--- - branch: MAIN date: Mon Aug 5 14:44:20 UTC 2019 files: - new: '1.51' old: '1.50' path: pkgsrc/security/clamav/Makefile pathrev: pkgsrc/security/clamav/Makefile@1.51 type: modified - new: '1.11' old: '1.10' path: pkgsrc/security/clamav/Makefile.common pathrev: pkgsrc/security/clamav/Makefile.common@1.11 type: modified - new: '1.7' old: '1.6' path: pkgsrc/security/clamav/PLIST pathrev: pkgsrc/security/clamav/PLIST@1.7 type: modified - new: '1.8' old: '1.7' path: pkgsrc/security/clamav/buildlink3.mk pathrev: pkgsrc/security/clamav/buildlink3.mk@1.8 type: modified - new: '1.28' old: '1.27' path: pkgsrc/security/clamav/distinfo pathrev: pkgsrc/security/clamav/distinfo@1.28 type: modified - new: '1.6' old: '1.5' path: pkgsrc/security/clamav/options.mk pathrev: pkgsrc/security/clamav/options.mk@1.6 type: modified - new: '1.5' old: '1.4' path: pkgsrc/security/clamav/patches/patch-Makefile.in pathrev: pkgsrc/security/clamav/patches/patch-Makefile.in@1.5 type: modified - new: '1.2' old: 1.1.1.1 path: pkgsrc/security/clamav/patches/patch-ab pathrev: pkgsrc/security/clamav/patches/patch-ab@1.2 type: modified id: 20190805T144420Z.62db9a22cb29d8980e2cd268daed7eb3d14ad402 log: | Update clamav to 0.101.2 Remove rar support to workaround PR pkg/54420 This release includes 3 extra security related bug fixes that do not apply to prior versions. In addition, it includes a number of minor bug fixes and improvements. * Fixes for the following vulnerabilities affecting 0.101.1 and prior: + CVE-2019-1787: An out-of-bounds heap read condition may occur when scanning PDF documents. The defect is a failure to correctly keep track of the number of bytes remaining in a buffer when indexing file data. + CVE-2019-1789: An out-of-bounds heap read condition may occur when scanning PE files (i.e. Windows EXE and DLL files) that have been packed using Aspack as a result of inadequate bound-checking. + CVE-2019-1788: An out-of-bounds heap write condition may occur when scanning OLE2 files such as Microsoft Office 97-2003 documents. The invalid write happens when an invalid pointer is mistakenly used to initialize a 32bit integer to zero. This is likely to crash the application. * Fixes for the following ClamAV vulnerabilities: + CVE-2018-15378: Vulnerability in ClamAV's MEW unpacking feature that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. Reported by Secunia Research at Flexera. + Fix for a 2-byte buffer over-read bug in ClamAV's PDF parsing code. Reported by Alex Gaynor. * Fixes for the following vulnerabilities in bundled third-party libraries: + CVE-2018-14680: An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames. + CVE-2018-14681: An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions could cause a one or two byte overwrite. + CVE-2018-14682: An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM decompression. + Additionally, 0.100.2 reverted 0.100.1's patch for CVE-2018-14679, and applied libmspack's version of the fix in its place. * Fixes for the following CVE's: + CVE-2017-16932: Vulnerability in libxml2 dependency (affects ClamAV on Windows only). + CVE-2018-0360: HWP integer overflow, infinite loop vulnerability. Reported by Secunia Research at Flexera. + CVE-2018-0361: ClamAV PDF object length check, unreasonably long time to parse relatively small file. Reported by aCaB. For the full release notes, see: https://github.com/Cisco-Talos/clamav-devel/blob/clamav-0.101.2/NEWS.md module: pkgsrc subject: 'CVS commit: pkgsrc/security/clamav' unixtime: '1565016260' user: prlw1