[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#926170: marked as done (unblock: libclamunrar/0.101.2-1)

Your message dated Mon, 01 Apr 2019 18:33:00 +0000
with message-id <a3c05904-a743-25a6-e95d-fdd0ac5bc43c@thykier.net>
and subject line Re: Bug#926170: unblock: libclamunrar/0.101.2-1
has caused the Debian Bug report #926170,
regarding unblock: libclamunrar/0.101.2-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
926170: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=926170
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package libclamunrar.
The new release is part of the new clamav release which fixes two RAR
related CVEs.

unblock libclamunrar/0.101.2-1

Sebastian

diff -Nru libclamunrar-0.101.1/clamav-config.h.in libclamunrar-0.101.2/clamav-config.h.in
--- libclamunrar-0.101.1/clamav-config.h.in	2019-02-09 23:29:30.000000000 +0100
+++ libclamunrar-0.101.2/clamav-config.h.in	2019-03-30 14:57:29.000000000 +0100
@@ -314,6 +314,9 @@
 /* Define to 1 if you have the `strnlen' function. */
 #undef HAVE_STRNLEN
 
+/* Define to 1 if you have the `strnstr' function. */
+#undef HAVE_STRNSTR
+
 /* Define to 1 if sysconf(_SC_PAGESIZE) is available */
 #undef HAVE_SYSCONF_SC_PAGESIZE
 
diff -Nru libclamunrar-0.101.1/configure libclamunrar-0.101.2/configure
--- libclamunrar-0.101.1/configure	2019-02-09 23:29:30.000000000 +0100
+++ libclamunrar-0.101.2/configure	2019-03-30 14:57:29.000000000 +0100
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for ClamAV 0.101.1.
+# Generated by GNU Autoconf 2.69 for ClamAV 0.101.2.
 #
 # Report bugs to <https://bugzilla.clamav.net/>.
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='ClamAV'
 PACKAGE_TARNAME='clamav'
-PACKAGE_VERSION='0.101.1'
-PACKAGE_STRING='ClamAV 0.101.1'
+PACKAGE_VERSION='0.101.2'
+PACKAGE_STRING='ClamAV 0.101.2'
 PACKAGE_BUGREPORT='https://bugzilla.clamav.net/'
 PACKAGE_URL='https://www.clamav.net/'
 
@@ -753,6 +753,8 @@
 CHECK_CPPFLAGS
 CHECK_LIBS
 CHECK_CFLAGS
+ENABLE_FUZZ_FALSE
+ENABLE_FUZZ_TRUE
 BUILD_CONFIGURE_FLAGS
 VERSIONSCRIPT_FALSE
 VERSIONSCRIPT_TRUE
@@ -908,6 +910,7 @@
 enable_libtool_lock
 enable_gcc_vcheck
 enable_experimental
+enable_fuzz
 enable_mempool
 enable_check
 enable_rpath
@@ -1533,7 +1536,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures ClamAV 0.101.1 to adapt to many kinds of systems.
+\`configure' configures ClamAV 0.101.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1605,7 +1608,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of ClamAV 0.101.1:";;
+     short | recursive ) echo "Configuration of ClamAV 0.101.2:";;
    esac
   cat <<\_ACEOF
 
@@ -1626,6 +1629,7 @@
   --disable-libtool-lock  avoid locking (might break parallel builds)
   --disable-gcc-vcheck    do not check for buggy gcc version
   --enable-experimental   enable experimental code
+  --enable-fuzz           enable building standalone fuzz targets [default=no]
   --disable-mempool       do not use memory pools
   --enable-check          enable check unit tests [default=auto]
   --disable-rpath         do not hardcode runtime library paths
@@ -1819,7 +1823,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-ClamAV configure 0.101.1
+ClamAV configure 0.101.2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2363,7 +2367,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by ClamAV $as_me 0.101.1, which was
+It was created by ClamAV $as_me 0.101.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -4120,7 +4124,7 @@
 
 # Define the identity of the package.
  PACKAGE='clamav'
- VERSION='0.101.1'
+ VERSION='0.101.2'
 
 
 # Some tools Automake needs.
@@ -5849,10 +5853,10 @@
 
 
 
-VERSION="0.101.1"
+VERSION="0.101.2"
 
 LC_CURRENT=9
-LC_REVISION=1
+LC_REVISION=2
 LC_AGE=0
 LIBCLAMAV_VERSION="$LC_CURRENT":"$LC_REVISION":"$LC_AGE"
 
@@ -19150,6 +19154,27 @@
 BUILD_CONFIGURE_FLAGS=$build_configure_args
 
 
+# Check whether --enable-fuzz was given.
+if test "${enable_fuzz+set}" = set; then :
+  enableval=$enable_fuzz; enable_cov=$enableval
+else
+  enable_cov="no"
+fi
+
+
+if test "x$enable_fuzz" = "xyes"; then
+    CXXFLAGS="-std=c++11 -stdlib=libc++ $CXXFLAGS"
+fi
+
+ if test "x$enable_fuzz" = "xyes"; then
+  ENABLE_FUZZ_TRUE=
+  ENABLE_FUZZ_FALSE='#'
+else
+  ENABLE_FUZZ_TRUE='#'
+  ENABLE_FUZZ_FALSE=
+fi
+
+
 
   { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether uname(2) is POSIX" >&5
 $as_echo_n "checking whether uname(2) is POSIX... " >&6; }
@@ -19357,6 +19382,17 @@
 fi
 done
 
+for ac_func in strnstr
+do :
+  ac_fn_c_check_func "$LINENO" "strnstr" "ac_cv_func_strnstr"
+if test "x$ac_cv_func_strnstr" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_STRNSTR 1
+_ACEOF
+
+fi
+done
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for _LARGEFILE_SOURCE value needed for large files" >&5
 $as_echo_n "checking for _LARGEFILE_SOURCE value needed for large files... " >&6; }
 if ${ac_cv_sys_largefile_source+:} false; then :
@@ -28120,6 +28156,10 @@
   as_fn_error $? "conditional \"VERSIONSCRIPT\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${ENABLE_FUZZ_TRUE}" && test -z "${ENABLE_FUZZ_FALSE}"; then
+  as_fn_error $? "conditional \"ENABLE_FUZZ\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${HAVE_LIBCHECK_TRUE}" && test -z "${HAVE_LIBCHECK_FALSE}"; then
   as_fn_error $? "conditional \"HAVE_LIBCHECK\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -28577,7 +28617,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by ClamAV $as_me 0.101.1, which was
+This file was extended by ClamAV $as_me 0.101.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -28644,7 +28684,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-ClamAV config.status 0.101.1
+ClamAV config.status 0.101.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -Nru libclamunrar-0.101.1/configure.ac libclamunrar-0.101.2/configure.ac
--- libclamunrar-0.101.1/configure.ac	2019-02-09 23:29:26.000000000 +0100
+++ libclamunrar-0.101.2/configure.ac	2019-03-30 14:57:25.000000000 +0100
@@ -1,4 +1,6 @@
-dnl   Copyright (C) 2002 - 2006 Tomasz Kojm <tkojm@clamav.net>
+dnl   Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+dnl   Copyright (C) 2007-2013 Sourcefire, Inc.
+dnl   Copyright (C) 2002-2007 Tomasz Kojm <tkojm@clamav.net>
 dnl   readdir_r checks (c) COPYRIGHT MIT 1995
 dnl   socklen_t check (c) Alexander V. Lukyanov <lav@yars.free.net>
 dnl
@@ -20,7 +22,7 @@
 AC_PREREQ([2.59])
 dnl For a release change [devel] to the real version [0.xy]
 dnl also change VERSION below
-AC_INIT([ClamAV], [0.101.1], [https://bugzilla.clamav.net/], [clamav], [https://www.clamav.net/])
+AC_INIT([ClamAV], [0.101.2], [https://bugzilla.clamav.net/], [clamav], [https://www.clamav.net/])
 
 dnl enable C++
 AC_PROG_CXX()
@@ -73,6 +75,7 @@
 build_configure_args=`echo "$ac_configure_args" | sed -e 's/[\"]//g'`
 AC_SUBST([BUILD_CONFIGURE_FLAGS], [$build_configure_args])
 
+m4_include([m4/reorganization/code_checks/fuzz.m4])
 m4_include([m4/reorganization/code_checks/functions.m4])
 m4_include([m4/reorganization/code_checks/mpool.m4])
 m4_include([m4/reorganization/code_checks/unit_tests.m4])
diff -Nru libclamunrar-0.101.1/debian/changelog libclamunrar-0.101.2/debian/changelog
--- libclamunrar-0.101.1/debian/changelog	2019-02-28 23:57:23.000000000 +0100
+++ libclamunrar-0.101.2/debian/changelog	2019-03-30 16:37:10.000000000 +0100
@@ -1,3 +1,13 @@
+libclamunrar (0.101.2-1) unstable; urgency=high
+
+  * Import 0.101.2
+    - CVE-2019-1785 (A path-traversal write condition may occur as a result of
+      improper input validation when scanning RAR archives)
+    - CVE-2019-1798 (A use-after-free condition may occur as a result of
+      improper error handling when scanning nested RAR archives)
+
+ -- Sebastian Andrzej Siewior <sebastian@breakpoint.cc>  Sat, 30 Mar 2019 16:37:10 +0100
+
 libclamunrar (0.101.1-2) unstable; urgency=medium
 
   * Upload to unstable.
diff -Nru libclamunrar-0.101.1/debian/.git-dpm libclamunrar-0.101.2/debian/.git-dpm
--- libclamunrar-0.101.1/debian/.git-dpm	2019-02-28 23:57:04.000000000 +0100
+++ libclamunrar-0.101.2/debian/.git-dpm	2019-03-30 16:37:10.000000000 +0100
@@ -1,8 +1,8 @@
 # see git-dpm(1) from git-dpm package
-b6445e154030cecddc72fe76d3d2e18869b15118
-b6445e154030cecddc72fe76d3d2e18869b15118
-b6445e154030cecddc72fe76d3d2e18869b15118
-b6445e154030cecddc72fe76d3d2e18869b15118
-libclamunrar_0.101.1.orig.tar.xz
-446b41431eccef23f9d0ec5133eb964bc4a1776f
-491568
+a1d0c295832affbb17bd4c16432800ec3aade630
+a1d0c295832affbb17bd4c16432800ec3aade630
+a1d0c295832affbb17bd4c16432800ec3aade630
+a1d0c295832affbb17bd4c16432800ec3aade630
+libclamunrar_0.101.2.orig.tar.xz
+6f660fc27166a75b0e336b82769b242bf0471374
+487968
diff -Nru libclamunrar-0.101.1/libclamunrar_iface/Makefile.am libclamunrar-0.101.2/libclamunrar_iface/Makefile.am
--- libclamunrar-0.101.1/libclamunrar_iface/Makefile.am	2019-02-09 23:29:26.000000000 +0100
+++ libclamunrar-0.101.2/libclamunrar_iface/Makefile.am	2019-03-30 14:57:25.000000000 +0100
@@ -1,6 +1,7 @@
 #
-#  Copyright (C) 2002 - 2007 Tomasz Kojm <tkojm@clamav.net>
-#  Copyright (C) 2008 - 2013 Sourcefire, Inc.
+#  Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+#  Copyright (C) 2007-2013 Sourcefire, Inc.
+#  Copyright (C) 2002-2007 Tomasz Kojm <tkojm@clamav.net>
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
diff -Nru libclamunrar-0.101.1/libclamunrar_iface/Makefile.in libclamunrar-0.101.2/libclamunrar_iface/Makefile.in
--- libclamunrar-0.101.1/libclamunrar_iface/Makefile.in	2019-02-09 23:29:31.000000000 +0100
+++ libclamunrar-0.101.2/libclamunrar_iface/Makefile.in	2019-03-30 14:57:30.000000000 +0100
@@ -15,8 +15,9 @@
 @SET_MAKE@
 
 #
-#  Copyright (C) 2002 - 2007 Tomasz Kojm <tkojm@clamav.net>
-#  Copyright (C) 2008 - 2013 Sourcefire, Inc.
+#  Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+#  Copyright (C) 2007-2013 Sourcefire, Inc.
+#  Copyright (C) 2002-2007 Tomasz Kojm <tkojm@clamav.net>
 #
 #  This program is free software; you can redistribute it and/or modify
 #  it under the terms of the GNU General Public License as published by
@@ -132,6 +133,7 @@
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \
diff -Nru libclamunrar-0.101.1/libclamunrar_iface/unrar_iface.cpp libclamunrar-0.101.2/libclamunrar_iface/unrar_iface.cpp
--- libclamunrar-0.101.1/libclamunrar_iface/unrar_iface.cpp	2019-02-09 23:29:22.000000000 +0100
+++ libclamunrar-0.101.2/libclamunrar_iface/unrar_iface.cpp	2019-03-30 14:57:20.000000000 +0100
@@ -1,7 +1,9 @@
 /*
  * Interface to libclamunrar
- * Copyright (C) 2015-2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+ *
+ * Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
  * Copyright (C) 2007-2013 Sourcefire, Inc.
+ *
  * Authors: Trog, Torok Edvin, Tomasz Kojm, Micah Snyder
  *
  * Redistribution and use in source and binary forms, with or without
@@ -89,7 +91,7 @@
 
 /**
  * @brief  Translate an ERAR_<code> to the appropriate UNRAR_<code>
- * 
+ *
  * @param errorCode ERAR_<code>
  * @return cl_unrar_error_t UNRAR_OK, UNRAR_ENCRYPTED, or UNRAR_ERR.
  */
@@ -133,6 +135,7 @@
     }
     case ERAR_EOPEN: {
         unrar_dbgmsg("unrar_retcode: Volume open error.\n");
+        status = UNRAR_EOPEN;
         break;
     }
     case ERAR_ECREATE: {
@@ -289,7 +292,7 @@
 
 /**
  * @brief  Get file metadata from the next file header.
- * 
+ *
  * @param hArchive              Handle to the archive we're extracting.
  * @param[in/out] file_metadata Pointer to a pre-allocated metadata structure.
  * @return cl_unrar_error_t     UNRAR_OK if metadata retrieved, UNRAR_BREAK if no more files, UNRAR_ENCRYPTED if header was encrypted, else maybe UNRAR_EMEM or UNRAR_ERR.
@@ -317,7 +320,7 @@
      */
     headerData.CmtBuf = NULL;
     headerData.CmtBufSize = 0;
-    
+
     headerData.RedirNameSize = 1024 * sizeof(wchar_t);
     headerData.RedirName = (wchar_t*)&RedirName;
     memset(headerData.RedirName, 0, headerData.RedirNameSize);
diff -Nru libclamunrar-0.101.1/libclamunrar_iface/unrar_iface.h libclamunrar-0.101.2/libclamunrar_iface/unrar_iface.h
--- libclamunrar-0.101.1/libclamunrar_iface/unrar_iface.h	2019-02-09 23:29:22.000000000 +0100
+++ libclamunrar-0.101.2/libclamunrar_iface/unrar_iface.h	2019-03-30 14:57:20.000000000 +0100
@@ -1,7 +1,9 @@
 /*
  * Interface to libclamunrar
- * Copyright (C) 2015-2018 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
+ *
+ * Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
  * Copyright (C) 2007-2013 Sourcefire, Inc.
+ *
  * Authors: Trog, Torok Edvin, Tomasz Kojm, Micah Snyder
  *
  * Redistribution and use in source and binary forms, with or without
@@ -48,7 +50,8 @@
     UNRAR_BREAK,
     UNRAR_ENCRYPTED,
     UNRAR_EMEM,
-    UNRAR_ERR
+    UNRAR_ERR,
+    UNRAR_EOPEN
 } cl_unrar_error_t;
 
 typedef struct unrar_metadata_tag
diff -Nru libclamunrar-0.101.1/m4/reorganization/code_checks/functions.m4 libclamunrar-0.101.2/m4/reorganization/code_checks/functions.m4
--- libclamunrar-0.101.1/m4/reorganization/code_checks/functions.m4	2019-02-09 23:29:22.000000000 +0100
+++ libclamunrar-0.101.2/m4/reorganization/code_checks/functions.m4	2019-03-30 14:57:20.000000000 +0100
@@ -5,6 +5,7 @@
 AC_CHECK_FUNCS_ONCE([poll setsid memcpy snprintf vsnprintf strerror_r strlcpy strlcat strcasestr inet_ntop setgroups initgroups ctime_r mkstemp mallinfo madvise getnameinfo])
 AC_CHECK_FUNCS([strndup])
 AC_CHECK_FUNCS([strnlen])
+AC_CHECK_FUNCS([strnstr])
 AC_FUNC_FSEEKO
 
 dnl Check if anon maps are available, check if we can determine the page size
diff -Nru libclamunrar-0.101.1/m4/reorganization/code_checks/fuzz.m4 libclamunrar-0.101.2/m4/reorganization/code_checks/fuzz.m4
--- libclamunrar-0.101.1/m4/reorganization/code_checks/fuzz.m4	1970-01-01 01:00:00.000000000 +0100
+++ libclamunrar-0.101.2/m4/reorganization/code_checks/fuzz.m4	2019-03-30 14:57:20.000000000 +0100
@@ -0,0 +1,11 @@
+AC_ARG_ENABLE(fuzz,
+	      AC_HELP_STRING([--enable-fuzz],
+			     [enable building standalone fuzz targets
+			      @<:@default=no@:>@]),
+[enable_cov=$enableval],[enable_cov="no"])
+
+if test "x$enable_fuzz" = "xyes"; then
+    CXXFLAGS="-std=c++11 -stdlib=libc++ $CXXFLAGS"
+fi
+
+AM_CONDITIONAL(ENABLE_FUZZ, test "x$enable_fuzz" = "xyes")
diff -Nru libclamunrar-0.101.1/m4/reorganization/version.m4 libclamunrar-0.101.2/m4/reorganization/version.m4
--- libclamunrar-0.101.1/m4/reorganization/version.m4	2019-02-09 23:29:22.000000000 +0100
+++ libclamunrar-0.101.2/m4/reorganization/version.m4	2019-03-30 14:57:20.000000000 +0100
@@ -1,9 +1,9 @@
 dnl change this on a release
 dnl VERSION="devel-`date +%Y%m%d`"
-VERSION="0.101.1"
+VERSION="0.101.2"
 
 LC_CURRENT=9
-LC_REVISION=1
+LC_REVISION=2
 LC_AGE=0
 LIBCLAMAV_VERSION="$LC_CURRENT":"$LC_REVISION":"$LC_AGE"
 AC_SUBST([LIBCLAMAV_VERSION])
diff -Nru libclamunrar-0.101.1/Makefile.in libclamunrar-0.101.2/Makefile.in
--- libclamunrar-0.101.1/Makefile.in	2019-02-09 23:29:31.000000000 +0100
+++ libclamunrar-0.101.2/Makefile.in	2019-03-30 14:57:30.000000000 +0100
@@ -104,6 +104,7 @@
 	$(top_srcdir)/m4/reorganization/c_options.m4 \
 	$(top_srcdir)/m4/reorganization/compiler_checks.m4 \
 	$(top_srcdir)/m4/reorganization/linker_checks.m4 \
+	$(top_srcdir)/m4/reorganization/code_checks/fuzz.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/functions.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/mpool.m4 \
 	$(top_srcdir)/m4/reorganization/code_checks/unit_tests.m4 \

--- End Message ---
--- Begin Message --- 
Sebastian Andrzej Siewior:
> Package: release.debian.org
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> Severity: normal
> 
> Please unblock package libclamunrar.
> The new release is part of the new clamav release which fixes two RAR
> related CVEs.
> 
> unblock libclamunrar/0.101.2-1
> 
> Sebastian
> 

Unblocked, thanks.
~Niels

--- End Message ---
Reply to: