[PATCH] gnu: clamav: Update to 0.103.6 [fixes CVE-2022-{20803,20770,20796,20771,20785,20792}].

Done. Submitted by kiasoc5.
Details
4 participants
  • Jonathan Brielmaier
  • kiasoc5
  • Ludovic Courtès
  • Maxim Cournoyer
Owner: unassigned
Severity: normal
kiasoc5 wrote on 15 May 22:12 +0200
(address . guix-patches@gnu.org)
f457d17cc9f404831f2b33869effb8d0661d2504@disroot.org
This patch updates clamav to the latest LTS version.
Per the release notes [1], a future update of clamav to 0.105+ will take some effort:

1. 0.105+ needs Rust 1.57+ to build.
2. The build should switch from tarball to git to avoid vendored crates.
3. 0.105+ works with llvm 8-12 (no more llvm 3.7).

I suggest we keep clamav on the LTS version until we update Rust.

PS: As you can see from the email address, I am migrating from Tutanota to Disroot.

kiasoc5 wrote on 16 May 16:59 +0200
(address . 55437@debbugs.gnu.org)
27a9400c19672948e7e9624f547d05cd23738344@disroot.org
Mumi is not showing the patch, sending it inline.

From c453008d05f4bc897eecd6f2545ff8047dc4e1fd Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@disroot.org>
Date: Sun, 15 May 2022 03:37:58 -0400
Subject: [PATCH] gnu: clamav: Update to 0.103.6 [fixes
CVE-2022-{20803,20770,20796,20771,20785,20792}].

* gnu/packages/antivirus.scm (clamav): Update to 0.103.6.
---
gnu/packages/antivirus.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/antivirus.scm b/gnu/packages/antivirus.scm
index 80126a5b59..4a5f995e42 100644
--- a/gnu/packages/antivirus.scm
+++ b/gnu/packages/antivirus.scm
@@ -44,14 +44,14 @@ (define-module (gnu packages antivirus)
(define-public clamav
(package
(name "clamav")
- (version "0.103.3")
+ (version "0.103.6")
(source (origin
(method url-fetch)
(uri (string-append "https://www.clamav.net/downloads/production/"
"clamav-" version ".tar.gz"))
(sha256
(base32
- "1sba4zccgwjqk29b5qkgfc9gm794hmk6j7bpj8wilgcz8hc3svlz"))
+ "0cxsv5m9pqxxb56qd7hlj11pwmdgm07s3msh3hxk47czq4yjx8da"))
(modules '((guix build utils)))
(snippet
'(begin
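Review bot: the commit message names six CVEs, but the version line moves from 0.103.3 straight to 0.103.6, so the update also takes in whatever 0.103.4 and 0.103.5 changed. It would help to check the upstream notes for those two releases and say in the commit message whether further security fixes come along with this bump. Since the new base32 value is the only thing pinning the tarball that url-fetch pulls from www.clamav.net, please also confirm the hash was computed from a download checked against upstream's published signature, if one is available, rather than from a single unverified fetch.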
-- 
2.36.1
Maxim Cournoyer wrote on 18 May 06:37 +0200
Re: bug#55437: [PATCH] gnu: clamav: Update to 0.103.6 [fixes CVE-2022-{20803,20770,20796,20771,20785,20792}].
(address . kiasoc5@disroot.org)(address . 55437@debbugs.gnu.org)
87mtff1moi.fsf_-_@gmail.com
Hi,

kiasoc5@disroot.org writes:

> This patch updates clamav to the latest LTS version.
> Per the release notes [1], a future update of clamav to 0.105+ will take some effort:
>
> 1. 0.105+ needs Rust 1.57+ to build.
> 2. The build should switch from tarball to git to avoid vendored crates.
> 3. 0.105+ works with llvm 8-12 (no more llvm 3.7).
>
> I suggest we keep clamav on the LTS version until we update Rust.

Sounds like a fine plan.

> PS: As you can see from the email address, I am migrating from Tutanota to Disroot.
>
> [1] https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html#more

I see the following guix lint warnings:

clamav@0.103.6: label 'libcurl' does not match package name 'curl'
clamav@0.103.6: label 'libjson' does not match package name 'json-c'
clamav@0.103.6: label 'openssl' does not match package name 'libressl'
clamav@0.103.6: label 'sasl' does not match package name 'cyrus-sasl'
clamav@0.103.6: label 'xml' does not match package name 'libxml2'
clamav@0.103.6: updater 'generic-html' failed to find upstream releases

I'm not sure about the last one, but the other ones could be fixed
simply by updating to the new style (list input1 input2 ...) instead of
`(("input1" ,input1) ("input2" ,input2) ...).

Would you mind updating the patch with such changes?

Thanks!

Maxim
kiasoc5 wrote on 19 May 05:05 +0200
(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)(address . 55437@debbugs.gnu.org)
5a8edd0b540303d9ebd42880ad38d249d74a5457@disroot.org
From 151cbfbefd039ce28d38109493bf8b49f19a2edc Mon Sep 17 00:00:00 2001
From: kiasoc5 <kiasoc5@disroot.org>
Date: Wed, 18 May 2022 22:51:14 -0400
Subject: [PATCH 2/2] gnu: clamav: Use new style and G-expressions.

* gnu/packages/antivirus.scm (clamav)[source]: Remove trailing #t from snippet.
[inputs]: Use new input style.
[arguments]: Use G-expressions. Remove trailing #t from phases
[configure-flags]: Adjust to new input style.
---
gnu/packages/antivirus.scm | 128 ++++++++++++++++++-------------------
1 file changed, 64 insertions(+), 64 deletions(-)

diff --git a/gnu/packages/antivirus.scm b/gnu/packages/antivirus.scm
index 4a5f995e42..cda3fc942b 100644
--- a/gnu/packages/antivirus.scm
+++ b/gnu/packages/antivirus.scm
@@ -21,6 +21,7 @@
 (define-module (gnu packages antivirus)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix build-system gnu)
+  #:use-module (guix gexp)
   #:use-module (guix packages)
   #:use-module (guix download)
   #:use-module (guix utils)
@@ -59,8 +60,7 @@ (define-public clamav
                             '("win32"                  ; unnecessary
                               "libclamav/c++/llvm"     ; use system llvm
                               "libclamav/tomsfastmath" ; use system tomsfastmath
-                              "libclamunrar"))         ; non-free license
-                  #t))
+                              "libclamunrar"))))       ; non-free license
               (patches
                (search-patches "clamav-system-tomsfastmath.patch"
                                "clamav-config-llvm-libs.patch"))))
@@ -72,70 +72,70 @@ (define-public clamav
            libtool
            pkg-config))
     (inputs
-     `(("bzip2" ,bzip2)
-       ("libcurl" ,curl)
-       ("libjson" ,json-c)
-       ("libltdl" ,libltdl)
-       ("libmspack" ,libmspack)
-       ("llvm" ,llvm-3.6)               ; requires <3.7, for JIT/verifier
-       ("ncurses" ,ncurses)
-       ("openssl" ,libressl)
-       ("pcre2" ,pcre2)
-       ("sasl" ,cyrus-sasl)             ; for linking curl with libtool
-       ("tomsfastmath" ,tomsfastmath)
-       ("xml" ,libxml2)
-       ("zlib" ,zlib)))
+      (list bzip2
+            curl
+            json-c
+            libltdl
+            libmspack
+            llvm-3.6               ; requires <3.7, for JIT/verifier
+            ncurses
+            libressl
+            pcre2
+            cyrus-sasl             ; for linking curl with libtool
+            tomsfastmath
+            libxml2
+            zlib))
     (arguments
-     `(#:configure-flags
-       (let-syntax ((with (syntax-rules ()
-                            ((_ name)
+      (list #:configure-flags
+            #~(let-syntax ((with (syntax-rules ()
+                            ((_ name use)
                              (string-append "--with-" name "="
-                                            (assoc-ref %build-inputs name))))))
-         (list "--disable-unrar"
-               "--enable-llvm"
-               "--with-system-llvm"
-               "--with-system-libmspack"
-               "--without-included-ltdl"
-               (with "xml")
-               (with "openssl")
-               (with "libjson")
-               (with "pcre2")
-               (with "zlib")
-               (with "libcurl")
-               ;; For sanity, specifying --enable-* flags turns
-               ;; "support unavailable" warnings into errors.
-               "--enable-bzip2"
-               "--enable-check"
-               "--sysconfdir=/etc/clamav"
-               ;; Default database directory needs to be writeable
-               "--with-dbdir=/var/db/clamav"))
-       ;; install sample .conf files to %output/etc rather than /etc/clamav
-       #:make-flags (list (string-append "sysconfdir=" %output "/etc"))
-       #:phases (modify-phases %standard-phases
-                  ;; Regenerate configure script.  Without this we don't get
-                  ;; the correct value for LLVM linker variables.
-                  (add-after 'unpack 'reconf
-                    (lambda _ (invoke "autoreconf" "-vfi")))
-                  (add-before 'configure 'patch-llvm-config
-                    (lambda _
-                      (substitute* '("libclamav/c++/detect.cpp"
-                                     "libclamav/c++/ClamBCRTChecks.cpp"
-                                     "libclamav/c++/bytecode2llvm.cpp")
-                        (("llvm/Config/config.h") "llvm/Config/llvm-config.h"))
-                      ;; `llvm-config --libfiles` inappropriately lists lib*.a
-                      ;; libraries, rather than the lib*.so's that our llvm
-                      ;; contains.  They're used only for listing extra build
-                      ;; dependencies, so ignore them until that's fixed.
-                      (substitute* "libclamav/c++/Makefile.in"
-                        (("@LLVMCONFIG_LIBFILES@") ""))
-                      #t))
-                  (add-before 'check 'skip-clamd-tests
-                    ;; XXX: The check?_clamd tests fail inside the build
-                    ;; chroot, but pass outside.
-                    (lambda _
-                      (substitute* "unit_tests/Makefile"
-                        (("check2_clamd.sh.*check4_clamd.sh") ""))
-                      #t)))))
+                                            (assoc-ref %build-inputs use))))))
+              (list "--disable-unrar"
+                    "--enable-llvm"
+                    "--with-system-llvm"
+                    "--with-system-libmspack"
+                    "--without-included-ltdl"
+                    (with "xml" "libxml2")
+                    (with "openssl" "libressl")
+                    (with "libjson" "json-c")
+                    (with "pcre2" "pcre2")
+                    (with "zlib" "zlib")
+                    (with "libcurl" "curl")
+                    ;; For sanity, specifying --enable-* flags turns
+                    ;; "support unavailable" warnings into errors.
+                    "--enable-bzip2"
+                    "--enable-check"
+                    "--sysconfdir=/etc/clamav"
+                    ;; Default database directory needs to be writeable
+                    "--with-dbdir=/var/db/clamav"))
+            ;; install sample .conf files to %output/etc rather than /etc/clamav
+            #:make-flags
+            #~(list (string-append "sysconfdir=" %output "/etc"))
+            #:phases
+            #~(modify-phases %standard-phases
+                ;; Regenerate configure script.  Without this we don't get
+                ;; the correct value for LLVM linker variables.
+                (add-after 'unpack 'reconf
+                  (lambda _ (invoke "autoreconf" "-vfi")))
+                (add-before 'configure 'patch-llvm-config
+                  (lambda _
+                    (substitute* '("libclamav/c++/detect.cpp"
+                                   "libclamav/c++/ClamBCRTChecks.cpp"
+                                   "libclamav/c++/bytecode2llvm.cpp")
+                      (("llvm/Config/config.h") "llvm/Config/llvm-config.h"))
+                    ;; `llvm-config --libfiles` inappropriately lists lib*.a
+                    ;; libraries, rather than the lib*.so's that our llvm
+                    ;; contains.  They're used only for listing extra build
+                    ;; dependencies, so ignore them until that's fixed.
+                    (substitute* "libclamav/c++/Makefile.in"
+                      (("@LLVMCONFIG_LIBFILES@") ""))))
+                (add-before 'check 'skip-clamd-tests
+                  ;; XXX: The check?_clamd tests fail inside the build
+                  ;; chroot, but pass outside.
+                  (lambda _
+                    (substitute* "unit_tests/Makefile"
+                      (("check2_clamd.sh.*check4_clamd.sh") "")))))))
     (home-page "https://www.clamav.net")
     (synopsis "Antivirus engine")
     (description
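Review bot: the reworked `with` macro under #:configure-flags still resolves paths with `(assoc-ref %build-inputs use)`, which now works only because new-style inputs receive their package name as an implicit label. Each call such as `(with "openssl" "libressl")` therefore depends on a string that nothing checks when the package is evaluated. Since the arguments are G-expressions now, the input can be referenced directly, for example `#$(this-package-input "libressl")`, and `%output` in #:make-flags can become `#$output` in the same way. As a style point, the continuation lines of the `syntax-rules` form (`((_ name use)` and the `string-append` below it) were not re-indented under `#~(let-syntax`, and the new `(list bzip2 ...)` block is indented one column deeper than the surrounding fields.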
-- 
2.36.1
Ludovic Courtès wrote on 21 May 00:01 +0200
(address . kiasoc5@disroot.org)(address . 55437-done@debbugs.gnu.org)
87y1yvvp6p.fsf_-_@gnu.org
Hi,

kiasoc5@disroot.org skribis:

> From c453008d05f4bc897eecd6f2545ff8047dc4e1fd Mon Sep 17 00:00:00 2001
> From: kiasoc5 <kiasoc5@disroot.org>
> Date: Sun, 15 May 2022 03:37:58 -0400
> Subject: [PATCH] gnu: clamav: Update to 0.103.6 [fixes
> CVE-2022-{20803,20770,20796,20771,20785,20792}].
>
> * gnu/packages/antivirus.scm (clamav): Update to 0.103.6.

[...]

> From 151cbfbefd039ce28d38109493bf8b49f19a2edc Mon Sep 17 00:00:00 2001
> From: kiasoc5 <kiasoc5@disroot.org>
> Date: Wed, 18 May 2022 22:51:14 -0400
> Subject: [PATCH 2/2] gnu: clamav: Use new style and G-expressions.
>
> * gnu/packages/antivirus.scm (clamav)[source]: Remove trailing #t from snippet.
> [inputs]: Use new input style.
> [arguments]: Use G-expressions. Remove trailing #t from phases
> [configure-flags]: Adjust to new input style.

Applied, thanks!

Ludo’.
Closed
Jonathan Brielmaier wrote on 31 May 23:06 +0200
[PATCH] gnu: clamav: Update to 0.103.6 [fixes CVE-2022-{20803,20770,20796,20771,20785,20792}].
(address . 55437@debbugs.gnu.org)
daa1da4c-b81d-81ea-d75f-f4b5ec9710b1@web.de
Hm, our rust is already at 1.57.0. So this requirement shouldn't be a
problem.

This issue is archived.

To comment on this conversation send email to 55437@debbugs.gnu.org