---
- branch: MAIN
  date: Sun Feb 28 17:14:10 UTC 2021
  files:
  - new: '1.74'
    old: '1.73'
    path: pkgsrc/security/clamav/Makefile
    pathrev: pkgsrc/security/clamav/Makefile@1.74
    type: modified
  - new: '1.19'
    old: '1.18'
    path: pkgsrc/security/clamav/Makefile.common
    pathrev: pkgsrc/security/clamav/Makefile.common@1.19
    type: modified
  - new: '1.36'
    old: '1.35'
    path: pkgsrc/security/clamav/distinfo
    pathrev: pkgsrc/security/clamav/distinfo@1.36
    type: modified
  - new: '1.4'
    old: '1.3'
    path: pkgsrc/security/clamav/patches/patch-libclamav_fmap.c
    pathrev: pkgsrc/security/clamav/patches/patch-libclamav_fmap.c@1.4
    type: modified
  id: 20210228T171410Z.04c15da7eb5f0959cf13ce5de512d75ceae25a67
  log: |
    security/clamav: update to 0.103.1

    0.103.1 (2021-01-31)

    ClamAV 0.103.1 is a patch release with the following fixes and improvements.

    Notable changes

    * Added a new scan option to alert on broken media (graphics) file formats.
      This feature mitigates the risk of malformed media files intended to
      exploit vulnerabilities in other software.  At present media validation
      exists for JPEG, TIFF, PNG, and GIF files.  To enable this feature, set
      AlertBrokenMedia yes in clamd.conf, or use the --alert-broken-media option
      when using clamscan.  These options are disabled by default in this patch
      release, but may be enabled in a subsequent release.  Application
      developers may enable this scan option by enabling
      CL_SCAN_HEURISTIC_BROKEN_MEDIA for the heuristic scan option bit field.

    * Added CL_TYPE_TIFF, CL_TYPE_JPEG types to match GIF, PNG typing behavior.
      BMP and JPEG 2000 files will continue to detect as CL_TYPE_GRAPHICS
      because ClamAV does not yet have BMP or JPEG 2000 format checking
      capabilities.

    Bug fixes

    * Fixed PNG parser logic bugs that caused an excess of parsing errors and
      fixed a stack exhaustion issue affecting some systems when scanning PNG
      files.  PNG file type detection was disabled via signature database update
      for ClamAV version 0.103.0 to mitigate the effects from these bugs.

    * Fixed an issue where PNG and GIF files no longer work with Target:5
      graphics signatures if detected as CL_TYPE_PNG/GIF rather than as
      CL_TYPE_GRAPHICS.  Target types now support up to 10 possible file types
      to make way for additional graphics types in future releases.

    * Fixed clamonacc's --fdpass option.

    * File descriptor passing (or "fd-passing") is a mechanism by which
      clamonacc and clamdscan may transfer an open file to clamd to scan, even
      if clamd is running as a non-privileged user and wouldn't otherwise have
      read-access to the file.  This enables clamd to scan all files without
      having to run clamd as root.  If possible, clamd should never be run as
      root so as to mitigate the risk in case clamd is somehow compromised while
      scanning malware.

    * Interprocess file descriptor passing for clamonacc was broken since
      version 0.102.0 due to a bug introduced by the switch to curl for
      communicating with clamd.  On Linux, passing file descriptors from one
      process to another is handled by the kernel, so we reverted clamonacc to
      use standard system calls for socket communication when fd passing is
      enabled.

    * Fixed a clamonacc stack corruption issue on some systems when using an
      older version of libcurl.  Patch courtesy of Emilio Pozuelo Monfort.

    * Allow clamscan and clamdscan scans to proceed even if the realpath lookup
      failed.  This alleviates an issue on Windows scanning files hosted on
      file- systems that do not support the GetMappedFileNameW() API such as on
      ImDisk RAM-disks.

    * Fixed freshclam --on-update-execute=EXIT_1 temporary directory cleanup
      issue.

    * clamd's log output and VirusEvent now provide the scan target's file path
      instead of a file descriptor.  The clamd socket API for submitting a scan
      by FD-passing doesn't include a file path, this feature works by looking
      up the file path by file descriptor.  This feature works on Mac and Linux
      but is not yet implemented for other UNIX operating systems.  FD-passing
      is not available for Windows.

    * Fixed an issue where freshclam database validation didn't work correctly
      when run in daemon mode on Linux/Unix.

    Other improvements

    * Scanning JPEG, TIFF, PNG, and GIF files will no longer return "parse"
      errors when file format validation fails.  Instead, the scan will alert
      with the "Heuristics.Broken.Media" signature prefix and a descriptive
      suffix to indicate the issue, provided that the "alert broken media"
      feature is enabled.

    * GIF format validation will no longer fail if the GIF image is missing the
      trailer byte, as this appears to be a relatively common issue in otherwise
      functional GIF files.

    * Added a TIFF dynamic configuration (DCONF) option, which was missing.
      This will allow us to disable TIFF format validation via signature
      database update in the event that it proves to be problematic.  This
      feature already exists for many other file types.

    Acknowledgements

    The ClamAV team thanks the following individuals for their code submissions:

    Emilio Pozuelo Monfort
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/clamav'
  unixtime: '1614532450'
  user: taca