app-antivirus/clamav: Rev bump to add patch for CVE-2012-6706

...aka VMSF_DELTA Filter Signedness Error.

Bug: https://bugs.gentoo.org/623534
Package-Manager: Portage-2.3.24, Repoman-2.3.6

2 files changed, 346 insertions, 0 deletions

diff --git a/app-antivirus/clamav/clamav-0.99.3-r2.ebuild b/app-antivirus/clamav/clamav-0.99.3-r2.ebuild
new file mode 100644
index 000000000000..f0977dc5f0ff
--- /dev/null
+++ b/app-antivirus/clamav/clamav-0.99.3-r2.ebuild
@@ -0,0 +1,160 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+inherit autotools eutils flag-o-matic user systemd
+
+DESCRIPTION="Clam Anti-Virus Scanner"
+HOMEPAGE="http://www.clamav.net/"
+SRC_URI="https://www.clamav.net/downloads/production/${P}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~ppc ~ppc64 ~sparc ~x86 ~x86-fbsd ~amd64-linux ~x86-linux ~ppc-macos ~sparc-solaris ~x86-solaris"
+IUSE="bzip2 clamdtop iconv ipv6 libressl milter metadata-analysis-api selinux static-libs uclibc"
+
+CDEPEND="bzip2? ( app-arch/bzip2 )
+	clamdtop? ( sys-libs/ncurses:0 )
+	iconv? ( virtual/libiconv )
+	metadata-analysis-api? ( dev-libs/json-c:= )
+	milter? ( || ( mail-filter/libmilter mail-mta/sendmail ) )
+	dev-libs/libtommath
+	>=sys-libs/zlib-1.2.2:=
+	!libressl? ( dev-libs/openssl:0= )
+	libressl? ( dev-libs/libressl:0= )
+	sys-devel/libtool
+	|| ( dev-libs/libpcre2 >dev-libs/libpcre-6 )
+	!!<app-antivirus/clamav-0.99"
+# hard block clamav < 0.99 due to linking problems Bug #567680
+# openssl is now *required* see this link as to why
+# http://blog.clamav.net/2014/02/introducing-openssl-as-dependency-to.html
+DEPEND="${CDEPEND}
+	virtual/pkgconfig"
+RDEPEND="${CDEPEND}
+	selinux? ( sec-policy/selinux-clamav )"
+
+DOCS=( AUTHORS BUGS ChangeLog FAQ INSTALL NEWS README UPGRADE )
+PATCHES=(
+	"${FILESDIR}"/${PN}-0.99.2-gcc-6.patch
+	"${FILESDIR}"/${PN}-0.99.2-tinfo.patch
+	"${FILESDIR}"/${PN}-0.99.2-bytecode_api.patch
+	"${FILESDIR}"/${PN}-0.99.2-pcre2-compile-erroffset.patch
+	"${FILESDIR}"/${PN}-0.99.3-fix-fd-leaks-in-cli_scanscript.patch
+	"${FILESDIR}"/${PN}-0.99.3-VMSF_DELTA-fix-CVE-2012-6706.patch
+)
+
+pkg_setup() {
+	enewgroup clamav
+	enewuser clamav -1 -1 /dev/null clamav
+}
+
+src_prepare() {
+	default
+
+	eautoconf
+}
+
+src_configure() {
+	use ppc64 && append-flags -mminimal-toc
+	use uclibc && export ac_cv_type_error_t=yes
+
+	econf \
+		$(use_enable bzip2) \
+		$(use_enable clamdtop) \
+		$(use_enable ipv6) \
+		$(use_enable milter) \
+		$(use_enable static-libs static) \
+		$(use_with iconv) \
+		$(use_with metadata-analysis-api libjson /usr) \
+		--cache-file="${S}"/config.cache \
+		--disable-experimental \
+		--disable-gcc-vcheck \
+		--disable-zlib-vcheck \
+		--enable-id-check \
+		--with-dbdir="${EPREFIX}"/var/lib/clamav \
+		--with-system-tommath \
+		--with-zlib="${EPREFIX}"/usr
+}
+
+src_install() {
+	default
+
+	rm -rf "${ED}"/var/lib/clamav
+	newinitd "${FILESDIR}"/clamd.initd-r6 clamd
+	newconfd "${FILESDIR}"/clamd.conf-r1 clamd
+
+	systemd_dotmpfilesd "${FILESDIR}/tmpfiles.d/clamav.conf"
+	systemd_newunit "${FILESDIR}/clamd_at.service" "clamd@.service"
+	systemd_dounit "${FILESDIR}/clamd.service"
+	systemd_dounit "${FILESDIR}/freshclamd.service"
+
+	keepdir /var/lib/clamav
+	fowners clamav:clamav /var/lib/clamav
+	keepdir /var/log/clamav
+	fowners clamav:clamav /var/log/clamav
+
+	dodir /etc/logrotate.d
+	insinto /etc/logrotate.d
+	newins "${FILESDIR}"/clamav.logrotate clamav
+
+	# Modify /etc/{clamd,freshclam}.conf to be usable out of the box
+	sed -i -e "s:^\(Example\):\# \1:" \
+		-e "s:.*\(PidFile\) .*:\1 ${EPREFIX}/var/run/clamav/clamd.pid:" \
+		-e "s:.*\(LocalSocket\) .*:\1 ${EPREFIX}/var/run/clamav/clamd.sock:" \
+		-e "s:.*\(User\) .*:\1 clamav:" \
+		-e "s:^\#\(LogFile\) .*:\1 ${EPREFIX}/var/log/clamav/clamd.log:" \
+		-e "s:^\#\(LogTime\).*:\1 yes:" \
+		-e "s:^\#\(AllowSupplementaryGroups\).*:\1 yes:" \
+		"${ED}"/etc/clamd.conf.sample || die
+	sed -i -e "s:^\(Example\):\# \1:" \
+		-e "s:.*\(PidFile\) .*:\1 ${EPREFIX}/var/run/clamav/freshclam.pid:" \
+		-e "s:.*\(DatabaseOwner\) .*:\1 clamav:" \
+		-e "s:^\#\(UpdateLogFile\) .*:\1 ${EPREFIX}/var/log/clamav/freshclam.log:" \
+		-e "s:^\#\(NotifyClamd\).*:\1 ${EPREFIX}/etc/clamd.conf:" \
+		-e "s:^\#\(ScriptedUpdates\).*:\1 yes:" \
+		-e "s:^\#\(AllowSupplementaryGroups\).*:\1 yes:" \
+		"${ED}"/etc/freshclam.conf.sample || die
+
+	if use milter ; then
+		# MilterSocket one to include ' /' because there is a 2nd line for
+		# inet: which we want to leave
+		dodoc "${FILESDIR}"/clamav-milter.README.gentoo
+		sed -i -e "s:^\(Example\):\# \1:" \
+			-e "s:.*\(PidFile\) .*:\1 ${EPREFIX}/var/run/clamav/clamav-milter.pid:" \
+			-e "s+^\#\(ClamdSocket\) .*+\1 unix:${EPREFIX}/var/run/clamav/clamd.sock+" \
+			-e "s:.*\(User\) .*:\1 clamav:" \
+			-e "s+^\#\(MilterSocket\) /.*+\1 unix:${EPREFIX}/var/run/clamav/clamav-milter.sock+" \
+			-e "s:^\#\(AllowSupplementaryGroups\).*:\1 yes:" \
+			-e "s:^\#\(LogFile\) .*:\1 ${EPREFIX}/var/log/clamav/clamav-milter.log:" \
+			"${ED}"/etc/clamav-milter.conf.sample || die
+		cat >> "${ED}"/etc/conf.d/clamd <<-EOF
+			MILTER_NICELEVEL=19
+			START_MILTER=no
+		EOF
+
+		systemd_newunit "${FILESDIR}/clamav-milter.service-r1" clamav-milter.service
+	fi
+
+	for i in clamd freshclam clamav-milter
+	do
+		[[ -f "${D}"/etc/"${i}".conf.sample ]] && mv "${D}"/etc/"${i}".conf{.sample,}
+	done
+
+	prune_libtool_files --all
+}
+
+src_test() {
+	emake quick-check
+}
+
+pkg_postinst() {
+	if use milter ; then
+		elog "For simple instructions how to setup the clamav-milter read the"
+		elog "clamav-milter.README.gentoo in /usr/share/doc/${PF}"
+	fi
+	if test -z $(find "${ROOT}"var/lib/clamav -maxdepth 1 -name 'main.c*' -print -quit) ; then
+		ewarn "You must run freshclam manually to populate the virus database files"
+		ewarn "before starting clamav for the first time.\n"
+	fi
+}
diff --git a/app-antivirus/clamav/files/clamav-0.99.3-VMSF_DELTA-fix-CVE-2012-6706.patch b/app-antivirus/clamav/files/clamav-0.99.3-VMSF_DELTA-fix-CVE-2012-6706.patch
new file mode 100644
index 000000000000..90facf6eae06
--- /dev/null
+++ b/app-antivirus/clamav/files/clamav-0.99.3-VMSF_DELTA-fix-CVE-2012-6706.patch
@@ -0,0 +1,186 @@
+Apply proposed changes to fix RAR VMSF_DELTA Filter Signedness error (CVE-2012-6706)
+
+Cherry picked from commit a7d8447bd9a4d5ae1fa970c1849c8caeb5f1a805 [Link 1] and
+d4699442bce76574573dc564e7f2177d679b88bd [Link 2].
+
+Link 1: https://github.com/Cisco-Talos/clamav-devel/commit/a7d8447bd9a4d5ae1fa970c1849c8caeb5f1a805
+Link 2: https://github.com/Cisco-Talos/clamav-devel/commit/d4699442bce76574573dc564e7f2177d679b88bd
+
+--- a/libclamunrar/unrarvm.c
++++ b/libclamunrar/unrarvm.c
+@@ -213,17 +213,20 @@ void rarvm_addbits(rarvm_input_t *rarvm_input, int bits)
+ 
+ unsigned int rarvm_getbits(rarvm_input_t *rarvm_input)
+ {
+-	unsigned int bit_field;
++        unsigned int bit_field = 0;
+ 
+-	if (rarvm_input->in_addr+2 < rarvm_input->buf_size) {
++        if (rarvm_input->in_addr < rarvm_input->buf_size) {
+             bit_field = (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr] << 16;
+-            bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
+-            bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+2];
+-            bit_field >>= (8-rarvm_input->in_bit);
+-
+-            return (bit_field & 0xffff);
++            if (rarvm_input->in_addr+1 < rarvm_input->buf_size) {
++                bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+1] << 8;
++                if (rarvm_input->in_addr+2 < rarvm_input->buf_size) {
++                    bit_field |= (unsigned int) rarvm_input->in_buf[rarvm_input->in_addr+2];
++                }
++            }
+         }
+-        return 0;
++        bit_field >>= (8-rarvm_input->in_bit);
++
++        return (bit_field & 0xffff);
+ }
+ 
+ unsigned int rarvm_read_data(rarvm_input_t *rarvm_input)
+@@ -311,10 +314,10 @@ static unsigned int *rarvm_get_operand(rarvm_data_t *rarvm_data,
+ 	}
+ }
+ 
+-static unsigned int filter_itanium_getbits(unsigned char *data, int bit_pos, int bit_count)
++static unsigned int filter_itanium_getbits(unsigned char *data, unsigned int bit_pos, unsigned int bit_count)
+ {
+-	int in_addr=bit_pos/8;
+-	int in_bit=bit_pos&7;
++	unsigned int in_addr=bit_pos/8;
++	unsigned int in_bit=bit_pos&7;
+ 	unsigned int bit_field=(unsigned int)data[in_addr++];
+ 	bit_field|=(unsigned int)data[in_addr++] << 8;
+ 	bit_field|=(unsigned int)data[in_addr++] << 16;
+@@ -323,10 +326,10 @@ static unsigned int filter_itanium_getbits(unsigned char *data, int bit_pos, int
+ 	return(bit_field & (0xffffffff>>(32-bit_count)));
+ }
+ 
+-static void filter_itanium_setbits(unsigned char *data, unsigned int bit_field, int bit_pos, int bit_count)
++static void filter_itanium_setbits(unsigned char *data, unsigned int bit_field, unsigned int bit_pos, unsigned int bit_count)
+ {
+-	int i, in_addr=bit_pos/8;
+-	int in_bit=bit_pos&7;
++	unsigned int i, in_addr=bit_pos/8;
++	unsigned int in_bit=bit_pos&7;
+ 	unsigned int and_mask=0xffffffff>>(32-bit_count);
+ 	and_mask=~(and_mask<<in_bit);
+ 
+@@ -343,11 +346,12 @@ static void filter_itanium_setbits(unsigned char *data, unsigned int bit_field,
+ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_filters_t filter_type)
+ {
+ 	unsigned char *data, cmp_byte2, cur_byte, *src_data, *dest_data;
+-	int i, j, data_size, channels, src_pos, dest_pos, border, width, PosR;
+-	int op_type, cur_channel, byte_count, start_pos, pa, pb, pc;
++	unsigned int i, j, data_size, channels, src_pos, dest_pos, border, width, PosR;
++	unsigned int op_type, cur_channel, byte_count, start_pos;
++	int pa, pb, pc;
+ 	unsigned int file_offset, cur_pos, predicted;
+-	int32_t offset, addr;
+-	const int file_size=0x1000000;
++	uint32_t offset, addr;
++	const unsigned int file_size=0x1000000;
+ 
+ 	switch(filter_type) {
+ 	case VMSF_E8:
+@@ -356,7 +360,7 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		data_size = rarvm_data->R[4];
+ 		file_offset = rarvm_data->R[6];
+ 
+-		if (((unsigned int)data_size >= VM_GLOBALMEMADDR) || (data_size < 4)) {
++		if ((data_size > VM_GLOBALMEMADDR) || (data_size < 4)) {
+ 			break;
+ 		}
+ 
+@@ -367,12 +371,14 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 			if (cur_byte==0xe8 || cur_byte==cmp_byte2) {
+ 				offset = cur_pos+file_offset;
+ 				addr = GET_VALUE(FALSE, data);
+-				if (addr < 0) {
+-					if (addr+offset >=0 ) {
++				// We check 0x80000000 bit instead of '< 0' comparison
++				// not assuming int32 presence or uint size and endianness.
++				if ((addr & 0x80000000)!=0) {              // addr<0
++					if (((addr+offset) & 0x80000000)==0) {   // addr+offset>=0
+ 						SET_VALUE(FALSE, data, addr+file_size);
+ 					}
+ 				} else {
+-					if (addr<file_size) {
++					if (((addr-file_size) & 0x80000000)!=0) { // addr<file_size
+ 						SET_VALUE(FALSE, data, addr-offset);
+ 					}
+ 				}
+@@ -386,7 +392,7 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		data_size = rarvm_data->R[4];
+ 		file_offset = rarvm_data->R[6];
+ 		
+-		if (((unsigned int)data_size >= VM_GLOBALMEMADDR) || (data_size < 21)) {
++		if ((data_size > VM_GLOBALMEMADDR) || (data_size < 21)) {
+ 			break;
+ 		}
+ 		
+@@ -429,7 +435,7 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		border = data_size*2;
+ 		
+ 		SET_VALUE(FALSE, &rarvm_data->mem[VM_GLOBALMEMADDR+0x20], data_size);
+-		if ((unsigned int)data_size >= VM_GLOBALMEMADDR/2) {
++		if (data_size > VM_GLOBALMEMADDR/2 || channels > 1024 || channels == 0) {
+ 			break;
+ 		}
+ 		for (cur_channel=0 ; cur_channel < channels ; cur_channel++) {
+@@ -440,7 +446,7 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		}
+ 		break;
+ 	case VMSF_RGB: {
+-		const int channels=3;
++		const unsigned int channels=3;
+ 		data_size = rarvm_data->R[4];
+ 		width = rarvm_data->R[0] - 3;
+ 		PosR = rarvm_data->R[1];
+@@ -448,15 +454,14 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		dest_data = src_data + data_size;
+ 		
+ 		SET_VALUE(FALSE, &rarvm_data->mem[VM_GLOBALMEMADDR+0x20], data_size);
+-		if ((unsigned int)data_size >= VM_GLOBALMEMADDR/2) {
++		if (data_size > VM_GLOBALMEMADDR/2 || data_size < 3 || width > data_size || PosR > 2) {
+ 			break;
+ 		}
+ 		for (cur_channel=0 ; cur_channel < channels; cur_channel++) {
+ 			unsigned int prev_byte = 0;
+ 			for (i=cur_channel ; i<data_size ; i+=channels) {
+-				int upper_pos=i-width;
+-				if (upper_pos >= 3) {
+-					unsigned char *upper_data = dest_data+upper_pos;
++				if (i >= width+3) {
++					unsigned char *upper_data = dest_data+i-width;
+ 					unsigned int upper_byte = *upper_data;
+ 					unsigned int upper_left_byte = *(upper_data-3);
+ 					predicted = prev_byte+upper_byte-upper_left_byte;
+@@ -486,13 +491,14 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		break;
+ 	}
+ 	case VMSF_AUDIO: {
+-		int channels=rarvm_data->R[0];
++		unsigned int channels=rarvm_data->R[0];
+ 		data_size = rarvm_data->R[4];
+ 		src_data = rarvm_data->mem;
+ 		dest_data = src_data + data_size;
+ 		
+ 		SET_VALUE(FALSE, &rarvm_data->mem[VM_GLOBALMEMADDR+0x20], data_size);
+-		if ((unsigned int)data_size >= VM_GLOBALMEMADDR/2) {
++		// In fact, audio channels never exceed 4.
++		if (data_size > VM_GLOBALMEMADDR/2 || channels > 128 || channels == 0) {
+ 			break;
+ 		}
+ 		for (cur_channel=0 ; cur_channel < channels ; cur_channel++) {
+@@ -553,7 +559,7 @@ static void execute_standard_filter(rarvm_data_t *rarvm_data, rarvm_standard_fil
+ 		data_size = rarvm_data->R[4];
+ 		src_pos = 0;
+ 		dest_pos = data_size;
+-		if ((unsigned int)data_size >= VM_GLOBALMEMADDR/2) {
++		if (data_size > VM_GLOBALMEMADDR/2) {
+ 			break;
+ 		}
+ 		while (src_pos < data_size) {
+-- 
+2.16.2
+