ".tar.gz"))
(sha256
(base32
- "1sba4zccgwjqk29b5qkgfc9gm794hmk6j7bpj8wilgcz8hc3svlz"))
+ "0cxsv5m9pqxxb56qd7hlj11pwmdgm07s3msh3hxk47czq4yjx8da"))
(modules '((guix build utils)))
(snippet
'(begin
--
2.36.1
M
M
Maxim Cournoyer wrote on 18 May 2022 06:37
Re: bug#55437: [PATCH] gnu: clamav: Update to 0.103.6 [fixes CVE-2022-{20803,20770,20796,20771,20785,20792}].
(address . kiasoc5@disroot.org)(address . 55437@debbugs.gnu.org)
87mtff1moi.fsf_-_@gmail.com
Hi,

kiasoc5@disroot.org writes:

Toggle quote (9 lines)
> This patch updates clamav to the latest LTS version.
> Per the release notes [1], a future update of clamav to 0.105+ will take some effort:
>
> 1. 0.105+ needs Rust 1.57+ to build.
> 2. The build should switch from tarball to git to avoid vendored crates.
> 3. 0.105+ works with llvm 8-12 (no more llvm 3.7).
>
> I suggest we keep clamav on the LTS version until we update Rust.

Sounds like a fine plan.

Toggle quote (4 lines)
> PS: As you can see from the email address, I am migrating from Tutanota to Disroot.
>
> [1] https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html#more

I see the following guix lint warnings:

Toggle snippet (8 lines)
clamav@0.103.6: label 'libcurl' does not match package name 'curl'
clamav@0.103.6: label 'libjson' does not match package name 'json-c'
clamav@0.103.6: label 'openssl' does not match package name 'libressl'
clamav@0.103.6: label 'sasl' does not match package name 'cyrus-sasl'
clamav@0.103.6: label 'xml' does not match package name 'libxml2'
clamav@0.103.6: updater 'generic-html' failed to find upstream releases

I'm not sure about the last one, but the other ones could be fixed
simply by updating to the new style (list input1 input2 ...) instead of
`(("input1" ,input1) ("input2" ,input2) ...).

Would you mind updating the patch with such changes?

Thanks!

Maxim
K
K
kiasoc5 wrote on 19 May 2022 05:05
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 55437@debbugs.gnu.org)
5a8edd0b540303d9ebd42880ad38d249d74a5457@disroot.org
From 151cbfbefd039ce28d38109493bf8b49f19a2edc Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@disroot.org>
Date: Wed, 18 May 2022 22:51:14 -0400
Subject: [PATCH 2/2] gnu: clamav: Use new style and G-expressions.

* gnu/packages/antivirus.scm (clamav)[source]: Remove trailing #t from snippet.
[inputs]: Use new input style.
[arguments]: Use G-expressions. Remove trailing #t from phases
[configure-flags]: Adjust to new input style.
---
gnu/packages/antivirus.scm | 128 ++++++++++++++++++-------------------
1 file changed, 64 insertions(+), 64 deletions(-)

Toggle diff (157 lines)
diff --git a/gnu/packages/antivirus.scm b/gnu/packages/antivirus.scm
index 4a5f995e42..cda3fc942b 100644
--- a/gnu/packages/antivirus.scm
+++ b/gnu/packages/antivirus.scm
@@ -21,6 +21,7 @@
(define-module (gnu packages antivirus)
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix build-system gnu)
+ #:use-module (guix gexp)
#:use-module (guix packages)
#:use-module (guix download)
#:use-module (guix utils)
@@ -59,8 +60,7 @@ (define-public clamav
'("win32" ; unnecessary
"libclamav/c++/llvm" ; use system llvm
"libclamav/tomsfastmath" ; use system tomsfastmath
- "libclamunrar")) ; non-free license
- #t))
+ "libclamunrar")))) ; non-free license
(patches
(search-patches "clamav-system-tomsfastmath.patch"
"clamav-config-llvm-libs.patch"))))
@@ -72,70 +72,70 @@ (define-public clamav
libtool
pkg-config))
(inputs
- `(("bzip2" ,bzip2)
- ("libcurl" ,curl)
- ("libjson" ,json-c)
- ("libltdl" ,libltdl)
- ("libmspack" ,libmspack)
- ("llvm" ,llvm-3.6) ; requires <3.7, for JIT/verifier
- ("ncurses" ,ncurses)
- ("openssl" ,libressl)
- ("pcre2" ,pcre2)
- ("sasl" ,cyrus-sasl) ; for linking curl with libtool
- ("tomsfastmath" ,tomsfastmath)
- ("xml" ,libxml2)
- ("zlib" ,zlib)))
+ (list bzip2
+ curl
+ json-c
+ libltdl
+ libmspack
+ llvm-3.6 ; requires <3.7, for JIT/verifier
+ ncurses
+ libressl
+ pcre2
+ cyrus-sasl ; for linking curl with libtool
+ tomsfastmath
+ libxml2
+ zlib))
(arguments
- `(#:configure-flags
- (let-syntax ((with (syntax-rules ()
- ((_ name)
+ (list #:configure-flags
+ #~(let-syntax ((with (syntax-rules ()
+ ((_ name use)
(string-append "--with-" name "="
- (assoc-ref %build-inputs name))))))
- (list "--disable-unrar"
- "--enable-llvm"
- "--with-system-llvm"
- "--with-system-libmspack"
- "--without-included-ltdl"
- (with "xml")
- (with "openssl")
- (with "libjson")
- (with "pcre2")
- (with "zlib")
- (with "libcurl")
- ;; For sanity, specifying --enable-* flags turns
- ;; "support unavailable" warnings into errors.
- "--enable-bzip2"
- "--enable-check"
- "--sysconfdir=/etc/clamav"
- ;; Default database directory needs to be writeable
- "--with-dbdir=/var/db/clamav"))
- ;; install sample .conf files to %output/etc rather than /etc/clamav
- #:make-flags (list (string-append "sysconfdir=" %output "/etc"))
- #:phases (modify-phases %standard-phases
- ;; Regenerate configure script. Without this we don't get
- ;; the correct value for LLVM linker variables.
- (add-after 'unpack 'reconf
- (lambda _ (invoke "autoreconf" "-vfi")))
- (add-before 'configure 'patch-llvm-config
- (lambda _
- (substitute* '("libclamav/c++/detect.cpp"
- "libclamav/c++/ClamBCRTChecks.cpp"
- "libclamav/c++/bytecode2llvm.cpp")
- (("llvm/Config/config.h") "llvm/Config/llvm-config.h"))
- ;; `llvm-config --libfiles` inappropriately lists lib*.a
- ;; libraries, rather than the lib*.so's that our llvm
- ;; contains. They're used only for listing extra build
- ;; dependencies, so ignore them until that's fixed.
- (substitute* "libclamav/c++/Makefile.in"
- (("@LLVMCONFIG_LIBFILES@") ""))
- #t))
- (add-before 'check 'skip-clamd-tests
- ;; XXX: The check?_clamd tests fail inside the build
- ;; chroot, but pass outside.
- (lambda _
- (substitute* "unit_tests/Makefile"
- (("check2_clamd.sh.*check4_clamd.sh") ""))
- #t)))))
+ (assoc-ref %build-inputs use))))))
+ (list "--disable-unrar"
+ "--enable-llvm"
+ "--with-system-llvm"
+ "--with-system-libmspack"
+ "--without-included-ltdl"
+ (with "xml" "libxml2")
+ (with "openssl" "libressl")
+ (with "libjson" "json-c")
+ (with "pcre2" "pcre2")
+ (with "zlib" "zlib")
+ (with "libcurl" "curl")
+ ;; For sanity, specifying --enable-* flags turns
+ ;; "support unavailable" warnings into errors.
+ "--enable-bzip2"
+ "--enable-check"
+ "--sysconfdir=/etc/clamav"
+ ;; Default database directory needs to be writeable
+ "--with-dbdir=/var/db/clamav"))
+ ;; install sample .conf files to %output/etc rather than /etc/clamav
+ #:make-flags
+ #~(list (string-append "sysconfdir=" %output "/etc"))
+ #:phases
+ #~(modify-phases %standard-phases
+ ;; Regenerate configure script. Without this we don't get
+ ;; the correct value for LLVM linker variables.
+ (add-after 'unpack 'reconf
+ (lambda _ (invoke "autoreconf" "-vfi")))
+ (add-before 'configure 'patch-llvm-config
+ (lambda _
+ (substitute* '("libclamav/c++/detect.cpp"
+ "libclamav/c++/ClamBCRTChecks.cpp"
+ "libclamav/c++/bytecode2llvm.cpp")
+ (("llvm/Config/config.h") "llvm/Config/llvm-config.h"))
+ ;; `llvm-config --libfiles` inappropriately lists lib*.a
+ ;; libraries, rather than the lib*.so's that our llvm
+ ;; contains. They're used only for listing extra build
+ ;; dependencies, so ignore them until that's fixed.
+ (substitute* "libclamav/c++/Makefile.in"
+ (("@LLVMCONFIG_LIBFILES@") ""))))
+ (add-before 'check 'skip-clamd-tests
+ ;; XXX: The check?_clamd tests fail inside the build
+ ;; chroot, but pass outside.
+ (lambda _
+ (substitute* "unit_tests/Makefile"
+ (("check2_clamd.sh.*check4_clamd.sh") "")))))))
(home-page "https://www.clamav.net")
(synopsis "Antivirus engine")
(description
--
2.36.1
L
L
Ludovic Courtès wrote on 21 May 2022 00:01
(address . kiasoc5@disroot.org)(address . 55437-done@debbugs.gnu.org)
87y1yvvp6p.fsf_-_@gnu.org
Hi,

kiasoc5@disroot.org skribis:

Toggle quote (8 lines)
> From c453008d05f4bc897eecd6f2545ff8047dc4e1fd Mon Sep 17 00:00:00 2001
> From: kiasoc5 <kiasoc5@disroot.org>
> Date: Sun, 15 May 2022 03:37:58 -0400
> Subject: [PATCH] gnu: clamav: Update to 0.103.6 [fixes
> CVE-2022-{20803,20770,20796,20771,20785,20792}].
>
> * gnu/packages/antivirus.scm (clamav): Update to 0.103.6.

[...]

Toggle quote (10 lines)
>>From 151cbfbefd039ce28d38109493bf8b49f19a2edc Mon Sep 17 00:00:00 2001
> From: kiasoc5 <kiasoc5@disroot.org>
> Date: Wed, 18 May 2022 22:51:14 -0400
> Subject: [PATCH 2/2] gnu: clamav: Use new style and G-expressions.
>
> * gnu/packages/antivirus.scm (clamav)[source]: Remove trailing #t from snippet.
> [inputs]: Use new input style.
> [arguments]: Use G-expressions. Remove trailing #t from phases
> [configure-flags]: Adjust to new input style.

Applied, thanks!

Ludo’.
Closed
J
J
Jonathan Brielmaier wrote on 31 May 2022 23:06
[PATCH] gnu: clamav: Update to 0.103.6 [fixes CVE-2022-{20803,20770,20796,20771,20785,20792}].
(address . 55437@debbugs.gnu.org)
daa1da4c-b81d-81ea-d75f-f4b5ec9710b1@web.de
Hm, our rust is already at 1.57.0. So this requirement shouldn't be a
problem.
?
Your comment

This issue is archived.

To comment on this conversation send an email to 55437@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 55437
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch