1 Topic by aloniv

  • aloniv
  • Hyper Expert
  • Offline
  • Registered: 2018-08-16
  • Posts: 153

Topic: [solved] ClamAV contains a remote code execution vulnerability

https://blog.clamav.net/2023/02/clamav- … patch.html

ClamAV 0.103.8 is a critical patch release with the following fixes:

    CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

    CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

    Update the vendored libmspack library to version 0.11alpha.

        GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/830

2 Reply by aloniv (edited by aloniv 2023-02-21 05:31:30)

  • aloniv
  • Hyper Expert
  • Offline
  • Registered: 2018-08-16
  • Posts: 153

Re: [solved] ClamAV contains a remote code execution vulnerability

Updated PKGBUILD (I removed mksource and copied the relevant part to prepare and to the list of sources)

# Maintainer (Arch): Levente Polyak <anthraxx[at]archlinux[dot]org>
# Maintainer (Arch): Giancarlo Razzolini <grazzolini@archlinux.org>
# Contributor (Arch): Dale Blount <dale@archlinux.org>
# Contributor (Arch): Gregor Ibic <gregor.ibic@intelicom.si>
# Contributor (Arch): Gaetan Bisson <bisson@archlinux.org>
# Maintainer (Parabola): Omar Vega Ramos <ovruni@gnu.org.pe>
# Contributor (Parabola): Isaac David <isacdaavid@at@isacdaavid@dot@info>
# Contributor (Artix): artoo <artoo@cromnix.org>
# Maintainer: André Silva <emulatorman@hyperbola.info>
# Contributor: Tobias Dausend <throgh@hyperbola.info>

pkgname=clamav
pkgver=0.103.8
_debver=$pkgver
_debrel=0
pkgrel=1
pkgdesc='Anti-virus toolkit for Unix'
url='https://www.clamav.net/'
license=('GPL-2' 'custom:bzip2' 'zlib' 'Simplified-BSD' 'Modified-BSD' 'Expat' 'LGPL-2.1' 'Apache-2.0' 'custom:Apache-2.0+LLVM-Exceptions' 'custom:Apache-2.0+YARA-Exceptions')
arch=('i686' 'x86_64')
depends=('bzip2' 'libltdl' 'libxml2' 'curl' 'pcre2' 'json-c' 'libmspack')
makedepends=('libmilter' 'quilt')
backup=('etc/clamav/clamd.conf'
        'etc/clamav/freshclam.conf'
        'etc/clamav/clamav-milter.conf'
        'etc/logrotate.d/clamav')
install=clamav.install
source=("https://www.clamav.net/downloads/production/${pkgname}-${pkgver}.tar.gz"{,.sig}
        "https://deb.debian.org/debian/pool/main/c/clamav/clamav_${_debver}+dfsg-${_debrel}+deb11u1.debian.tar.xz"
        "clamav-milter.conf"
        "clamav-milter.initd"
        "clamav-milter.run"
        "clamd.conf"
        "clamd.initd"
        "clamd.run"
        "freshclam.conf"
        "freshclam.initd"
        "freshclam.run"
        "clamav.logrotate")
sha512sums=('8e030fef5788cf4df8f4d878363df1e5d9abcaa209b9f998f57334ede481d755b33958b5e9bb82be9643cb7442814711e4c9978314cadd7eb9161fee03b74439'
            'SKIP'
            '721df9042117bb9878ef1a5a4f560b12bdc859d3775788699afc182013892ac2af75d9b5c2c38ee47e56e2355234a95ef4146cddccb89a5d5728665abc023b39'
            '5b4b411b813ed83507323e4a5c0033cb57024b28a20aeadbf7920cdb947cf22b076113890b1d428c1cc248e12531e4b1321e35afd53b74d7ef65affe7bd00856'
            'd45fe161088df88b887e11470c61bc785e8d5f0b6221e1a029f210a61501fe818166f579754ed0cc887ad9e2ffb580f44c9d8f0aed7b6b2302cb771d79e8c601'
            'aaffc1af5b54ea0448bb1f4c7371f3e18f58100ab4d03ba6f8637080a81400eb43b8dda06e83d5131c0b9628d9afa79db557f924a09dc7eb4ac43c2704fef296'
            '6b37da795e2167f43294d1919020037eeeab45fe02d2976bcfd02980ec124f8b25401bee8dcb87363a21626f96950e5d7913f9c6d09279a13ecd1f1da9046e6a'
            '8b1a8571bc1f5e8e81bc3a2c0223a60f7b8ac453ff58dc2b0474741664718cf5b9342fa2648417d937a656a8302aedd228134f22deb4653639d3ed8770e39af3'
            'c6082d4ce54e4080edbb03a292932daa9ad0cb954e60069deea2e66ca348d4db7a9c2170c88b52f386bd1f2c8386440e1cc0e892ead9a79f6a78286d216912e1'
            '5d8a65aa4e0b711b96103a29fdcd38d7438603257c3df424dfe9cc2cbfd94c4f07c45447808f6e6bf161e9f0b121d59d6423dab7ff889c9954576eac8760250b'
            '63352877dc4d17d427df9145ccd5d2992e6d11a551ee378e148635aa515fc1dfe3cea4acef85b9565a493cddce9cfa8adbce026b67abee67d2e6e3f7f87e3c31'
            '845534dbc2660e7ee14ef588936beb78be9ff663ba26bb9b099d7c9f57536ee11a4b4febde8a3b5f48c9ef2740ec3d075f5b2b070112a8a3e70df56f1f331d3e'
            'd64c5d714608ebe138dce10371c498f04153639c72f936d74ee8e1fe6f41f77a5e93560524f35b1e5d5a0d07ba133327ac0ae55661418f2e1251f8ae4bf71c06')
validpgpkeys=('E34DB95B374B31570496CD3F609B024F2B3EDD07'  # Talos (Talos, Cisco Systems Inc.) <research@sourcefire.com>
              'C92BAA713B8D53D3CAE63FC9E6974752F9704456') # André Silva


prepare() {
  cd "${srcdir}/${pkgname}-${pkgver}"
    
  # Remove nonfree unRAR utility files from the source
  rm -rv libclamunrar
  rm -v COPYING.unrar

  if [[ ${pkgver%.*} = ${_debver%.*} ]]; then
    # Debian patches
    export QUILT_PATCHES=debian/patches
    export QUILT_REFRESH_ARGS='-p ab --no-timestamps --no-index'
    export QUILT_DIFF_ARGS='--no-timestamps'

    mv "$srcdir"/debian .

    quilt push -av
  fi

  autoreconf -fiv
}

build() {
  cd "${srcdir}/${pkgname}-${pkgver}"

  # --disable-zlib-vcheck because the configure script thinks that
  # zlib 1.2.11 is older than 1.2.2
  ./configure \
    --prefix=/usr \
    --sysconfdir=/etc/clamav \
    --with-dbdir=/var/lib/clamav \
    --with-user=clamav \
    --with-group=clamav \
    --with-system-libmspack \
    --disable-rpath \
    --disable-clamav \
    --disable-llvm \
    --disable-unrar \
    --enable-zlib-vcheck \
    --enable-milter \
    --enable-clamdtop

  sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0/g' libtool
  make
}

package() {
  cd "${srcdir}/${pkgname}-${pkgver}"
  make DESTDIR="${pkgdir}" install

  install -Dm644 ${srcdir}/clamav-milter.conf "${pkgdir}"/etc/clamav/clamav-milter.conf
  install -Dm644 ${srcdir}/clamd.conf "${pkgdir}"/etc/clamav/clamd.conf
  install -Dm644 ${srcdir}/freshclam.conf "${pkgdir}"/etc/clamav/freshclam.conf
  for f in clamav-milter clamd freshclam; do
    install -Dm755 ${srcdir}/$f.initd "${pkgdir}"/etc/init.d/$f
  done
  install -Dm755 ${srcdir}/clamav-milter.run ${pkgdir}/etc/sv/clamav-milter/run
  install -Dm755 ${srcdir}/clamd.run ${pkgdir}/etc/sv/clamd/run
  install -Dm755 ${srcdir}/freshclam.run ${pkgdir}/etc/sv/freshclam/run
  install -Dm644 ${srcdir}/clamav.logrotate "${pkgdir}"/etc/logrotate.d/clamav

  install -d -o 64 -g 64 "${pkgdir}"/var/log/clamav
  install -d -o 64 -g 64 "${pkgdir}"/var/lib/clamav

  install -d -m755 "${pkgdir}"/usr/share/licenses/clamav
  install -m644 COPYING* "${pkgdir}"/usr/share/licenses/clamav
}

3 Reply by throgh

  • throgh
  • throgh
  • Package Development and Community Coordinator
  • Offline
  • From: Planet Earth
  • Registered: 2017-12-28
  • Posts: 2,924

Re: [solved] ClamAV contains a remote code execution vulnerability

We cannot use this PKGBUILD as we need elementary mksource: Distributing the source with clamav contain non-free unrar violates our social contract and the FSDG itself. ClamAV will receive an update.

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

4 Reply by throgh

  • throgh
  • throgh
  • Package Development and Community Coordinator
  • Offline
  • From: Planet Earth
  • Registered: 2017-12-28
  • Posts: 2,924

Re: [solved] ClamAV contains a remote code execution vulnerability

Fixed: https://git.hyperbola.info:50100/~team/ … 24157fce79

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!

5 Reply by aloniv

  • aloniv
  • Hyper Expert
  • Offline
  • Registered: 2018-08-16
  • Posts: 153

Re: [solved] ClamAV contains a remote code execution vulnerability

Thanks. Will it be part of the current repos of just in the next release?

6 Reply by throgh

  • throgh
  • throgh
  • Package Development and Community Coordinator
  • Offline
  • From: Planet Earth
  • Registered: 2017-12-28
  • Posts: 2,924

Re: [solved] ClamAV contains a remote code execution vulnerability

Yes, absolutely. smile

Human being in favor with clear principles and so also for freedom in soft- and hardware!

Certainly anyone who has the power to make you believe absurdities has the power to make you commit injustices: For a life of every being full with peace and kindness, including diversity and freedom. Capitalism is destroying our minds, the planet itself and the universe in the end!