Version in base suite: 0.101.2+dfsg-1
Version in overlay suite: 0.101.2+dfsg-1+deb10u1

Base version: clamav_0.101.2+dfsg-1+deb10u1
Target version: clamav_0.101.4+dfsg-0+deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/c/clamav/clamav_0.101.2+dfsg-1+deb10u1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/c/clamav/clamav_0.101.4+dfsg-0+deb10u1.dsc

 NEWS.md | 149 ++-
 clamd/server-th.c | 43
 clamscan/clamscan.c | 3
 clamscan/manager.c | 35
 configure | 26
 configure.ac | 6
 debian/.git-dpm | 14
 debian/changelog | 11
 debian/clamav-daemon.postinst.in | 2
 debian/libclamav9.symbols | 391 ++++----
 debian/patches/Add-support-for-LLVM-3.7.patch | 2
 debian/patches/Add-support-for-LLVM-3.8.patch | 2
 debian/patches/Add-support-for-LLVM-3.9.patch | 2
 debian/patches/Adds-detection-and-heuristic-alert-for-zips-with-ove.patch | 233 -----
 debian/patches/Bumped-version-number-to-0.101.3.patch | 460 ----------
 debian/patches/Change-paths-in-sample-conf-file-to-match-Debian.patch | 2
 debian/patches/add-support-for-system-tomsfastmath.patch | 4
 debian/patches/clamd_dont_depend_on_clamav_demon_socket.patch | 2
 debian/patches/series | 2
 debian/rules | 2
 docs/UserManual.md | 2
 docs/UserManual/Installation-Windows.md | 8
 docs/html/UserManual.html | 2
 docs/html/UserManual/Installation-Unix/Steps-macOS.html | 4
 docs/html/UserManual/Installation-Windows.html | 8
 docs/html/UserManual/Signatures/PhishSigs.html | 16
 docs/html/UserManual/development.html | 2
 etc/clamd.conf.sample | 22
 freshclam/manager.c | 41
 libclamav/bytecode_api.h | 54 -
 libclamav/clamav.h | 2
 libclamav/default.h | 1
 libclamav/libclamav.map | 6
 libclamav/matcher-pcre.c | 6
 libclamav/nsis/bzlib.c | 102 +-
 libclamav/others.c | 77 +
 libclamav/others.h | 16
 libclamav/scanners.c | 35
 libclamav/unzip.c | 79 +
 libclamav/version.h | 1
 m4/reorganization/version.m4 | 4
 shared/optparser.c | 59 -
 unit_tests/valgrind.supp | 33
 43 files changed, 768 insertions(+), 1203 deletions(-)

diff -Nru clamav-0.101.2+dfsg/NEWS.md 
clamav-0.101.4+dfsg/NEWS.md --- clamav-0.101.2+dfsg/NEWS.md 2019-03-13 21:13:01.000000000 +0000 +++ clamav-0.101.4+dfsg/NEWS.md 2019-08-20 16:08:49.000000000 +0000 
@@ -3,6 +3,59 @@ Note: This file refers to the source tarball. Things described here may differ slightly from the binary packages. +## 0.101.4 + +ClamAV 0.101.4 is a security patch release that addresses the following issues. + +- An out of bounds write was possible within ClamAV's NSIS bzip2 library when + attempting decompression in cases where the number of selectors exceeded the + max limit set by the library (CVE-2019-12900). The issue has been resolved + by respecting that limit. + + Thanks to Martin Simmons for reporting the issue [here](https://bugzilla.clamav.net/show_bug.cgi?id=12371) + +- The zip bomb vulnerability mitigated in 0.101.3 has been assigned the + CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb + mitigation was immediately identified. To remediate the zip-bomb scantime + issue, a scan time limit has been introduced in 0.101.4. This limit now + resolves ClamAV's vulnerability to CVE-2019-12625. + + The default scan time limit is 2 minutes (120000 milliseconds). + + To customize the time limit: + + - use the `clamscan` `--max-scantime` option + - use the `clamd` `MaxScanTime` config option + + Libclamav users may customize the time limit using the `cl_engine_set_num` + function. For example: + + ```c + cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds) + ``` + + Thanks to David Fifield for reviewing the zip-bomb mitigation in 0.101.3 + and reporting the issue. + +## 0.101.3 + +ClamAV 0.101.3 is a patch release to address a vulnerability to non-recursive +zip bombs. + +A Denial-of-Service (DoS) vulnerability may occur when scanning a zip bomb as a +result of excessively long scan times. The issue is resolved by detecting the +overlapping local file headers which characterize the non-recursive zip bomb +described by David Fifield, +[here](https://www.bamsoftware.com/hacks/zipbomb/). 
+ +Thank you to Hanno Böck for reporting the issue as it relates to ClamAV, +[here](https://bugzilla.clamav.net/show_bug.cgi?id=12356). + +Also included in 0.101.3: + +- Update of bundled the libmspack library from 0.8alpha to 0.10alpha, to + address a buffer overflow vulnerability in libmspack < 0.9.1α. + ## 0.101.2 ClamAV 0.101.2 is a patch release to address a handful of security related bugs. @@ -508,7 +561,7 @@ a handful of other important bugs, including patches to support g++ 6, C++11. Thank you to the following ClamAV community members for your code -submissions and bug reports! +submissions and bug reports! Alberto Garcia Bernhard Vogel @@ -550,7 +603,7 @@ - fix ups improving the reliability of several ClamAV file parsers. - sigtool now decodes file type signatures (e.g., daily.ftm CVD file). - now supporting libpcre2 in addition to libpcre. -- systemd support for clamd and freshclam. Patch provided by +- systemd support for clamd and freshclam. Patch provided by Andreas Cadhalpun. - fixed builds on Mac OS X 10.10 & 10.11. - improved debug info for certificate metadata. @@ -592,7 +645,7 @@ ## 0.99 -ClamAV 0.99 contains major new features and changes. YARA rules, +ClamAV 0.99 contains major new features and changes. YARA rules, Perl Compatible Regular Expressions, revamped on-access scanning for Linux, and other new features join the many great features of ClamAV: 
@@ -603,10 +656,10 @@ for full details. - New and improved on-access scanning for Linux. See the recent blog post and clamdoc.pdf for details on the new on-access capabilities. -- A new ClamAV API callback function that is invoked when a virus - is found. This is intended primarily for applications running in - all-match mode. Any applications using all-match mode must use - the new callback function to record and report detected viruses. +- A new ClamAV API callback function that is invoked when a virus + is found. This is intended primarily for applications running in + all-match mode. Any applications using all-match mode must use + the new callback function to record and report detected viruses. - Configurable default password list to attempt zip file decryption. - TIFF file support. - Upgrade Windows pthread library to 2.9.1. @@ -643,7 +696,7 @@ ## 0.98.7 ClamAV 0.98.7 is here! This release contains new scanning features -and bug fixes. +and bug fixes. - Improvements to PDF processing: decryption, escape sequence handling, and file property collection. @@ -663,7 +716,7 @@ CVE-2015-2668. - Fix compilation error after ./configure --disable-pthreads. Reported and fix suggested by John E. Krokes. -- Apply upstream patch for possible heap overflow in Henry Spencer's +- Apply upstream patch for possible heap overflow in Henry Spencer's regex library. CVE-2015-2305. - Fix crash in upx decoder with crafted file. Discovered and patch supplied by Sebastian Andrzej Siewior. CVE-2015-2170. @@ -704,7 +757,7 @@ - Compensate a crash due to incorrect compiler optimization when handling crafted petite packer files. This issue was discovered by Sebastian Andrzej Siewior. - + Thanks to the following ClamAV community members for code submissions and bug reporting included in ClamAV 0.98.6: 
@@ -803,17 +856,17 @@ about OpenIOC. - All ClamAV sockets (clamd, freshclam, clamav-milter, clamdscan, clamdtop) now support IPV6 addresses and configuration parameters. -- Use OpenSSL file hash functions for improved performance. OpenSSL +- Use OpenSSL file hash functions for improved performance. OpenSSL is now prerequisite software for ClamAV 0.98.2. - Improved detection of malware scripts within image files. Issue reported by Maarten Broekman. - Change to circumvent possible denial of service when processing icons within specially crafted PE files. Icon limits are now in place with corresponding - clamd and clamscan configuration parameters. This issue was reported by + clamd and clamscan configuration parameters. This issue was reported by Joxean Koret. - Improvements to the fidelity of the ClamAV pattern matcher, an issue reported by Christian Blichmann. -- Opt-in collection of statistics. Statistics collected are: sizes and MD5 +- Opt-in collection of statistics. Statistics collected are: sizes and MD5 hashes of files, PE file section counts and section MD5 hashes, and names and counts of detected viruses. Enable statistics collection with the --enable-stats clamscan flag or StatsEnabled clamd configuration @@ -822,7 +875,7 @@ assistance and suggestions by Sebastian Andrzej Siewior, Scott Kitterman, and Dave Simonson. - Patch by Arkadiusz Miskiewicz to improve error handling in freshclam. -- ClamAV 0.98.2 also includes miscellaneous bug fixes and documentation +- ClamAV 0.98.2 also includes miscellaneous bug fixes and documentation improvements. Thanks to the following ClamAV community members for sending patches or reporting 
@@ -841,7 +894,7 @@ REGARDING OPENSSL In addition, as a special exception, the copyright holders give -permission to link the code of portions of this program with the +permission to link the code of portions of this program with the OpenSSL library under certain conditions as described in each individual source file, and distribute linked combinations including the two. @@ -849,20 +902,20 @@ You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL. If you modify file(s) with this exception, you may extend this exception to your -version of the file(s), but you are not obligated to do so. If you +version of the file(s), but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. If you delete this exception statement from all source files in the program, then also delete it here. ## 0.98.1 -ClamAV 0.98.1 provides improved support of Mac OS X platform, support for new file types, and +ClamAV 0.98.1 provides improved support of Mac OS X platform, support for new file types, and quality improvements. These include: - Extraction, decompression, and scanning of files within Apple Disk Image (DMG) format. - Extraction, decompression, and scanning of files within Extensible Archive (XAR) format. - XAR format is commonly used for software packaging, such as PKG and RPM, as well as + XAR format is commonly used for software packaging, such as PKG and RPM, as well as general archival. - Decompression and scanning of files in "Xz" compression format. @@ -877,7 +930,7 @@ performance cost. This should only be needed when callback functions are used that need file access. -- Various improvements to ClamAV configuration, support of third party libraries, +- Various improvements to ClamAV configuration, support of third party libraries, and unit tests. ## 0.98 
@@ -915,8 +968,8 @@ - New callbacks added to the API: The libclamav API has additional hooks for developers to use when wrapping ClamAV scanning. These function - types are prefixed with "clcb_" and allow developers to add logic at - certain steps of the scanning process without directly modifying the + types are prefixed with "clcb_" and allow developers to add logic at + certain steps of the scanning process without directly modifying the library. For more details refer to the clamav.h file. - More configurable limits: Several hardcoded values are now configurable @@ -962,20 +1015,20 @@ ## 0.97.5 -ClamAV 0.97.5 addresses possible evasion cases in some archive formats -(CVE-2012-1457, CVE-2012-1458, CVE-2012-1459). It also addresses stability -issues in portions of the bytecode engine. This release is recommended for +ClamAV 0.97.5 addresses possible evasion cases in some archive formats +(CVE-2012-1457, CVE-2012-1458, CVE-2012-1459). It also addresses stability +issues in portions of the bytecode engine. This release is recommended for all users. ## 0.97.4 -ClamAV 0.97.4 includes minor bugfixes, detection improvements and initial -support for on-access scanning under Mac OS X (see contrib/ClamAuth). +ClamAV 0.97.4 includes minor bugfixes, detection improvements and initial +support for on-access scanning under Mac OS X (see contrib/ClamAuth). This update is recommended for all users. ## 0.97.3 -ClamAV 0.97.3 is a minor bugfix release and is recommended for all +ClamAV 0.97.3 is a minor bugfix release and is recommended for all users. Please refer to the ChangeLog file for details. ## 0.97.2 
@@ -996,9 +1049,9 @@ ClamAV 0.97 brings many improvements, including complete Windows support (all major components compile out-of-box under Visual Studio), support for -signatures based on SHA1 and SHA256, better error detection, as well as -speed and memory optimizations. The complete list of changes is available -in the ChangeLog file. For upgrade notes and tips please see: +signatures based on SHA1 and SHA256, better error detection, as well as +speed and memory optimizations. The complete list of changes is available +in the ChangeLog file. For upgrade notes and tips please see: https://wiki.clamav.net/Main/UpgradeNotes097 With Sourcefire, Inc. acquisition of Immunet Corp., ClamAV for Windows @@ -1009,7 +1062,7 @@ and creation of custom signatures on any platform running Immunet 3.0, powered by ClamAV. If you run Windows systems in your environment and need an AV solution to protect them, give Immunet 3.0, powered by ClamAV -a try; you can download it from https://www.clamav.net/download.html#otherversions +a try; you can download it from https://www.clamav.net/download.html#otherversions -- The ClamAV team (https://www.clamav.net/about.html#credits) @@ -1401,7 +1454,7 @@ ## 0.90.3 This release fixes some security bugs in libclamav and improves stability -under Solaris. Please see ChangeLog for complete list of changes. +under Solaris. Please see ChangeLog for complete list of changes. If your system is suffering from long clamscan startup times, please consider installing 0.91rc1 which is due to be released shortly 
@@ -1455,9 +1508,9 @@ improvements in terms of detection rate and performances. If you find a bug, please take some time to report it on our bugzilla: https://bugzilla.clamav.net. Your help in testing the new code is really appreciated. The experimental code -introduces many improvements in terms of detection rate and performances. +introduces many improvements in terms of detection rate and performances. -RAR3, SIS and SFX archives support is finally available together with +RAR3, SIS and SFX archives support is finally available together with new unpackers and decryptors: pespin, sue, yc, wwpack32, nspack, mew, upack and others. Additionally, ClamAV now includes better mechanisms for scanning ELF, PDF and tar files. The email decoding has been improved to reduce both @@ -1466,10 +1519,10 @@ As part of the Google Summer of Code program, we have introduced support for a new phishing signatures format that has proved very effective in detecting phishing emails. The ClamAV phishing module allows better and more generic -detection of phishing emails by searching for URLs in email messages, and -comparing the real site with the URL displayed to the user in the message. +detection of phishing emails by searching for URLs in email messages, and +comparing the real site with the URL displayed to the user in the message. -On the performance side, support for the MULTISCAN command has been +On the performance side, support for the MULTISCAN command has been implemented in clamd, allowing to scan multiple files simultaneously. Support for Sensory Networks' NodalCore acceleration technology (https://www.clamav.net/nodalcore/) is now available in ClamAV and will be @@ -1568,7 +1621,7 @@ - mod_streamav - a ClamAV based antivirus filter for Apache 2 - pyClamd - a python interface to Clamd -More information at https://www.clamav.net/download.html#tools +More information at https://www.clamav.net/download.html#tools -- The ClamAV team (https://www.clamav.net/about.html#credits) 
@@ -1622,7 +1675,7 @@ Following the 0.88.1 release some portals and security related websites published incorrect information on security problems of 0.88. To avoid such incidents in the future, every new ClamAV package will be released -together with detailed information about security bugs it fixes. +together with detailed information about security bugs it fixes. -- The ClamAV team (https://www.clamav.net/about.html#credits) @@ -1892,7 +1945,7 @@ - simscan - an e-mail and spam filter for qmail - smtpfilter - scan SMTP session for viruses - snort-inline - scan your network traffic for viruses with ClamAV - - SquidClamAV Redirector - a Squid helper script which adds virus scanning + - SquidClamAV Redirector - a Squid helper script which adds virus scanning - WRAVLib - a library for a-v integration with Mono/.NET applications -- @@ -2050,7 +2103,7 @@ SourceWear.com is selling some very nice t-shirts and polo shirts powered by ClamAV. Wear them and virus writers will stay away from you :- A quarter out of every dollar profited from the sale of these shirts will go to the ClamAV -project. Visit http://www.sourcewear.com and click on ClamAV logo! +project. Visit http://www.sourcewear.com and click on ClamAV logo! -- The ClamAV team (https://www.clamav.net/about.html#credits) @@ -2071,7 +2124,7 @@ we plan to drop support for ClamAV 0.60 on September 1st. We encourage _all_ users to upgrade to the latest release available. -People running an old version of ClamAV are missing many viruses and +People running an old version of ClamAV are missing many viruses and may experience stability problems. On non-production systems you can try the latest development version. @@ -2109,7 +2162,7 @@ ## 0.73 This version fixes memory management problems in the OLE2 decoder and -improves mail scanning. +improves mail scanning. Thank you for using ClamAV ! 
@@ -2132,7 +2185,7 @@ the noteworthy changes include: - libclamav: - - support nested OLE2 files + - support nested OLE2 files - support Word6 macro code - ignore popular file types (media, graphics) - support compress.exe (SZDD) compression (test/test.msc) @@ -2367,7 +2420,7 @@ New mirroring mechanisms. Luca Gibelli (ClamAV) and mirror administrators (22 sites) are converting mirrors to new "push mirroring" method. It uses advanced techniques to ensure all the mirrors are up to date. -More info: https://www.clamav.net/documents/introduction +More info: https://www.clamav.net/documents/introduction We would like to thank our donors: @@ -2540,7 +2593,7 @@ - various mbox code updates (fixed memory leak; added support for decoding viruses sent in message bodies, detection of viruses that put their payloads after the end of message marker (thanks to Stephen White - for the bug report and useful CGI tools); + for the bug report and useful CGI tools); - zziplib updated to 0.10.81 (some problems with older version were reported by Martin Schitter) @@ -2681,7 +2734,7 @@ ## 0.52 This version contains a portability fixes - it should compile on OpenBSD, -MacOSX and NetBSD (support for them was broken in 0.51). +MacOSX and NetBSD (support for them was broken in 0.51). - clamd: various fixes: - drop supplementary groups (suggested by Enrico Scholz @@ -2751,7 +2804,7 @@ - clamd: a modern anti-virus daemon. It uses configuration file clamav.conf described in the clamav.conf(5) manual. The program was written with - security as a goal. + security as a goal. - clamuko: on-access scanning under Linux. It utilizes Dazuko kernel module (GPL, http://dazuko.org) and is clamd-based. diff -Nru clamav-0.101.2+dfsg/clamd/server-th.c clamav-0.101.4+dfsg/clamd/server-th.c --- clamav-0.101.2+dfsg/clamd/server-th.c 2019-03-13 21:13:01.000000000 +0000 +++ clamav-0.101.4+dfsg/clamd/server-th.c 2019-08-20 16:08:49.000000000 +0000 
@@ -88,7 +88,7 @@ #ifndef _WIN32 /* ignore all signals */ sigfillset(&sigset); - /* The behavior of a process is undefined after it ignores a + /* The behavior of a process is undefined after it ignores a * SIGFPE, SIGILL, SIGSEGV, or SIGBUS signal */ sigdelset(&sigset, SIGFPE); sigdelset(&sigset, SIGILL); @@ -552,7 +552,7 @@ /* no more commands are accepted */ conn->mode = MODE_WAITREPLY; /* Stop monitoring this FD, it will be closed either - * by us, or by the scanner thread. + * by us, or by the scanner thread. * Never close a file descriptor that is being * monitored by poll()/select() from another thread, * because this can lead to subtle bugs such as: @@ -631,7 +631,7 @@ int rc; size_t pos = *ppos; size_t cmdlen; - + logg("$mode == MODE_STREAM\n"); /* we received some data, set readtimeout */ time(&buf->timeout_at); @@ -754,12 +754,25 @@ memset(&options, 0, sizeof(struct cl_scan_options)); /* set up limits */ - if((opt = optget(opts, "MaxScanSize"))->active) { - if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANSIZE, opt->numarg))) { - logg("!cl_engine_set_num(CL_ENGINE_MAX_SCANSIZE) failed: %s\n", cl_strerror(ret)); - cl_engine_free(engine); - return 1; - } + if ((opt = optget(opts, "MaxScanTime"))->active) { + if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, opt->numarg))) { + logg("!cl_engine_set_num(CL_ENGINE_MAX_SCANTIME) failed: %s\n", cl_strerror(ret)); + cl_engine_free(engine); + return 1; + } + } + val = cl_engine_get_num(engine, CL_ENGINE_MAX_SCANTIME, NULL); + if (val) + logg("Limits: Global time limit set to %llu milliseconds.\n", val); + else + logg("^Limits: Global time limit protection disabled.\n"); + + if ((opt = optget(opts, "MaxScanSize"))->active) { + if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANSIZE, opt->numarg))) { + logg("!cl_engine_set_num(CL_ENGINE_MAX_SCANSIZE) failed: %s\n", cl_strerror(ret)); + cl_engine_free(engine); + return 1; + } } val = cl_engine_get_num(engine, CL_ENGINE_MAX_SCANSIZE, NULL); if(val) 
@@ -1016,7 +1029,7 @@ /* TODO: Remove deprecated option in a future feature release */ if (optget(opts, "ScanPE")->enabled || optget(opts, "ScanELF")->enabled) { - if ((optget(opts, "DetectBrokenExecutables")->enabled) || + if ((optget(opts, "DetectBrokenExecutables")->enabled) || (optget(opts, "AlertBrokenExecutables")->enabled)) { logg("Alerting on broken executables enabled.\n"); options.heuristic |= CL_SCAN_HEURISTIC_BROKEN; @@ -1039,7 +1052,7 @@ if (optget(opts, "ScanOLE2")->enabled) { logg("OLE2 support enabled.\n"); options.parse |= CL_SCAN_PARSE_OLE2; - + /* TODO: Remove deprecated option in a future feature release */ if ((optget(opts, "OLE2BlockMacros")->enabled) || (optget(opts, "AlertOLE2Macros")->enabled)) { @@ -1187,7 +1200,7 @@ int solaris_has_extended_stdio = 0; #endif /* Condition to not run out of file descriptors: - * MaxThreads * MaxRecursion + (MaxQueue - MaxThreads) + CLAMDFILES < RLIMIT_NOFILE + * MaxThreads * MaxRecursion + (MaxQueue - MaxThreads) + CLAMDFILES < RLIMIT_NOFILE * CLAMDFILES is 6: 3 standard FD + logfile + 2 FD for reloading the DB * */ #ifdef C_SOLARIS @@ -1314,12 +1327,12 @@ sigdelset(&sigset, SIGHUP); sigdelset(&sigset, SIGPIPE); sigdelset(&sigset, SIGUSR2); - /* The behavior of a process is undefined after it ignores a + /* The behavior of a process is undefined after it ignores a * SIGFPE, SIGILL, SIGSEGV, or SIGBUS signal */ sigdelset(&sigset, SIGFPE); sigdelset(&sigset, SIGILL); sigdelset(&sigset, SIGSEGV); -#ifdef SIGBUS +#ifdef SIGBUS sigdelset(&sigset, SIGBUS); #endif sigdelset(&sigset, SIGTSTP); @@ -1663,4 +1676,4 @@ logg("--- Stopped at %s", cli_ctime(¤t_time, timestr, sizeof(timestr))); return ret; -} +} diff -Nru clamav-0.101.2+dfsg/clamscan/clamscan.c clamav-0.101.4+dfsg/clamscan/clamscan.c --- clamav-0.101.2+dfsg/clamscan/clamscan.c 2019-03-13 21:13:01.000000000 +0000 +++ clamav-0.101.4+dfsg/clamscan/clamscan.c 2019-08-20 16:08:49.000000000 +0000 
@@ -145,7 +145,7 @@ optfree(opts); return 2; } - } else + } else logg_file = NULL; if(actsetup(opts)) { @@ -277,6 +277,7 @@ mprintf(" --nocerts Disable authenticode certificate chain verification in PE files\n"); mprintf(" --dumpcerts Dump authenticode certificate chain in PE files\n"); mprintf("\n"); + mprintf(" --max-scantime=#n Scan time longer than this will be skipped and assumed clean\n"); mprintf(" --max-filesize=#n Files larger than this will be skipped and assumed clean\n"); mprintf(" --max-scansize=#n The maximum amount of data to scan for each container file (**)\n"); mprintf(" --max-files=#n The maximum number of files to scan for each container file (**)\n"); diff -Nru clamav-0.101.2+dfsg/clamscan/manager.c clamav-0.101.4+dfsg/clamscan/manager.c --- clamav-0.101.2+dfsg/clamscan/manager.c 2019-03-13 21:13:01.000000000 +0000 +++ clamav-0.101.4+dfsg/clamscan/manager.c 2019-08-20 16:08:49.000000000 +0000 @@ -340,7 +340,7 @@ return; } -#endif +#endif if(!sb.st_size) { if(!printinfected) logg("~%s: Empty file\n", filename); @@ -674,7 +674,7 @@ } cl_engine_set_clcb_virus_found(engine, clamscan_virus_found_cb); - + if (optget(opts, "disable-cache")->enabled) cl_engine_set_num(engine, CL_ENGINE_DISABLE_CACHE, 1); 
@@ -873,6 +873,24 @@ /* set limits */ + /* TODO: Remove deprecated option in a future feature release */ + if ((opt = optget(opts, "timelimit"))->active) { + if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, opt->numarg))) { + logg("!cli_engine_set_num(CL_ENGINE_MAX_SCANTIME) failed: %s\n", cl_strerror(ret)); + + cl_engine_free(engine); + return 2; + } + } + if ((opt = optget(opts, "max-scantime"))->active) { + if ((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, opt->numarg))) { + logg("!cli_engine_set_num(CL_ENGINE_MAX_SCANTIME) failed: %s\n", cl_strerror(ret)); + + cl_engine_free(engine); + return 2; + } + } + if((opt = optget(opts, "max-scansize"))->active) { if((ret = cl_engine_set_num(engine, CL_ENGINE_MAX_SCANSIZE, opt->numarg))) { logg("!cli_engine_set_num(CL_ENGINE_MAX_SCANSIZE) failed: %s\n", cl_strerror(ret)); @@ -994,15 +1012,6 @@ } } - if ((opt = optget(opts, "timelimit"))->active) { - if ((ret = cl_engine_set_num(engine, CL_ENGINE_TIME_LIMIT, opt->numarg))) { - logg("!cli_engine_set_num(CL_ENGINE_TIME_LIMIT) failed: %s\n", cl_strerror(ret)); - - cl_engine_free(engine); - return 2; - } - } - if ((opt = optget(opts, "pcre-max-filesize"))->active) { if ((ret = cl_engine_set_num(engine, CL_ENGINE_PCRE_MAX_FILESIZE, opt->numarg))) { logg("!cli_engine_set_num(CL_ENGINE_PCRE_MAX_FILESIZE) failed: %s\n", cl_strerror(ret)); @@ -1038,7 +1047,7 @@ options.parse |= CL_SCAN_PARSE_ARCHIVE; /* TODO: Remove deprecated option in a future feature release */ - if ((optget(opts, "detect-broken")->enabled) || + if ((optget(opts, "detect-broken")->enabled) || (optget(opts, "alert-broken")->enabled)) { options.heuristic |= CL_SCAN_HEURISTIC_BROKEN; } 
@@ -1096,7 +1105,7 @@ } /* TODO: Remove deprecated option in a future feature release */ - if ((optget(opts, "block-max")->enabled) || + if ((optget(opts, "block-max")->enabled) || (optget(opts, "alert-exceeds-max")->enabled)) { options.heuristic |= CL_SCAN_HEURISTIC_EXCEEDS_MAX; } diff -Nru clamav-0.101.2+dfsg/configure clamav-0.101.4+dfsg/configure --- clamav-0.101.2+dfsg/configure 2019-03-13 21:13:01.000000000 +0000 +++ clamav-0.101.4+dfsg/configure 2019-08-20 16:08:49.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for ClamAV 0.101.2. +# Generated by GNU Autoconf 2.69 for ClamAV 0.101.4. # # Report bugs to . # @@ -592,8 +592,8 @@ # Identity of this package. PACKAGE_NAME='ClamAV' PACKAGE_TARNAME='clamav' -PACKAGE_VERSION='0.101.2' -PACKAGE_STRING='ClamAV 0.101.2' +PACKAGE_VERSION='0.101.4' +PACKAGE_STRING='ClamAV 0.101.4' PACKAGE_BUGREPORT='https://bugzilla.clamav.net/' PACKAGE_URL='https://www.clamav.net/' @@ -1558,7 +1558,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures ClamAV 0.101.2 to adapt to many kinds of systems. +\`configure' configures ClamAV 0.101.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1629,7 +1629,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of ClamAV 0.101.2:";; + short | recursive ) echo "Configuration of ClamAV 0.101.4:";; esac cat <<\_ACEOF @@ -1854,7 +1854,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -ClamAV configure 0.101.2 +ClamAV configure 0.101.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2444,7 +2444,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by ClamAV $as_me 0.101.2, which was +It was created by ClamAV $as_me 0.101.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -4201,7 +4201,7 @@ # Define the identity of the package. PACKAGE='clamav' - VERSION='0.101.2' + VERSION='0.101.4' # Some tools Automake needs. @@ -5929,7 +5929,7 @@ -VERSION="0.101.2" +VERSION="0.101.4" LC_CURRENT=9 LC_REVISION=2 @@ -29986,7 +29986,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by ClamAV $as_me 0.101.2, which was +This file was extended by ClamAV $as_me 0.101.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -30053,7 +30053,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -ClamAV config.status 0.101.2 +ClamAV config.status 0.101.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -32875,7 +32875,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by ClamAV $as_me 0.101.2, which was +This file was extended by ClamAV $as_me 0.101.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -32942,7 +32942,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -ClamAV config.status 0.101.2 +ClamAV config.status 0.101.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru clamav-0.101.2+dfsg/configure.ac clamav-0.101.4+dfsg/configure.ac --- clamav-0.101.2+dfsg/configure.ac 2019-03-30 13:57:20.000000000 +0000 +++ clamav-0.101.4+dfsg/configure.ac 2019-08-25 09:24:30.000000000 +0000 @@ -22,7 +22,7 @@ AC_PREREQ([2.59]) dnl For a release change [devel] to the real version [0.xy] dnl also change VERSION below -AC_INIT([ClamAV], [0.101.2], [https://bugzilla.clamav.net/], [clamav], [https://www.clamav.net/]) +AC_INIT([ClamAV], [0.101.4], [https://bugzilla.clamav.net/], [clamav], [https://www.clamav.net/]) dnl enable C++ AC_PROG_CXX() @@ -252,7 +252,7 @@ if test "X$have_curl" != "Xyes" && test "X$have_json" != "Xyes"; then CL_MSG_STATUS([clamsubmit ], [no (missing libjson-c-dev AND libcurl-devel. Use the website to submit FPs/FNs.)], [no]) else - if test "X$have_curl" = "Xyes"; then + if test "X$have_curl" = "Xyes"; then CL_MSG_STATUS([clamsubmit ], [no (missing libjson-c-dev. Use the website to submit FPs/FNs.)], [no]) else CL_MSG_STATUS([clamsubmit ], [no (missing libcurl-devel. Use the website to submit FPs/FNs.)], [no]) @@ -294,7 +294,7 @@ CL_MSG_STATUS([pcre ],[$PCRE_HOME],[$have_pcre]) fi CL_MSG_STATUS([libmspack ],[yes],[$mspack_msg]) -if test "x$XML_LIBS" = "x"; then +if test "x$XML_LIBS" = "x"; then CL_MSG_STATUS([libxml2 ],[no],[]) else CL_MSG_STATUS([libxml2 ],[yes, from $XML_HOME],[]) diff -Nru clamav-0.101.2+dfsg/debian/.git-dpm clamav-0.101.4+dfsg/debian/.git-dpm --- clamav-0.101.2+dfsg/debian/.git-dpm 2019-08-06 20:02:44.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/.git-dpm 2019-08-25 10:53:19.000000000 +0000 
@@ -1,8 +1,8 @@ # see git-dpm(1) from git-dpm package -f9c686061408a8a6378bb089e57c541713fb8a7c -f9c686061408a8a6378bb089e57c541713fb8a7c -5a612c89e68e5010b2cd71002ceb15efc03a2324 -5a612c89e68e5010b2cd71002ceb15efc03a2324 -clamav_0.101.2+dfsg.orig.tar.xz -7f723ff0a4ce24ef821947fd3832e3f54e17a875 -4719692 +d270e1b7719040d02da3674f913a229a27a95ef8 +d270e1b7719040d02da3674f913a229a27a95ef8 +2ef384b1d0316b03c71b17de219c056c19169197 +2ef384b1d0316b03c71b17de219c056c19169197 +clamav_0.101.4+dfsg.orig.tar.xz +ae609c30ebf523a2f5e1b5f3cf25332cbb48686d +4975416 diff -Nru clamav-0.101.2+dfsg/debian/changelog clamav-0.101.4+dfsg/debian/changelog --- clamav-0.101.2+dfsg/debian/changelog 2019-08-06 20:07:01.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/changelog 2019-08-25 10:53:19.000000000 +0000 @@ -1,3 +1,14 @@ +clamav (0.101.4+dfsg-0+deb10u1) buster; urgency=medium + + * Import 0.101.4 + - CVE-2019-12625 (Add scan time limit to limit the processing zip-bombs) + (Closes:934359) + - CVE-2019-12900 (An out of bounds write was possible within ClamAV's + NSIS bzip) + - update symbols file (bump to 101.4 and drop unused cli_strnstr). + + -- Sebastian Andrzej Siewior Sun, 25 Aug 2019 12:53:19 +0200 + clamav (0.101.2+dfsg-1+deb10u1) buster; urgency=medium * Cherry-pick a fix from 0.101.3 to address a vulnerability to diff -Nru clamav-0.101.2+dfsg/debian/clamav-daemon.postinst.in clamav-0.101.4+dfsg/debian/clamav-daemon.postinst.in --- clamav-0.101.2+dfsg/debian/clamav-daemon.postinst.in 2019-08-06 20:02:44.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/clamav-daemon.postinst.in 2019-08-25 10:53:19.000000000 +0000 @@ -211,6 +211,7 @@ [ -z "$StructuredDataDetection" ] && StructuredDataDetection=false [ -z "$ScanHTML" ] && ScanHTML=true [ -z "$ArchiveBlockEncrypted" ] && ArchiveBlockEncrypted=false + [ -z "$MaxScanTime" ] && MaxScanTime=120000 [ -z "$MaxScanSize" ] && MaxScanSize=100M [ -z "$MaxFileSize" ] && MaxFileSize=25M [ -z "$MaxRecursion" ] && MaxRecursion=16 
@@ -331,6 +332,7 @@ ForceToDisk $ForceToDisk DisableCertCheck $DisableCertCheck DisableCache $DisableCache +MaxScanTime $MaxScanTime MaxScanSize $MaxScanSize MaxFileSize $MaxFileSize MaxRecursion $MaxRecursion diff -Nru clamav-0.101.2+dfsg/debian/libclamav9.symbols clamav-0.101.4+dfsg/debian/libclamav9.symbols --- clamav-0.101.2+dfsg/debian/libclamav9.symbols 2019-08-06 20:02:44.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/libclamav9.symbols 2019-08-25 10:53:19.000000000 +0000 @@ -1,16 +1,16 @@ libclamav.so.9 libclamav9 #MINVER# * Build-Depends-Package: libclamav-dev - CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.101.2 + CLAMAV_PRIVATE@CLAMAV_PRIVATE 0.101.4 CLAMAV_PUBLIC@CLAMAV_PUBLIC 0.101.0 - base64Flush@CLAMAV_PRIVATE 0.101.2 - blobAddData@CLAMAV_PRIVATE 0.101.2 - blobCreate@CLAMAV_PRIVATE 0.101.2 - blobDestroy@CLAMAV_PRIVATE 0.101.2 - cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.101.2 + base64Flush@CLAMAV_PRIVATE 0.101.4 + blobAddData@CLAMAV_PRIVATE 0.101.4 + blobCreate@CLAMAV_PRIVATE 0.101.4 + blobDestroy@CLAMAV_PRIVATE 0.101.4 + cl_ASN1_GetTimeT@CLAMAV_PRIVATE 0.101.4 cl_always_gen_section_hash@CLAMAV_PUBLIC 0.101.0 - cl_base64_decode@CLAMAV_PRIVATE 0.101.2 - cl_base64_encode@CLAMAV_PRIVATE 0.101.2 - cl_cleanup_crypto@CLAMAV_PRIVATE 0.101.2 + cl_base64_decode@CLAMAV_PRIVATE 0.101.4 + cl_base64_encode@CLAMAV_PRIVATE 0.101.4 + cl_cleanup_crypto@CLAMAV_PRIVATE 0.101.4 cl_countsigs@CLAMAV_PUBLIC 0.101.0 cl_cvdfree@CLAMAV_PUBLIC 0.101.0 cl_cvdhead@CLAMAV_PUBLIC 0.101.0 @@ -39,7 +39,7 @@ cl_engine_set_clcb_stats_remove_sample@CLAMAV_PUBLIC 0.101.0 cl_engine_set_clcb_stats_submit@CLAMAV_PUBLIC 0.101.0 cl_engine_set_clcb_virus_found@CLAMAV_PUBLIC 0.101.0 - cl_engine_set_num@CLAMAV_PUBLIC 0.101.0 + cl_engine_set_num@CLAMAV_PUBLIC 0.101.4 cl_engine_set_stats_set_cbdata@CLAMAV_PUBLIC 0.101.0 cl_engine_set_str@CLAMAV_PUBLIC 0.101.0 cl_engine_settings_apply@CLAMAV_PUBLIC 0.101.0 
@@ -50,21 +50,21 @@ cl_fmap_close@CLAMAV_PUBLIC 0.101.0 cl_fmap_open_handle@CLAMAV_PUBLIC 0.101.0 cl_fmap_open_memory@CLAMAV_PUBLIC 0.101.0 - cl_get_pkey_file@CLAMAV_PRIVATE 0.101.2 - cl_get_x509_from_mem@CLAMAV_PRIVATE 0.101.2 - cl_hash_data@CLAMAV_PRIVATE 0.101.2 + cl_get_pkey_file@CLAMAV_PRIVATE 0.101.4 + cl_get_x509_from_mem@CLAMAV_PRIVATE 0.101.4 + cl_hash_data@CLAMAV_PRIVATE 0.101.4 cl_hash_destroy@CLAMAV_PUBLIC 0.101.0 - cl_hash_file_fd@CLAMAV_PRIVATE 0.101.2 - cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.101.2 - cl_hash_file_fp@CLAMAV_PRIVATE 0.101.2 + cl_hash_file_fd@CLAMAV_PRIVATE 0.101.4 + cl_hash_file_fd_ctx@CLAMAV_PRIVATE 0.101.4 + cl_hash_file_fp@CLAMAV_PRIVATE 0.101.4 cl_hash_init@CLAMAV_PUBLIC 0.101.0 cl_init@CLAMAV_PUBLIC 0.101.0 - cl_initialize_crypto@CLAMAV_PRIVATE 0.101.2 + cl_initialize_crypto@CLAMAV_PRIVATE 0.101.4 cl_load@CLAMAV_PUBLIC 0.101.0 - cl_load_cert@CLAMAV_PRIVATE 0.101.2 - cl_load_crl@CLAMAV_PRIVATE 0.101.2 + cl_load_cert@CLAMAV_PRIVATE 0.101.4 + cl_load_crl@CLAMAV_PRIVATE 0.101.4 cl_retdbdir@CLAMAV_PUBLIC 0.101.0 - cl_retflevel@CLAMAV_PUBLIC 0.101.1 + cl_retflevel@CLAMAV_PUBLIC 0.101.4 cl_retver@CLAMAV_PUBLIC 0.101.0 cl_scandesc@CLAMAV_PUBLIC 0.101.0 cl_scandesc_callback@CLAMAV_PUBLIC 0.101.0 
@@ -72,185 +72,184 @@ cl_scanfile_callback@CLAMAV_PUBLIC 0.101.0 cl_scanmap_callback@CLAMAV_PUBLIC 0.101.0 cl_set_clcb_msg@CLAMAV_PUBLIC 0.101.0 - cl_sha1@CLAMAV_PRIVATE 0.101.2 - cl_sha256@CLAMAV_PRIVATE 0.101.2 - cl_sign_data@CLAMAV_PRIVATE 0.101.2 - cl_sign_data_keyfile@CLAMAV_PRIVATE 0.101.2 - cl_sign_file_fd@CLAMAV_PRIVATE 0.101.2 - cl_sign_file_fp@CLAMAV_PRIVATE 0.101.2 + cl_sha1@CLAMAV_PRIVATE 0.101.4 + cl_sha256@CLAMAV_PRIVATE 0.101.4 + cl_sign_data@CLAMAV_PRIVATE 0.101.4 + cl_sign_data_keyfile@CLAMAV_PRIVATE 0.101.4 + cl_sign_file_fd@CLAMAV_PRIVATE 0.101.4 + cl_sign_file_fp@CLAMAV_PRIVATE 0.101.4 cl_statchkdir@CLAMAV_PUBLIC 0.101.0 cl_statfree@CLAMAV_PUBLIC 0.101.0 cl_statinidir@CLAMAV_PUBLIC 0.101.0 cl_strerror@CLAMAV_PUBLIC 0.101.0 cl_update_hash@CLAMAV_PUBLIC 0.101.0 - cl_validate_certificate_chain@CLAMAV_PRIVATE 0.101.2 - cl_validate_certificate_chain_ts_dir@CLAMAV_PRIVATE 0.101.2 - cl_verify_signature@CLAMAV_PRIVATE 0.101.2 - cl_verify_signature_fd@CLAMAV_PRIVATE 0.101.2 - cl_verify_signature_fd_x509@CLAMAV_PRIVATE 0.101.2 - cl_verify_signature_fd_x509_keyfile@CLAMAV_PRIVATE 0.101.2 - cl_verify_signature_hash@CLAMAV_PRIVATE 0.101.2 - cl_verify_signature_hash_x509@CLAMAV_PRIVATE 0.101.2 - cl_verify_signature_hash_x509_keyfile@CLAMAV_PRIVATE 0.101.2 - cl_verify_signature_x509@CLAMAV_PRIVATE 0.101.2 - cl_verify_signature_x509_keyfile@CLAMAV_PRIVATE 0.101.2 - cli_ac_buildtrie@CLAMAV_PRIVATE 0.101.2 - cli_ac_chklsig@CLAMAV_PRIVATE 0.101.2 - cli_ac_free@CLAMAV_PRIVATE 0.101.2 - cli_ac_freedata@CLAMAV_PRIVATE 0.101.2 - cli_ac_init@CLAMAV_PRIVATE 0.101.2 - cli_ac_initdata@CLAMAV_PRIVATE 0.101.2 - cli_ac_scanbuff@CLAMAV_PRIVATE 0.101.2 - cli_bm_free@CLAMAV_PRIVATE 0.101.2 - cli_bm_init@CLAMAV_PRIVATE 0.101.2 - cli_bm_scanbuff@CLAMAV_PRIVATE 0.101.2 - cli_build_regex_list@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_context_alloc@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_context_clear@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_context_destroy@CLAMAV_PRIVATE 0.101.2 - 
cli_bytecode_context_getresult_int@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_context_set_trace@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_context_setfile@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_context_setfuncid@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_context_setparam_int@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_context_setparam_ptr@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_debug@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_debug_printsrc@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_describe@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_destroy@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_done@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_init@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_load@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_prepare2@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_printversion@CLAMAV_PRIVATE 0.101.2 - cli_bytecode_run@CLAMAV_PRIVATE 0.101.2 - cli_bytefunc_describe@CLAMAV_PRIVATE 0.101.2 - cli_byteinst_describe@CLAMAV_PRIVATE 0.101.2 - cli_bytetype_describe@CLAMAV_PRIVATE 0.101.2 - cli_bytevalue_describe@CLAMAV_PRIVATE 0.101.2 - cli_calloc@CLAMAV_PRIVATE 0.101.2 - cli_checkfp_pe@CLAMAV_PRIVATE 0.101.2 - cli_chomp@CLAMAV_PRIVATE 0.101.2 - cli_ctime@CLAMAV_PRIVATE 0.101.2 - cli_cvdunpack@CLAMAV_PRIVATE 0.101.2 - cli_dbgmsg_internal@CLAMAV_PRIVATE 0.101.2 - cli_dconf_init@CLAMAV_PRIVATE 0.101.2 - cli_debug_flag@CLAMAV_PRIVATE 0.101.2 - cli_detect_environment@CLAMAV_PRIVATE 0.101.2 - cli_disasm_one@CLAMAV_PRIVATE 0.101.2 - cli_errmsg@CLAMAV_PRIVATE 0.101.2 - cli_filecopy@CLAMAV_PRIVATE 0.101.2 - cli_fmap_scandesc@CLAMAV_PRIVATE 0.101.2 - cli_free_vba_project@CLAMAV_PRIVATE 0.101.2 - cli_ftw@CLAMAV_PRIVATE 0.101.2 - cli_genhash_pe@CLAMAV_PRIVATE 0.101.2 - cli_gentemp@CLAMAV_PRIVATE 0.101.2 - cli_gentempfd@CLAMAV_PRIVATE 0.101.2 - cli_gettmpdir@CLAMAV_PRIVATE 0.101.2 - cli_hashfile@CLAMAV_PRIVATE 0.101.2 - cli_hashset_destroy@CLAMAV_PRIVATE 0.101.2 - cli_hashstream@CLAMAV_PRIVATE 0.101.2 - cli_hex2str@CLAMAV_PRIVATE 0.101.2 - cli_hex2ui@CLAMAV_PRIVATE 0.101.2 - cli_initroots@CLAMAV_PRIVATE 0.101.2 - 
cli_isnumber@CLAMAV_PRIVATE 0.101.2 - cli_js_destroy@CLAMAV_PRIVATE 0.101.2 - cli_js_init@CLAMAV_PRIVATE 0.101.2 - cli_js_output@CLAMAV_PRIVATE 0.101.2 - cli_js_parse_done@CLAMAV_PRIVATE 0.101.2 - cli_js_process_buffer@CLAMAV_PRIVATE 0.101.2 - cli_ldbtokenize@CLAMAV_PRIVATE 0.101.2 - cli_malloc@CLAMAV_PRIVATE 0.101.2 - cli_memstr@CLAMAV_PRIVATE 0.101.2 - cli_ole2_extract@CLAMAV_PRIVATE 0.101.2 - cli_parse_add@CLAMAV_PRIVATE 0.101.2 - cli_pcre_build@CLAMAV_PRIVATE 0.101.2 - cli_pcre_freeoff@CLAMAV_PRIVATE 0.101.2 - cli_pcre_init@CLAMAV_PRIVATE 0.101.2 - cli_pcre_perf_events_destroy@CLAMAV_PRIVATE 0.101.2 - cli_pcre_perf_print@CLAMAV_PRIVATE 0.101.2 - cli_pcre_recaloff@CLAMAV_PRIVATE 0.101.2 - cli_pcre_scanbuf@CLAMAV_PRIVATE 0.101.2 - cli_ppt_vba_read@CLAMAV_PRIVATE 0.101.2 - cli_printcxxver@CLAMAV_PRIVATE 0.101.2 - cli_readn@CLAMAV_PRIVATE 0.101.2 - cli_realloc@CLAMAV_PRIVATE 0.101.2 - cli_regcomp@CLAMAV_PRIVATE 0.101.2 - cli_regex2suffix@CLAMAV_PRIVATE 0.101.2 - cli_regexec@CLAMAV_PRIVATE 0.101.2 - cli_regfree@CLAMAV_PRIVATE 0.101.2 - cli_rmdirs@CLAMAV_PRIVATE 0.101.2 - cli_rndnum@CLAMAV_PRIVATE 0.101.2 - cli_sanitize_filepath@CLAMAV_PRIVATE 0.101.2 - cli_scanbuff@CLAMAV_PRIVATE 0.101.2 - cli_sigopts_handler@CLAMAV_PRIVATE 0.101.2 - cli_sigperf_events_destroy@CLAMAV_PRIVATE 0.101.2 - cli_sigperf_print@CLAMAV_PRIVATE 0.101.2 - cli_str2hex@CLAMAV_PRIVATE 0.101.2 - cli_strbcasestr@CLAMAV_PRIVATE 0.101.2 - cli_strdup@CLAMAV_PRIVATE 0.101.2 - cli_strerror@CLAMAV_PRIVATE 0.101.2 - cli_strlcat@CLAMAV_PRIVATE 0.101.2 - cli_strlcpy@CLAMAV_PRIVATE 0.101.2 - cli_strnstr@CLAMAV_PRIVATE 0.101.2 - cli_strrcpy@CLAMAV_PRIVATE 0.101.2 - cli_strtok@CLAMAV_PRIVATE 0.101.2 - cli_strtokbuf@CLAMAV_PRIVATE 0.101.2 - cli_strtokenize@CLAMAV_PRIVATE 0.101.2 - cli_textbuffer_append_normalize@CLAMAV_PRIVATE 0.101.2 - cli_unescape@CLAMAV_PRIVATE 0.101.2 - cli_unlink@CLAMAV_PRIVATE 0.101.2 - cli_url_canon@CLAMAV_PRIVATE 0.101.2 - cli_utf16_to_utf8@CLAMAV_PRIVATE 0.101.2 - 
cli_utf16toascii@CLAMAV_PRIVATE 0.101.2 - cli_vba_inflate@CLAMAV_PRIVATE 0.101.2 - cli_vba_readdir@CLAMAV_PRIVATE 0.101.2 - cli_versig2@CLAMAV_PRIVATE 0.101.2 - cli_versig@CLAMAV_PRIVATE 0.101.2 - cli_warnmsg@CLAMAV_PRIVATE 0.101.2 - cli_wm_decrypt_macro@CLAMAV_PRIVATE 0.101.2 - cli_wm_readdir@CLAMAV_PRIVATE 0.101.2 - cli_writen@CLAMAV_PRIVATE 0.101.2 - decodeLine@CLAMAV_PRIVATE 0.101.2 - disasmbuf@CLAMAV_PRIVATE 0.101.2 - fmap@CLAMAV_PRIVATE 0.101.2 - get_fpu_endian@CLAMAV_PRIVATE 0.101.2 - have_clamjit@CLAMAV_PRIVATE 0.101.2 - have_rar@CLAMAV_PRIVATE 0.101.2 - html_normalise_map@CLAMAV_PRIVATE 0.101.2 - html_normalise_mem@CLAMAV_PRIVATE 0.101.2 - html_screnc_decode@CLAMAV_PRIVATE 0.101.2 - html_tag_arg_free@CLAMAV_PRIVATE 0.101.2 - init_domainlist@CLAMAV_PRIVATE 0.101.2 - init_regex_list@CLAMAV_PRIVATE 0.101.2 - init_whitelist@CLAMAV_PRIVATE 0.101.2 - is_regex_ok@CLAMAV_PRIVATE 0.101.2 - load_regex_matcher@CLAMAV_PRIVATE 0.101.2 + cl_validate_certificate_chain@CLAMAV_PRIVATE 0.101.4 + cl_validate_certificate_chain_ts_dir@CLAMAV_PRIVATE 0.101.4 + cl_verify_signature@CLAMAV_PRIVATE 0.101.4 + cl_verify_signature_fd@CLAMAV_PRIVATE 0.101.4 + cl_verify_signature_fd_x509@CLAMAV_PRIVATE 0.101.4 + cl_verify_signature_fd_x509_keyfile@CLAMAV_PRIVATE 0.101.4 + cl_verify_signature_hash@CLAMAV_PRIVATE 0.101.4 + cl_verify_signature_hash_x509@CLAMAV_PRIVATE 0.101.4 + cl_verify_signature_hash_x509_keyfile@CLAMAV_PRIVATE 0.101.4 + cl_verify_signature_x509@CLAMAV_PRIVATE 0.101.4 + cl_verify_signature_x509_keyfile@CLAMAV_PRIVATE 0.101.4 + cli_ac_buildtrie@CLAMAV_PRIVATE 0.101.4 + cli_ac_chklsig@CLAMAV_PRIVATE 0.101.4 + cli_ac_free@CLAMAV_PRIVATE 0.101.4 + cli_ac_freedata@CLAMAV_PRIVATE 0.101.4 + cli_ac_init@CLAMAV_PRIVATE 0.101.4 + cli_ac_initdata@CLAMAV_PRIVATE 0.101.4 + cli_ac_scanbuff@CLAMAV_PRIVATE 0.101.4 + cli_bm_free@CLAMAV_PRIVATE 0.101.4 + cli_bm_init@CLAMAV_PRIVATE 0.101.4 + cli_bm_scanbuff@CLAMAV_PRIVATE 0.101.4 + cli_build_regex_list@CLAMAV_PRIVATE 0.101.4 + 
cli_bytecode_context_alloc@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_context_clear@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_context_destroy@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_context_getresult_int@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_context_set_trace@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_context_setfile@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_context_setfuncid@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_context_setparam_int@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_context_setparam_ptr@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_debug@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_debug_printsrc@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_describe@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_destroy@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_done@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_init@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_load@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_prepare2@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_printversion@CLAMAV_PRIVATE 0.101.4 + cli_bytecode_run@CLAMAV_PRIVATE 0.101.4 + cli_bytefunc_describe@CLAMAV_PRIVATE 0.101.4 + cli_byteinst_describe@CLAMAV_PRIVATE 0.101.4 + cli_bytetype_describe@CLAMAV_PRIVATE 0.101.4 + cli_bytevalue_describe@CLAMAV_PRIVATE 0.101.4 + cli_calloc@CLAMAV_PRIVATE 0.101.4 + cli_checkfp_pe@CLAMAV_PRIVATE 0.101.4 + cli_chomp@CLAMAV_PRIVATE 0.101.4 + cli_ctime@CLAMAV_PRIVATE 0.101.4 + cli_cvdunpack@CLAMAV_PRIVATE 0.101.4 + cli_dbgmsg_internal@CLAMAV_PRIVATE 0.101.4 + cli_dconf_init@CLAMAV_PRIVATE 0.101.4 + cli_debug_flag@CLAMAV_PRIVATE 0.101.4 + cli_detect_environment@CLAMAV_PRIVATE 0.101.4 + cli_disasm_one@CLAMAV_PRIVATE 0.101.4 + cli_errmsg@CLAMAV_PRIVATE 0.101.4 + cli_filecopy@CLAMAV_PRIVATE 0.101.4 + cli_fmap_scandesc@CLAMAV_PRIVATE 0.101.4 + cli_free_vba_project@CLAMAV_PRIVATE 0.101.4 + cli_ftw@CLAMAV_PRIVATE 0.101.4 + cli_genhash_pe@CLAMAV_PRIVATE 0.101.4 + cli_gentemp@CLAMAV_PRIVATE 0.101.4 + cli_gentempfd@CLAMAV_PRIVATE 0.101.4 + cli_gettmpdir@CLAMAV_PRIVATE 0.101.4 + cli_hashfile@CLAMAV_PRIVATE 0.101.4 + cli_hashset_destroy@CLAMAV_PRIVATE 0.101.4 + 
cli_hashstream@CLAMAV_PRIVATE 0.101.4 + cli_hex2str@CLAMAV_PRIVATE 0.101.4 + cli_hex2ui@CLAMAV_PRIVATE 0.101.4 + cli_initroots@CLAMAV_PRIVATE 0.101.4 + cli_isnumber@CLAMAV_PRIVATE 0.101.4 + cli_js_destroy@CLAMAV_PRIVATE 0.101.4 + cli_js_init@CLAMAV_PRIVATE 0.101.4 + cli_js_output@CLAMAV_PRIVATE 0.101.4 + cli_js_parse_done@CLAMAV_PRIVATE 0.101.4 + cli_js_process_buffer@CLAMAV_PRIVATE 0.101.4 + cli_ldbtokenize@CLAMAV_PRIVATE 0.101.4 + cli_malloc@CLAMAV_PRIVATE 0.101.4 + cli_memstr@CLAMAV_PRIVATE 0.101.4 + cli_ole2_extract@CLAMAV_PRIVATE 0.101.4 + cli_parse_add@CLAMAV_PRIVATE 0.101.4 + cli_pcre_build@CLAMAV_PRIVATE 0.101.4 + cli_pcre_freeoff@CLAMAV_PRIVATE 0.101.4 + cli_pcre_init@CLAMAV_PRIVATE 0.101.4 + cli_pcre_perf_events_destroy@CLAMAV_PRIVATE 0.101.4 + cli_pcre_perf_print@CLAMAV_PRIVATE 0.101.4 + cli_pcre_recaloff@CLAMAV_PRIVATE 0.101.4 + cli_pcre_scanbuf@CLAMAV_PRIVATE 0.101.4 + cli_ppt_vba_read@CLAMAV_PRIVATE 0.101.4 + cli_printcxxver@CLAMAV_PRIVATE 0.101.4 + cli_readn@CLAMAV_PRIVATE 0.101.4 + cli_realloc@CLAMAV_PRIVATE 0.101.4 + cli_regcomp@CLAMAV_PRIVATE 0.101.4 + cli_regex2suffix@CLAMAV_PRIVATE 0.101.4 + cli_regexec@CLAMAV_PRIVATE 0.101.4 + cli_regfree@CLAMAV_PRIVATE 0.101.4 + cli_rmdirs@CLAMAV_PRIVATE 0.101.4 + cli_rndnum@CLAMAV_PRIVATE 0.101.4 + cli_sanitize_filepath@CLAMAV_PRIVATE 0.101.4 + cli_scanbuff@CLAMAV_PRIVATE 0.101.4 + cli_sigopts_handler@CLAMAV_PRIVATE 0.101.4 + cli_sigperf_events_destroy@CLAMAV_PRIVATE 0.101.4 + cli_sigperf_print@CLAMAV_PRIVATE 0.101.4 + cli_str2hex@CLAMAV_PRIVATE 0.101.4 + cli_strbcasestr@CLAMAV_PRIVATE 0.101.4 + cli_strdup@CLAMAV_PRIVATE 0.101.4 + cli_strerror@CLAMAV_PRIVATE 0.101.4 + cli_strlcat@CLAMAV_PRIVATE 0.101.4 + cli_strlcpy@CLAMAV_PRIVATE 0.101.4 + cli_strrcpy@CLAMAV_PRIVATE 0.101.4 + cli_strtok@CLAMAV_PRIVATE 0.101.4 + cli_strtokbuf@CLAMAV_PRIVATE 0.101.4 + cli_strtokenize@CLAMAV_PRIVATE 0.101.4 + cli_textbuffer_append_normalize@CLAMAV_PRIVATE 0.101.4 + cli_unescape@CLAMAV_PRIVATE 0.101.4 + cli_unlink@CLAMAV_PRIVATE 
0.101.4 + cli_url_canon@CLAMAV_PRIVATE 0.101.4 + cli_utf16_to_utf8@CLAMAV_PRIVATE 0.101.4 + cli_utf16toascii@CLAMAV_PRIVATE 0.101.4 + cli_vba_inflate@CLAMAV_PRIVATE 0.101.4 + cli_vba_readdir@CLAMAV_PRIVATE 0.101.4 + cli_versig2@CLAMAV_PRIVATE 0.101.4 + cli_versig@CLAMAV_PRIVATE 0.101.4 + cli_warnmsg@CLAMAV_PRIVATE 0.101.4 + cli_wm_decrypt_macro@CLAMAV_PRIVATE 0.101.4 + cli_wm_readdir@CLAMAV_PRIVATE 0.101.4 + cli_writen@CLAMAV_PRIVATE 0.101.4 + decodeLine@CLAMAV_PRIVATE 0.101.4 + disasmbuf@CLAMAV_PRIVATE 0.101.4 + fmap@CLAMAV_PRIVATE 0.101.4 + get_fpu_endian@CLAMAV_PRIVATE 0.101.4 + have_clamjit@CLAMAV_PRIVATE 0.101.4 + have_rar@CLAMAV_PRIVATE 0.101.4 + html_normalise_map@CLAMAV_PRIVATE 0.101.4 + html_normalise_mem@CLAMAV_PRIVATE 0.101.4 + html_screnc_decode@CLAMAV_PRIVATE 0.101.4 + html_tag_arg_free@CLAMAV_PRIVATE 0.101.4 + init_domainlist@CLAMAV_PRIVATE 0.101.4 + init_regex_list@CLAMAV_PRIVATE 0.101.4 + init_whitelist@CLAMAV_PRIVATE 0.101.4 + is_regex_ok@CLAMAV_PRIVATE 0.101.4 + load_regex_matcher@CLAMAV_PRIVATE 0.101.4 lsig_sub_matched@CLAMAV_PUBLIC 0.101.0 - messageCreate@CLAMAV_PRIVATE 0.101.2 - messageDestroy@CLAMAV_PRIVATE 0.101.2 - mpool_calloc@CLAMAV_PRIVATE 0.101.2 - mpool_create@CLAMAV_PRIVATE 0.101.2 - mpool_destroy@CLAMAV_PRIVATE 0.101.2 - mpool_free@CLAMAV_PRIVATE 0.101.2 - mpool_getstats@CLAMAV_PRIVATE 0.101.2 - phishingScan@CLAMAV_PRIVATE 0.101.2 - phishing_done@CLAMAV_PRIVATE 0.101.2 - phishing_init@CLAMAV_PRIVATE 0.101.2 - regex_list_add_pattern@CLAMAV_PRIVATE 0.101.2 - regex_list_done@CLAMAV_PRIVATE 0.101.2 - regex_list_match@CLAMAV_PRIVATE 0.101.2 - tableCreate@CLAMAV_PRIVATE 0.101.2 - tableDestroy@CLAMAV_PRIVATE 0.101.2 - tableFind@CLAMAV_PRIVATE 0.101.2 - tableInsert@CLAMAV_PRIVATE 0.101.2 - tableIterate@CLAMAV_PRIVATE 0.101.2 - tableRemove@CLAMAV_PRIVATE 0.101.2 - tableUpdate@CLAMAV_PRIVATE 0.101.2 - text_normalize_init@CLAMAV_PRIVATE 0.101.2 - text_normalize_map@CLAMAV_PRIVATE 0.101.2 - text_normalize_reset@CLAMAV_PRIVATE 0.101.2 - 
uniq_add@CLAMAV_PRIVATE 0.101.2 - uniq_free@CLAMAV_PRIVATE 0.101.2 - uniq_get@CLAMAV_PRIVATE 0.101.2 - uniq_init@CLAMAV_PRIVATE 0.101.2 + messageCreate@CLAMAV_PRIVATE 0.101.4 + messageDestroy@CLAMAV_PRIVATE 0.101.4 + mpool_calloc@CLAMAV_PRIVATE 0.101.4 + mpool_create@CLAMAV_PRIVATE 0.101.4 + mpool_destroy@CLAMAV_PRIVATE 0.101.4 + mpool_free@CLAMAV_PRIVATE 0.101.4 + mpool_getstats@CLAMAV_PRIVATE 0.101.4 + phishingScan@CLAMAV_PRIVATE 0.101.4 + phishing_done@CLAMAV_PRIVATE 0.101.4 + phishing_init@CLAMAV_PRIVATE 0.101.4 + regex_list_add_pattern@CLAMAV_PRIVATE 0.101.4 + regex_list_done@CLAMAV_PRIVATE 0.101.4 + regex_list_match@CLAMAV_PRIVATE 0.101.4 + tableCreate@CLAMAV_PRIVATE 0.101.4 + tableDestroy@CLAMAV_PRIVATE 0.101.4 + tableFind@CLAMAV_PRIVATE 0.101.4 + tableInsert@CLAMAV_PRIVATE 0.101.4 + tableIterate@CLAMAV_PRIVATE 0.101.4 + tableRemove@CLAMAV_PRIVATE 0.101.4 + tableUpdate@CLAMAV_PRIVATE 0.101.4 + text_normalize_init@CLAMAV_PRIVATE 0.101.4 + text_normalize_map@CLAMAV_PRIVATE 0.101.4 + text_normalize_reset@CLAMAV_PRIVATE 0.101.4 + uniq_add@CLAMAV_PRIVATE 0.101.4 + uniq_free@CLAMAV_PRIVATE 0.101.4 + uniq_get@CLAMAV_PRIVATE 0.101.4 + uniq_init@CLAMAV_PRIVATE 0.101.4 diff -Nru clamav-0.101.2+dfsg/debian/patches/Add-support-for-LLVM-3.7.patch clamav-0.101.4+dfsg/debian/patches/Add-support-for-LLVM-3.7.patch --- clamav-0.101.2+dfsg/debian/patches/Add-support-for-LLVM-3.7.patch 2019-08-06 20:02:44.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/patches/Add-support-for-LLVM-3.7.patch 2019-08-25 10:53:19.000000000 +0000 @@ -1,4 +1,4 @@ -From 10fa493123ae406f385d04c8033ab900613d542a Mon Sep 17 00:00:00 2001 +From 35b9f66b69337557d4034f54d71e8ef61c32f295 Mon Sep 17 00:00:00 2001 
From: Andreas Cadhalpun Date: Fri, 14 Oct 2016 20:24:39 +0200 Subject: Add support for LLVM 3.7 diff -Nru clamav-0.101.2+dfsg/debian/patches/Add-support-for-LLVM-3.8.patch clamav-0.101.4+dfsg/debian/patches/Add-support-for-LLVM-3.8.patch --- clamav-0.101.2+dfsg/debian/patches/Add-support-for-LLVM-3.8.patch 2019-08-06 20:02:44.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/patches/Add-support-for-LLVM-3.8.patch 2019-08-25 10:53:19.000000000 +0000 @@ -1,4 +1,4 @@ -From 4c68f84da6bf0b1b686c7d7575520a307fc71c34 Mon Sep 17 00:00:00 2001 +From dadb4b37352a7ffcd3b4bc070281c858b34f1381 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 14 Oct 2016 20:24:48 +0200 Subject: Add support for LLVM 3.8 diff -Nru clamav-0.101.2+dfsg/debian/patches/Add-support-for-LLVM-3.9.patch clamav-0.101.4+dfsg/debian/patches/Add-support-for-LLVM-3.9.patch --- clamav-0.101.2+dfsg/debian/patches/Add-support-for-LLVM-3.9.patch 2019-08-06 20:02:44.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/patches/Add-support-for-LLVM-3.9.patch 2019-08-25 10:53:19.000000000 +0000 @@ -1,4 +1,4 @@ -From cb77f255d9bc2871a474227e2a8676dfd930a483 Mon Sep 17 00:00:00 2001 +From d270e1b7719040d02da3674f913a229a27a95ef8 Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Fri, 14 Oct 2016 20:24:56 +0200 Subject: Add support for LLVM 3.9 diff -Nru clamav-0.101.2+dfsg/debian/patches/Adds-detection-and-heuristic-alert-for-zips-with-ove.patch clamav-0.101.4+dfsg/debian/patches/Adds-detection-and-heuristic-alert-for-zips-with-ove.patch --- clamav-0.101.2+dfsg/debian/patches/Adds-detection-and-heuristic-alert-for-zips-with-ove.patch 2019-08-06 20:02:44.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/patches/Adds-detection-and-heuristic-alert-for-zips-with-ove.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,233 +0,0 @@ -From f9c686061408a8a6378bb089e57c541713fb8a7c Mon Sep 17 00:00:00 2001 -From: Micah Snyder -Date: Fri, 12 Jul 2019 21:09:45 -0400 -Subject: Adds detection and heuristic alert for zips with overlapping files, - preventing extraction of non-recursive zip bombs. - -Patch-Name: Adds-detection-and-heuristic-alert-for-zips-with-ove.patch -Signed-off-by: Sebastian Andrzej Siewior ---- - NEWS.md | 15 ++++++---- - libclamav/unzip.c | 74 ++++++++++++++++++++++++++++++++++++++++------- - 2 files changed, 72 insertions(+), 17 deletions(-) - -diff --git a/NEWS.md b/NEWS.md -index 3cd2587..76d8474 100644 ---- a/NEWS.md -+++ b/NEWS.md -@@ -5,14 +5,17 @@ Note: This file refers to the source tarball. Things described here may differ - - ## 0.101.3 - --ClamAV 0.101.3 is a patch release... -+ClamAV 0.101.3 is a patch release to address a vulnerability to non-recursive -+zip bombs. - --- Fixes for the following vulnerabilities affecting 0.101.2 and prior: -- - -+A Denial-of-Service (DoS) vulnerability may occur when scanning a zip bomb as a -+result of excessively long scan times. The issue is resolved by detecting the -+overlapping local file headers which characterize the non-recursive zip bomb -+described by David Fifield, -+[here](https://www.bamsoftware.com/hacks/zipbomb/). - --Additional thanks to the following community members for submitting bug reports: -- --- -+Thank you to Hanno Böck for reporting the issue as it relates to ClamAV, -+[here](https://bugzilla.clamav.net/show_bug.cgi?id=12356). 
- - ## 0.101.2 - -diff --git a/libclamav/unzip.c b/libclamav/unzip.c -index 0216908..a67b92d 100644 ---- a/libclamav/unzip.c -+++ b/libclamav/unzip.c -@@ -54,6 +54,8 @@ - #define UNZIP_PRIVATE - #include "unzip.h" - -+#define ZIP_MAX_NUM_OVERLAPPING_FILES 5 -+ - #define ZIP_CRC32(r,c,b,l) \ - do { \ - r = crc32(~c,b,l); \ -@@ -493,14 +495,14 @@ static inline int zdecrypt(const uint8_t *src, uint32_t csize, uint32_t usize, c - if (pass_zip) - pass_zip = pass_zip->next; - else -- pass_any = pass_any->next; -+ pass_any = pass_any->next; - } - - cli_dbgmsg("cli_unzip: decrypt - skipping encrypted file, no valid passwords\n"); - return CL_SUCCESS; - } - --static unsigned int lhdr(fmap_t *map, uint32_t loff,uint32_t zsize, unsigned int *fu, unsigned int fc, const uint8_t *ch, int *ret, cli_ctx *ctx, char *tmpd, int detect_encrypted, zip_cb zcb) { -+static unsigned int lhdr(fmap_t *map, uint32_t loff,uint32_t zsize, unsigned int *fu, unsigned int fc, const uint8_t *ch, int *ret, cli_ctx *ctx, char *tmpd, int detect_encrypted, zip_cb zcb, uint32_t *file_local_header_size, uint32_t* file_local_data_size) { - const uint8_t *lh, *zip; - char name[256]; - uint32_t csize, usize; -@@ -563,7 +565,7 @@ static unsigned int lhdr(fmap_t *map, uint32_t loff,uint32_t zsize, unsigned int - } - virus_found = 1; - } -- -+ - if(LH_flags & F_USEDD) { - cli_dbgmsg("cli_unzip: lh - has data desc\n"); - if(!ch) { -@@ -581,6 +583,11 @@ static unsigned int lhdr(fmap_t *map, uint32_t loff,uint32_t zsize, unsigned int - zip+=LH_elen; - zsize-=LH_elen; - -+ if (NULL != file_local_header_size) -+ *file_local_header_size = zip - lh; -+ if (NULL != file_local_data_size) -+ *file_local_data_size = csize; -+ - if (!csize) { /* FIXME: what's used for method0 files? csize or usize? 
Nothing in the specs, needs testing */ - cli_dbgmsg("cli_unzip: lh - skipping empty file\n"); - } else { -@@ -589,6 +596,7 @@ static unsigned int lhdr(fmap_t *map, uint32_t loff,uint32_t zsize, unsigned int - fmap_unneed_off(map, loff, SIZEOF_LH); - return 0; - } -+ - if(LH_flags & F_ENCR) { - if(fmap_need_ptr_once(map, zip, csize)) - *ret = zdecrypt(zip, csize, usize, lh, fu, ctx, tmpd, zcb); -@@ -624,12 +632,19 @@ static unsigned int lhdr(fmap_t *map, uint32_t loff,uint32_t zsize, unsigned int - return zip-lh; - } - --static unsigned int chdr(fmap_t *map, uint32_t coff, uint32_t zsize, unsigned int *fu, unsigned int fc, int *ret, cli_ctx *ctx, char *tmpd, struct zip_requests *requests) { -+static unsigned int chdr(fmap_t *map, uint32_t coff, uint32_t zsize, unsigned int *fu, unsigned int fc, int *ret, cli_ctx *ctx, char *tmpd, struct zip_requests *requests, uint32_t *file_local_offset, uint32_t *file_local_header_size, uint32_t *file_local_data_size) { - char name[256]; - int last = 0; - const uint8_t *ch; - int virus_found = 0; - -+ if (NULL != file_local_offset) -+ *file_local_offset = 0; -+ if (NULL != file_local_header_size) -+ *file_local_header_size = 0; -+ if (NULL != file_local_data_size) -+ *file_local_data_size = 0; -+ - if(!(ch = fmap_need_off(map, coff, SIZEOF_CH)) || CH_magic != 0x02014b50) { - if(ch) fmap_unneed_ptr(map, ch, SIZEOF_CH); - cli_dbgmsg("cli_unzip: ch - wrkcomplete\n"); -@@ -674,7 +689,9 @@ static unsigned int chdr(fmap_t *map, uint32_t coff, uint32_t zsize, unsigned in - - if (!requests) { - if(CH_offnamecnt; ++i) { - cli_dbgmsg("checking for %i: %s\n", i, requests->names[i]); - -- len = MIN(sizeof(name)-1, requests->namelens[i]); -+ len = MIN(sizeof(name)-1, requests->namelens[i]); - if (!strncmp(requests->names[i], name, len)) { - requests->match = 1; - requests->found = i; -@@ -712,6 +729,13 @@ int cli_unzip(cli_ctx *ctx) { - #if HAVE_JSON - int toval = 0; - #endif -+ int bZipBombDetected = 0; -+ uint32_t cur_file_local_offset = 0; 
-+ uint32_t cur_file_local_header_size = 0; -+ uint32_t cur_file_local_data_size = 0; -+ uint32_t prev_file_local_offset = 0; -+ uint32_t prev_file_local_header_size = 0; -+ uint32_t prev_file_local_data_size = 0; - - cli_dbgmsg("in cli_unzip\n"); - fsize = (uint32_t)map->len; -@@ -744,20 +768,48 @@ int cli_unzip(cli_ctx *ctx) { - } - - if(coff) { -+ uint32_t nOverlappingFiles = 0; -+ - cli_dbgmsg("cli_unzip: central @%x\n", coff); -- while((coff=chdr(map, coff, fsize, &fu, fc+1, &ret, ctx, tmpd, NULL))) { -+ while((coff=chdr(map, coff, fsize, &fu, fc+1, &ret, ctx, tmpd, NULL, &cur_file_local_offset, &cur_file_local_header_size, &cur_file_local_data_size))) { - fc++; - if (ctx->engine->maxfiles && fu>=ctx->engine->maxfiles) { - cli_dbgmsg("cli_unzip: Files limit reached (max: %u)\n", ctx->engine->maxfiles); - ret=CL_EMAXFILES; - } -+ /* -+ * Detect overlapping files and zip bombs. -+ */ -+ if ((((cur_file_local_offset > prev_file_local_offset) && (cur_file_local_offset < prev_file_local_offset + prev_file_local_header_size + prev_file_local_data_size)) || -+ ((prev_file_local_offset > cur_file_local_offset) && (prev_file_local_offset < cur_file_local_offset + cur_file_local_header_size + cur_file_local_data_size))) && -+ (cur_file_local_header_size + cur_file_local_data_size > 0)) { -+ /* Overlapping file detected */ -+ nOverlappingFiles++; -+ -+ cli_dbgmsg("cli_unzip: Overlapping files detected.\n"); -+ cli_dbgmsg(" previous file end: %u\n", prev_file_local_offset + prev_file_local_header_size + prev_file_local_data_size); -+ cli_dbgmsg(" current file start: %u\n", cur_file_local_offset); -+ if (ZIP_MAX_NUM_OVERLAPPING_FILES < nOverlappingFiles) { -+ if (SCAN_HEURISTICS) { -+ ret = cli_append_virus(ctx, "Heuristics.Zip.OverlappingFiles"); -+ virus_found = 1; -+ } else { -+ ret = CL_EFORMAT; -+ } -+ bZipBombDetected = 1; -+ } -+ } -+ prev_file_local_offset = cur_file_local_offset; -+ prev_file_local_header_size = cur_file_local_header_size; -+ 
prev_file_local_data_size = cur_file_local_data_size; -+ - #if HAVE_JSON - if (cli_json_timeout_cycle_check(ctx, &toval) != CL_SUCCESS) { - ret=CL_ETIMEOUT; - } - #endif - if (ret != CL_CLEAN) { -- if (ret == CL_VIRUS && SCAN_ALLMATCHES) { -+ if (ret == CL_VIRUS && SCAN_ALLMATCHES && !bZipBombDetected) { - ret = CL_CLEAN; - virus_found = 1; - } else -@@ -769,7 +821,7 @@ int cli_unzip(cli_ctx *ctx) { - ret = CL_VIRUS; - if(fu<=(fc/4)) { /* FIXME: make up a sane ratio or remove the whole logic */ - fc = 0; -- while (ret==CL_CLEAN && lhoffmatch) { - ret=CL_VIRUS; - } diff -Nru clamav-0.101.2+dfsg/debian/patches/Bumped-version-number-to-0.101.3.patch clamav-0.101.4+dfsg/debian/patches/Bumped-version-number-to-0.101.3.patch --- clamav-0.101.2+dfsg/debian/patches/Bumped-version-number-to-0.101.3.patch 2019-08-06 20:02:44.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/patches/Bumped-version-number-to-0.101.3.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,460 +0,0 @@ -From 9e0d7c6a42bb6f5b17f1696e3b69cc1714142223 Mon Sep 17 00:00:00 2001 -From: Micah Snyder -Date: Fri, 12 Jul 2019 17:16:42 -0400 -Subject: Bumped version number to 0.101.3. - -Patch-Name: Bumped-version-number-to-0.101.3.patch -[sebastian@breakpoint.cc: remove "configure" and "win32/"] -Signed-off-by: Sebastian Andrzej Siewior ---- - NEWS.md | 109 +++++++++++++----------- - configure.ac | 6 +- - docs/UserManual.md | 2 +- - docs/UserManual/Installation-Windows.md | 8 +- - m4/reorganization/version.m4 | 4 +- - 5 files changed, 70 insertions(+), 59 deletions(-) - -diff --git a/NEWS.md b/NEWS.md -index 7f992b8..3cd2587 100644 ---- a/NEWS.md -+++ b/NEWS.md -@@ -1,7 +1,18 @@ - # ClamAV News - - Note: This file refers to the source tarball. Things described here may differ -- slightly from the binary packages. -+ slight -+ -+## 0.101.3 -+ -+ClamAV 0.101.3 is a patch release... -+ -+- Fixes for the following vulnerabilities affecting 0.101.2 and prior: -+ - -+ -+Additional thanks to the following community members for submitting bug reports: -+ -+- - - ## 0.101.2 - -@@ -508,7 +519,7 @@ ClamAV 0.99.4 is a hotfix release to patch a set of vulnerabilities. - a handful of other important bugs, including patches to support g++ 6, C++11. - - Thank you to the following ClamAV community members for your code --submissions and bug reports! -+submissions and bug reports! - - Alberto Garcia - Bernhard Vogel -@@ -550,7 +561,7 @@ ClamAV 0.99.2 is a release of bug fixes and minor enhancements. - - fix ups improving the reliability of several ClamAV file parsers. - - sigtool now decodes file type signatures (e.g., daily.ftm CVD file). - - now supporting libpcre2 in addition to libpcre. --- systemd support for clamd and freshclam. Patch provided by -+- systemd support for clamd and freshclam. Patch provided by - Andreas Cadhalpun. - - fixed builds on Mac OS X 10.10 & 10.11. - - improved debug info for certificate metadata. 
-@@ -592,7 +603,7 @@ Thanks to the following community members for code submissions used in - - ## 0.99 - --ClamAV 0.99 contains major new features and changes. YARA rules, -+ClamAV 0.99 contains major new features and changes. YARA rules, - Perl Compatible Regular Expressions, revamped on-access scanning - for Linux, and other new features join the many great features of ClamAV: - -@@ -603,10 +614,10 @@ Perl Compatible Regular Expressions, revamped on-access scanning - for full details. - - New and improved on-access scanning for Linux. See the recent blog - post and clamdoc.pdf for details on the new on-access capabilities. --- A new ClamAV API callback function that is invoked when a virus -- is found. This is intended primarily for applications running in -- all-match mode. Any applications using all-match mode must use -- the new callback function to record and report detected viruses. -+- A new ClamAV API callback function that is invoked when a virus -+ is found. This is intended primarily for applications running in -+ all-match mode. Any applications using all-match mode must use -+ the new callback function to record and report detected viruses. - - Configurable default password list to attempt zip file decryption. - - TIFF file support. - - Upgrade Windows pthread library to 2.9.1. -@@ -643,7 +654,7 @@ Thank you to the ClamAV community members who sent patches and bug reports - ## 0.98.7 - - ClamAV 0.98.7 is here! This release contains new scanning features --and bug fixes. -+and bug fixes. - - - Improvements to PDF processing: decryption, escape sequence - handling, and file property collection. -@@ -663,7 +674,7 @@ and bug fixes. - CVE-2015-2668. - - Fix compilation error after ./configure --disable-pthreads. - Reported and fix suggested by John E. Krokes. --- Apply upstream patch for possible heap overflow in Henry Spencer's -+- Apply upstream patch for possible heap overflow in Henry Spencer's - regex library. CVE-2015-2305. 
- - Fix crash in upx decoder with crafted file. Discovered and patch - supplied by Sebastian Andrzej Siewior. CVE-2015-2170. -@@ -704,7 +715,7 @@ Kai Risku - - Compensate a crash due to incorrect compiler optimization when - handling crafted petite packer files. This issue was discovered - by Sebastian Andrzej Siewior. -- -+ - Thanks to the following ClamAV community members for code submissions - and bug reporting included in ClamAV 0.98.6: - -@@ -803,17 +814,17 @@ Sebastian Andrzej Siewior - about OpenIOC. - - All ClamAV sockets (clamd, freshclam, clamav-milter, clamdscan, clamdtop) - now support IPV6 addresses and configuration parameters. --- Use OpenSSL file hash functions for improved performance. OpenSSL -+- Use OpenSSL file hash functions for improved performance. OpenSSL - is now prerequisite software for ClamAV 0.98.2. - - Improved detection of malware scripts within image files. Issue reported - by Maarten Broekman. - - Change to circumvent possible denial of service when processing icons within - specially crafted PE files. Icon limits are now in place with corresponding -- clamd and clamscan configuration parameters. This issue was reported by -+ clamd and clamscan configuration parameters. This issue was reported by - Joxean Koret. - - Improvements to the fidelity of the ClamAV pattern matcher, an issue - reported by Christian Blichmann. --- Opt-in collection of statistics. Statistics collected are: sizes and MD5 -+- Opt-in collection of statistics. Statistics collected are: sizes and MD5 - hashes of files, PE file section counts and section MD5 hashes, and names - and counts of detected viruses. Enable statistics collection with the - --enable-stats clamscan flag or StatsEnabled clamd configuration -@@ -822,7 +833,7 @@ Sebastian Andrzej Siewior - assistance and suggestions by Sebastian Andrzej Siewior, Scott Kitterman, - and Dave Simonson. - - Patch by Arkadiusz Miskiewicz to improve error handling in freshclam. 
--- ClamAV 0.98.2 also includes miscellaneous bug fixes and documentation -+- ClamAV 0.98.2 also includes miscellaneous bug fixes and documentation - improvements. - - Thanks to the following ClamAV community members for sending patches or reporting -@@ -841,7 +852,7 @@ Christian Blichmann - REGARDING OPENSSL - - In addition, as a special exception, the copyright holders give --permission to link the code of portions of this program with the -+permission to link the code of portions of this program with the - OpenSSL library under certain conditions as described in each - individual source file, and distribute linked combinations - including the two. -@@ -849,20 +860,20 @@ including the two. - You must obey the GNU General Public License in all respects - for all of the code used other than OpenSSL. If you modify - file(s) with this exception, you may extend this exception to your --version of the file(s), but you are not obligated to do so. If you -+version of the file(s), but you are not obligated to do so. If you - do not wish to do so, delete this exception statement from your - version. If you delete this exception statement from all source - files in the program, then also delete it here. - - ## 0.98.1 - --ClamAV 0.98.1 provides improved support of Mac OS X platform, support for new file types, and -+ClamAV 0.98.1 provides improved support of Mac OS X platform, support for new file types, and - quality improvements. These include: - - - Extraction, decompression, and scanning of files within Apple Disk Image (DMG) format. - - - Extraction, decompression, and scanning of files within Extensible Archive (XAR) format. -- XAR format is commonly used for software packaging, such as PKG and RPM, as well as -+ XAR format is commonly used for software packaging, such as PKG and RPM, as well as - general archival. - - - Decompression and scanning of files in "Xz" compression format. 
-@@ -877,7 +888,7 @@ ClamAV 0.98.1 provides improved support of Mac OS X platform, support for new fi - performance cost. This should only be needed when callback functions are used - that need file access. - --- Various improvements to ClamAV configuration, support of third party libraries, -+- Various improvements to ClamAV configuration, support of third party libraries, - and unit tests. - - ## 0.98 -@@ -915,8 +926,8 @@ support for additional filetypes, and internal upgrades. - - - New callbacks added to the API: The libclamav API has additional hooks - for developers to use when wrapping ClamAV scanning. These function -- types are prefixed with "clcb_" and allow developers to add logic at -- certain steps of the scanning process without directly modifying the -+ types are prefixed with "clcb_" and allow developers to add logic at -+ certain steps of the scanning process without directly modifying the - library. For more details refer to the clamav.h file. - - - More configurable limits: Several hardcoded values are now configurable -@@ -962,20 +973,20 @@ reported as scan result." - - ## 0.97.5 - --ClamAV 0.97.5 addresses possible evasion cases in some archive formats --(CVE-2012-1457, CVE-2012-1458, CVE-2012-1459). It also addresses stability --issues in portions of the bytecode engine. This release is recommended for -+ClamAV 0.97.5 addresses possible evasion cases in some archive formats -+(CVE-2012-1457, CVE-2012-1458, CVE-2012-1459). It also addresses stability -+issues in portions of the bytecode engine. This release is recommended for - all users. - - ## 0.97.4 - --ClamAV 0.97.4 includes minor bugfixes, detection improvements and initial --support for on-access scanning under Mac OS X (see contrib/ClamAuth). -+ClamAV 0.97.4 includes minor bugfixes, detection improvements and initial -+support for on-access scanning under Mac OS X (see contrib/ClamAuth). - This update is recommended for all users. 
- - ## 0.97.3 - --ClamAV 0.97.3 is a minor bugfix release and is recommended for all -+ClamAV 0.97.3 is a minor bugfix release and is recommended for all - users. Please refer to the ChangeLog file for details. - - ## 0.97.2 -@@ -996,9 +1007,9 @@ The ClamAV team (https://www.clamav.net/about.html#credits) - - ClamAV 0.97 brings many improvements, including complete Windows support - (all major components compile out-of-box under Visual Studio), support for --signatures based on SHA1 and SHA256, better error detection, as well as --speed and memory optimizations. The complete list of changes is available --in the ChangeLog file. For upgrade notes and tips please see: -+signatures based on SHA1 and SHA256, better error detection, as well as -+speed and memory optimizations. The complete list of changes is available -+in the ChangeLog file. For upgrade notes and tips please see: - https://wiki.clamav.net/Main/UpgradeNotes097 - - With Sourcefire, Inc. acquisition of Immunet Corp., ClamAV for Windows -@@ -1009,7 +1020,7 @@ the full power of the LibClamAV engine, all the ClamAV signatures, - and creation of custom signatures on any platform running Immunet 3.0, - powered by ClamAV. If you run Windows systems in your environment and - need an AV solution to protect them, give Immunet 3.0, powered by ClamAV --a try; you can download it from https://www.clamav.net/download.html#otherversions -+a try; you can download it from https://www.clamav.net/download.html#otherversions - - -- - The ClamAV team (https://www.clamav.net/about.html#credits) -@@ -1401,7 +1412,7 @@ The ClamAV team (https://www.clamav.net/about.html#credits) - ## 0.90.3 - - This release fixes some security bugs in libclamav and improves stability --under Solaris. Please see ChangeLog for complete list of changes. -+under Solaris. Please see ChangeLog for complete list of changes. 
- - If your system is suffering from long clamscan startup times, please - consider installing 0.91rc1 which is due to be released shortly -@@ -1455,9 +1466,9 @@ systems yet. You are encouraged to pass the --enable-experimental flag to - improvements in terms of detection rate and performances. If you find a bug, - please take some time to report it on our bugzilla: https://bugzilla.clamav.net. - Your help in testing the new code is really appreciated. The experimental code --introduces many improvements in terms of detection rate and performances. -+introduces many improvements in terms of detection rate and performances. - --RAR3, SIS and SFX archives support is finally available together with -+RAR3, SIS and SFX archives support is finally available together with - new unpackers and decryptors: pespin, sue, yc, wwpack32, nspack, mew, upack - and others. Additionally, ClamAV now includes better mechanisms for scanning - ELF, PDF and tar files. The email decoding has been improved to reduce both -@@ -1466,10 +1477,10 @@ the memory requirements and the time taken to process attachments. - As part of the Google Summer of Code program, we have introduced support for - a new phishing signatures format that has proved very effective in detecting - phishing emails. The ClamAV phishing module allows better and more generic --detection of phishing emails by searching for URLs in email messages, and --comparing the real site with the URL displayed to the user in the message. -+detection of phishing emails by searching for URLs in email messages, and -+comparing the real site with the URL displayed to the user in the message. - --On the performance side, support for the MULTISCAN command has been -+On the performance side, support for the MULTISCAN command has been - implemented in clamd, allowing to scan multiple files simultaneously. 
- Support for Sensory Networks' NodalCore acceleration technology - (https://www.clamav.net/nodalcore/) is now available in ClamAV and will be -@@ -1568,7 +1579,7 @@ NodalCore cards. - - mod_streamav - a ClamAV based antivirus filter for Apache 2 - - pyClamd - a python interface to Clamd - --More information at https://www.clamav.net/download.html#tools -+More information at https://www.clamav.net/download.html#tools - - -- - The ClamAV team (https://www.clamav.net/about.html#credits) -@@ -1622,7 +1633,7 @@ architectures and possible security problem in freshclam. - Following the 0.88.1 release some portals and security related websites - published incorrect information on security problems of 0.88. To avoid - such incidents in the future, every new ClamAV package will be released --together with detailed information about security bugs it fixes. -+together with detailed information about security bugs it fixes. - - -- - The ClamAV team (https://www.clamav.net/about.html#credits) -@@ -1892,7 +1903,7 @@ Important note to clamdwatch users: please upgrade to the latest version - - simscan - an e-mail and spam filter for qmail - - smtpfilter - scan SMTP session for viruses - - snort-inline - scan your network traffic for viruses with ClamAV -- - SquidClamAV Redirector - a Squid helper script which adds virus scanning -+ - SquidClamAV Redirector - a Squid helper script which adds virus scanning - - WRAVLib - a library for a-v integration with Mono/.NET applications - - -- -@@ -2050,7 +2061,7 @@ up with or beating the proprietary alternatives." Thanks! - SourceWear.com is selling some very nice t-shirts and polo shirts powered by - ClamAV. Wear them and virus writers will stay away from you :- A quarter out - of every dollar profited from the sale of these shirts will go to the ClamAV --project. Visit http://www.sourcewear.com and click on ClamAV logo! -+project. Visit http://www.sourcewear.com and click on ClamAV logo! 
- - -- - The ClamAV team (https://www.clamav.net/about.html#credits) -@@ -2071,7 +2082,7 @@ We have been distributing the database in both formats till now, but - we plan to drop support for ClamAV 0.60 on September 1st. - - We encourage _all_ users to upgrade to the latest release available. --People running an old version of ClamAV are missing many viruses and -+People running an old version of ClamAV are missing many viruses and - may experience stability problems. - - On non-production systems you can try the latest development version. -@@ -2109,7 +2120,7 @@ The ClamAV team (https://www.clamav.net/about.html#credits) - ## 0.73 - - This version fixes memory management problems in the OLE2 decoder and --improves mail scanning. -+improves mail scanning. - - Thank you for using ClamAV ! - -@@ -2132,7 +2143,7 @@ This release fixes all bugs found in 0.70 and introduces a few new features - - the noteworthy changes include: - - - libclamav: -- - support nested OLE2 files -+ - support nested OLE2 files - - support Word6 macro code - - ignore popular file types (media, graphics) - - support compress.exe (SZDD) compression (test/test.msc) -@@ -2367,7 +2378,7 @@ the highest possible level. - New mirroring mechanisms. Luca Gibelli (ClamAV) and mirror administrators - (22 sites) are converting mirrors to new "push mirroring" - method. It uses advanced techniques to ensure all the mirrors are up to date. --More info: https://www.clamav.net/documents/introduction -+More info: https://www.clamav.net/documents/introduction - - We would like to thank our donors: - -@@ -2540,7 +2551,7 @@ performance is required. Please check clamdoc for more detail. 
- - various mbox code updates (fixed memory leak; added support for decoding - viruses sent in message bodies, detection of viruses that put their - payloads after the end of message marker (thanks to Stephen White -- for the bug report and useful CGI tools); -+ for the bug report and useful CGI tools); - - - zziplib updated to 0.10.81 (some problems with older version were reported - by Martin Schitter) -@@ -2681,7 +2692,7 @@ attachement file names. - ## 0.52 - - This version contains a portability fixes - it should compile on OpenBSD, --MacOSX and NetBSD (support for them was broken in 0.51). -+MacOSX and NetBSD (support for them was broken in 0.51). - - - clamd: various fixes: - - drop supplementary groups (suggested by Enrico Scholz -@@ -2751,7 +2762,7 @@ Please check the manual for more information. - - - clamd: a modern anti-virus daemon. It uses configuration file clamav.conf - described in the clamav.conf(5) manual. The program was written with -- security as a goal. -+ security as a goal. - - - clamuko: on-access scanning under Linux. It utilizes Dazuko kernel module - (GPL, http://dazuko.org) and is clamd-based. -diff --git a/configure.ac b/configure.ac -index 88ff4ff..277a2d8 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -22,7 +22,7 @@ dnl MA 02110-1301, USA. - AC_PREREQ([2.59]) - dnl For a release change [devel] to the real version [0.xy] - dnl also change VERSION below --AC_INIT([ClamAV], [0.101.2], [https://bugzilla.clamav.net/], [clamav], [https://www.clamav.net/]) -+AC_INIT([ClamAV], [0.101.3], [https://bugzilla.clamav.net/], [clamav], [https://www.clamav.net/]) - - dnl enable C++ - AC_PROG_CXX() -@@ -253,7 +253,7 @@ else - if test "X$have_curl" != "Xyes" && test "X$have_json" != "Xyes"; then - CL_MSG_STATUS([clamsubmit ], [no (missing libjson-c-dev AND libcurl-devel. 
Use the website to submit FPs/FNs.)], [no]) - else -- if test "X$have_curl" = "Xyes"; then -+ if test "X$have_curl" = "Xyes"; then - CL_MSG_STATUS([clamsubmit ], [no (missing libjson-c-dev. Use the website to submit FPs/FNs.)], [no]) - else - CL_MSG_STATUS([clamsubmit ], [no (missing libcurl-devel. Use the website to submit FPs/FNs.)], [no]) -@@ -295,7 +295,7 @@ else - CL_MSG_STATUS([pcre ],[$PCRE_HOME],[$have_pcre]) - fi - CL_MSG_STATUS([libmspack ],[yes],[$mspack_msg]) --if test "x$XML_LIBS" = "x"; then -+if test "x$XML_LIBS" = "x"; then - CL_MSG_STATUS([libxml2 ],[no],[]) - else - CL_MSG_STATUS([libxml2 ],[yes, from $XML_HOME],[]) -diff --git a/docs/UserManual.md b/docs/UserManual.md -index 567e14b..7435bdd 100644 ---- a/docs/UserManual.md -+++ b/docs/UserManual.md -@@ -1,4 +1,4 @@ --# Clam AntiVirus 0.101.2 *User Manual* -+# Clam AntiVirus 0.101.3 *User Manual* - - ![image](UserManual/images/demon.png) - -diff --git a/docs/UserManual/Installation-Windows.md b/docs/UserManual/Installation-Windows.md -index 5a693f9..a6d6c9a 100644 ---- a/docs/UserManual/Installation-Windows.md -+++ b/docs/UserManual/Installation-Windows.md -@@ -6,9 +6,9 @@ If you wish to build ClamAV from source using Visual Studio 2015, please head ov - - Important: Installing ClamAV using the Installer will require Administrator privileges. - --1. Download: http://www.clamav.net/downloads/production/ClamAV-0.101.2.exe -+1. Download: http://www.clamav.net/downloads/production/ClamAV-0.101.3.exe - 2. Locate the file in your Downloads directory. --3. Right-click on `ClamAV-0.101.2.exe` and select `Run as administrator`. You may receive a warning message along the lines of "Windows protected your PC". Select `More info` and then select `Run anyway`. -+3. Right-click on `ClamAV-0.101.3.exe` and select `Run as administrator`. You may receive a warning message along the lines of "Windows protected your PC". Select `More info` and then select `Run anyway`. - 4. 
Select `I accept the agreement` and click `Next`. - 5. Click `Next` again. If you've removed a previous installation of ClamAV, you may receive the prompt "The folder ... already exists...". If you do, select `Yes`. - 6. Click `Install`. -@@ -28,9 +28,9 @@ Continue on to "First Time Set-Up" below... - - ## Install using the ClamAV Portable Install Package - --1. Download: https://www.clamav.net/downloads/production/clamav-0.101.2-win-x64-portable.zip -+1. Download: https://www.clamav.net/downloads/production/clamav-0.101.3-win-x64-portable.zip - 2. Unzip it. --3. Open the `clamav-0.101.2-win-x64-portable` directory. -+3. Open the `clamav-0.101.3-win-x64-portable` directory. - 4. Hold down Shift and then right-click on the background in the current directory (but not on one of the files). Select `"Open PowerShell window here"`. If that option doesn't appear, try again. - - Continue on to "First Time Set-Up"... -diff --git a/m4/reorganization/version.m4 b/m4/reorganization/version.m4 -index 57d23e4..c834b53 100644 ---- a/m4/reorganization/version.m4 -+++ b/m4/reorganization/version.m4 -@@ -1,9 +1,9 @@ - dnl change this on a release - dnl VERSION="devel-`date +%Y%m%d`" --VERSION="0.101.2" -+VERSION="0.101.3" - - LC_CURRENT=9 --LC_REVISION=2 -+LC_REVISION=3 - LC_AGE=0 - LIBCLAMAV_VERSION="$LC_CURRENT":"$LC_REVISION":"$LC_AGE" - AC_SUBST([LIBCLAMAV_VERSION]) diff -Nru clamav-0.101.2+dfsg/debian/patches/Change-paths-in-sample-conf-file-to-match-Debian.patch clamav-0.101.4+dfsg/debian/patches/Change-paths-in-sample-conf-file-to-match-Debian.patch --- clamav-0.101.2+dfsg/debian/patches/Change-paths-in-sample-conf-file-to-match-Debian.patch 2019-08-06 20:02:44.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/patches/Change-paths-in-sample-conf-file-to-match-Debian.patch 2019-08-25 10:53:19.000000000 +0000 @@ -1,4 +1,4 @@ -From b48451aff1cb63af054c74b54564e39ff7b5cd4d Mon Sep 17 00:00:00 2001 +From 4e4774ddaf9ce107b944830f11d33f9d539e6375 Mon Sep 17 00:00:00 2001 
From: Scott Kitterman Date: Mon, 10 Mar 2014 19:20:18 -0400 Subject: Change paths in sample conf file to match Debian diff -Nru clamav-0.101.2+dfsg/debian/patches/add-support-for-system-tomsfastmath.patch clamav-0.101.4+dfsg/debian/patches/add-support-for-system-tomsfastmath.patch --- clamav-0.101.2+dfsg/debian/patches/add-support-for-system-tomsfastmath.patch 2019-08-06 20:02:44.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/patches/add-support-for-system-tomsfastmath.patch 2019-08-25 10:53:19.000000000 +0000 @@ -1,4 +1,4 @@ -From f00b0d08179db47e34aeb5056116e8694a42a4b8 Mon Sep 17 00:00:00 2001 +From b24dce89cbeab82baca41d02f21f7d8e3e642b3e Mon Sep 17 00:00:00 2001 From: Andreas Cadhalpun Date: Wed, 11 Mar 2015 20:03:15 +0100 Subject: add support for system tomsfastmath @@ -14,7 +14,7 @@ create mode 100644 m4/reorganization/libs/tomsfastmath.m4 diff --git a/configure.ac b/configure.ac -index 1a2431a..88ff4ff 100644 +index c0638fc..9a1cf02 100644 --- a/configure.ac +++ b/configure.ac @@ -96,6 +96,7 @@ m4_include([m4/reorganization/libs/libmspack.m4]) diff -Nru clamav-0.101.2+dfsg/debian/patches/clamd_dont_depend_on_clamav_demon_socket.patch clamav-0.101.4+dfsg/debian/patches/clamd_dont_depend_on_clamav_demon_socket.patch --- clamav-0.101.2+dfsg/debian/patches/clamd_dont_depend_on_clamav_demon_socket.patch 2019-08-06 20:02:44.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/patches/clamd_dont_depend_on_clamav_demon_socket.patch 2019-08-25 10:53:19.000000000 +0000 @@ -1,4 +1,4 @@ -From d22241edbec2fa27b175e4ccac11612a1b2c7937 Mon Sep 17 00:00:00 2001 +From 75151a065b91b322e1d7867c0658686e316b2972 Mon Sep 17 00:00:00 2001 
From: Sebastian Andrzej Siewior Date: Thu, 11 Aug 2016 21:54:10 +0200 Subject: clamd: don't depend on clamav-demon.socket diff -Nru clamav-0.101.2+dfsg/debian/patches/series clamav-0.101.4+dfsg/debian/patches/series --- clamav-0.101.2+dfsg/debian/patches/series 2019-08-06 20:02:44.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/patches/series 2019-08-25 10:53:19.000000000 +0000 @@ -4,5 +4,3 @@ Add-support-for-LLVM-3.7.patch Add-support-for-LLVM-3.8.patch Add-support-for-LLVM-3.9.patch -Bumped-version-number-to-0.101.3.patch -Adds-detection-and-heuristic-alert-for-zips-with-ove.patch diff -Nru clamav-0.101.2+dfsg/debian/rules clamav-0.101.4+dfsg/debian/rules --- clamav-0.101.2+dfsg/debian/rules 2019-08-06 20:02:44.000000000 +0000 +++ clamav-0.101.4+dfsg/debian/rules 2019-08-25 10:53:19.000000000 +0000 @@ -88,7 +88,7 @@ fi;\ done; \ # Check for library features which may have been upgraded. - if ! grep -q "CL_FLEVEL 102" libclamav/others.h ; then \ + if ! grep -q "CL_FLEVEL 105" libclamav/others.h ; then \ echo "cl_retflevel needs boosting in symbol file"; \ touch debian/exit; \ fi; diff -Nru clamav-0.101.2+dfsg/docs/UserManual/Installation-Windows.md clamav-0.101.4+dfsg/docs/UserManual/Installation-Windows.md --- clamav-0.101.2+dfsg/docs/UserManual/Installation-Windows.md 2019-03-13 21:13:01.000000000 +0000 +++ clamav-0.101.4+dfsg/docs/UserManual/Installation-Windows.md 2019-08-20 16:08:49.000000000 +0000 
@@ -6,9 +6,9 @@ Important: Installing ClamAV using the Installer will require Administrator privileges. -1. Download: http://www.clamav.net/downloads/production/ClamAV-0.101.2.exe +1. Download: http://www.clamav.net/downloads/production/ClamAV-0.101.4.exe 2. Locate the file in your Downloads directory. -3. Right-click on `ClamAV-0.101.2.exe` and select `Run as administrator`. You may receive a warning message along the lines of "Windows protected your PC". Select `More info` and then select `Run anyway`. +3. Right-click on `ClamAV-0.101.4.exe` and select `Run as administrator`. You may receive a warning message along the lines of "Windows protected your PC". Select `More info` and then select `Run anyway`. 4. Select `I accept the agreement` and click `Next`. 5. Click `Next` again. If you've removed a previous installation of ClamAV, you may receive the prompt "The folder ... already exists...". If you do, select `Yes`. 6. Click `Install`. @@ -28,9 +28,9 @@ ## Install using the ClamAV Portable Install Package -1. Download: https://www.clamav.net/downloads/production/clamav-0.101.2-win-x64-portable.zip +1. Download: https://www.clamav.net/downloads/production/clamav-0.101.4-win-x64-portable.zip 2. Unzip it. -3. Open the `clamav-0.101.2-win-x64-portable` directory. +3. Open the `clamav-0.101.4-win-x64-portable` directory. 4. Hold down Shift and then right-click on the background in the current directory (but not on one of the files). Select `"Open PowerShell window here"`. If that option doesn't appear, try again. Continue on to "First Time Set-Up"... diff -Nru clamav-0.101.2+dfsg/docs/UserManual.md clamav-0.101.4+dfsg/docs/UserManual.md --- clamav-0.101.2+dfsg/docs/UserManual.md 2019-03-13 21:13:01.000000000 +0000 +++ clamav-0.101.4+dfsg/docs/UserManual.md 2019-08-20 16:08:49.000000000 +0000 
@@ -1,4 +1,4 @@ -# Clam AntiVirus 0.101.2 *User Manual* +# Clam AntiVirus 0.101.4 *User Manual* ![image](UserManual/images/demon.png) diff -Nru clamav-0.101.2+dfsg/docs/html/UserManual/Installation-Unix/Steps-macOS.html clamav-0.101.4+dfsg/docs/html/UserManual/Installation-Unix/Steps-macOS.html --- clamav-0.101.2+dfsg/docs/html/UserManual/Installation-Unix/Steps-macOS.html 2019-03-13 21:13:08.000000000 +0000 +++ clamav-0.101.4+dfsg/docs/html/UserManual/Installation-Unix/Steps-macOS.html 2019-08-20 16:09:34.000000000 +0000 @@ -245,11 +245,11 @@

Then, these commands can be used to create the clamav group and clamav user.

sudo dscl . create /Groups/clamav
 sudo dscl . create /Groups/clamav RealName "Clam Antivirus Group"
-sudo dscl . create /Groups/clamav gid 799           # Ensure this is unique!
+sudo dscl . create /Groups/clamav gid 799           # Ensure this is unique!
 sudo dscl . create /Users/clamav
 sudo dscl . create /Users/clamav RealName "Clam Antivirus User"
 sudo dscl . create /Users/clamav UserShell /bin/false
-sudo dscl . create /Users/clamav UniqueID 599       # Ensure this is unique!
+sudo dscl . create /Users/clamav UniqueID 599       # Ensure this is unique!
 sudo dscl . create /Users/clamav PrimaryGroupID 799 # Must match the above gid!

Finally, you will want to set user ownership of the database directory.
For example:

diff -Nru clamav-0.101.2+dfsg/docs/html/UserManual/Installation-Windows.html clamav-0.101.4+dfsg/docs/html/UserManual/Installation-Windows.html --- clamav-0.101.2+dfsg/docs/html/UserManual/Installation-Windows.html 2019-03-13 21:13:06.000000000 +0000 +++ clamav-0.101.4+dfsg/docs/html/UserManual/Installation-Windows.html 2019-08-20 16:09:27.000000000 +0000 @@ -14,9 +14,9 @@

Install using the ClamAV Windows Installer

Important: Installing ClamAV using the Installer will require Administrator privileges.

    -
  1. Download: http://www.clamav.net/downloads/production/ClamAV-0.101.2.exe
  2. +
  3. Download: http://www.clamav.net/downloads/production/ClamAV-0.101.4.exe
  4. Locate the file in your Downloads directory.
  5. -
  6. Right-click on ClamAV-0.101.2.exe and select Run as administrator. You may receive a warning message along the lines of "Windows protected your PC". Select More info and then select Run anyway.
  7. +
  8. Right-click on ClamAV-0.101.4.exe and select Run as administrator. You may receive a warning message along the lines of "Windows protected your PC". Select More info and then select Run anyway.
  9. Select I accept the agreement and click Next.
  10. Click Next again. If you've removed a previous installation of ClamAV, you may receive the prompt "The folder ... already exists...". If you do, select Yes.
  11. Click Install.
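Review bot: In the `@@ -14,9 +14,9 @@` hunk of docs/html/UserManual/Installation-Windows.html, step 1 still links to `http://www.clamav.net/downloads/production/ClamAV-0.101.4.exe`, a plain-HTTP URL for an executable that step 3 tells the reader to run as administrator and to click through the "Windows protected your PC" warning. The portable package link in the next hunk already uses `https://www.clamav.net/...`. Switch the installer link to `https://` as well, here and in the matching docs/UserManual/Installation-Windows.md hunk, instead of only bumping the version number in it.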
  12. @@ -30,9 +30,9 @@

    Continue on to "First Time Set-Up" below...

    Install using the ClamAV Portable Install Package

      -
    1. Download: https://www.clamav.net/downloads/production/clamav-0.101.2-win-x64-portable.zip
    2. +
    3. Download: https://www.clamav.net/downloads/production/clamav-0.101.4-win-x64-portable.zip
    4. Unzip it.
    5. -
    6. Open the clamav-0.101.2-win-x64-portable directory.
    7. +
    8. Open the clamav-0.101.4-win-x64-portable directory.
    9. Hold down Shift and then right-click on the background in the current directory (but not on one of the files). Select "Open PowerShell window here". If that option doesn't appear, try again.

    Continue on to "First Time Set-Up"...

    diff -Nru clamav-0.101.2+dfsg/docs/html/UserManual/Signatures/PhishSigs.html clamav-0.101.4+dfsg/docs/html/UserManual/Signatures/PhishSigs.html --- clamav-0.101.2+dfsg/docs/html/UserManual/Signatures/PhishSigs.html 2019-03-13 21:13:11.000000000 +0000 +++ clamav-0.101.4+dfsg/docs/html/UserManual/Signatures/PhishSigs.html 2019-08-20 16:09:30.000000000 +0000 @@ -114,11 +114,11 @@
    • RealURL
    -

    is the URL the user is sent to, example: href attribute of an html anchor (\ tag)

    +

    is the URL the user is sent to, example: href attribute of an html anchor (<a> tag)

    • DisplayedURL
    -

    is the URL description displayed to the user, where its claimed they are sent, example: contents of an html anchor (\ tag)

    +

    is the URL description displayed to the user, where its claimed they are sent, example: contents of an html anchor (<a> tag)

    • DisplayedHostname
    @@ -200,7 +200,7 @@ H:amazon.co.uk:0-20

    First line: engine versions 20, 21, ..., 29 can load it

    Second line: engine versions >= 20 can load it

    -

    Third line: engine versions \< 20 can load it

    +

    Third line: engine versions < 20 can load it

    In a real situation, you’d probably use the second form. A situation like that would be if you are using a feature of the signatures not available in earlier versions, or if earlier versions have bugs with your signature. Its neither case here, the above examples are for illustrative purposes only.

    Examples of WDB signatures

    To allow amazon’s country specific domains and amazon.com, to mix domain names in DisplayedURL, and RealURL:

    @@ -331,22 +331,22 @@

    (anchor) the href is the realURL, its contents is the displayedURL

    • contents
      -is the tag-stripped contents of the \ tags, so for example \ tags are stripped (but not their contents)
    • +is the tag-stripped contents of the <a> tags, so for example <b> tags are stripped (but not their contents)
    -

    nesting another \ tag withing an \ tag (besides being invalid html) is treated as a \\<a..

    +

    nesting another <a> tag withing an <a> tag (besides being invalid html) is treated as a </a><a..

    • form
    -

    the action attribute is the realURL, and a nested \ tag is the displayedURL

    +

    the action attribute is the realURL, and a nested <a> tag is the displayedURL

    • img/area
    -

    if nested within an \ tag, the realURL is the href of the a tag, and the src/dynsrc/area is the displayedURL of the img

    +

    if nested within an <a> tag, the realURL is the href of the a tag, and the src/dynsrc/area is the displayedURL of the img

    if nested withing a form tag, then the action attribute of the form tag is the realURL

    • iframe
    -

    if nested withing an \ tag the src attribute is the displayedURL, and the href of its parent a tag is the realURL

    +

    if nested withing an <a> tag the src attribute is the displayedURL, and the href of its parent a tag is the realURL

    if nested withing a form tag, then the action attribute of the form tag is the realURL

    Example

    Consider this html file:
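Review bot: The changed lines in the `@@ -331,22 +331,22 @@` hunk of PhishSigs.html put the missing `<a>` and `<b>` tag names back but keep the misspelling "withing" ("nesting another <a> tag withing an <a> tag", "if nested withing an <a> tag"). These lines are being rewritten anyway, so correct it to "within". The unchanged "if nested withing a form tag" context lines carry the same typo and could be fixed in the same pass.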

    diff -Nru clamav-0.101.2+dfsg/docs/html/UserManual/development.html clamav-0.101.4+dfsg/docs/html/UserManual/development.html --- clamav-0.101.2+dfsg/docs/html/UserManual/development.html 2019-03-13 21:13:05.000000000 +0000 +++ clamav-0.101.4+dfsg/docs/html/UserManual/development.html 2019-08-20 16:09:29.000000000 +0000 @@ -196,7 +196,7 @@

    First, install perf, which on Linux can be done via:

    apt-get install linux-tools-common linux-tools-generic linux-tools-`uname -r`

    Modify the system settings to allow perf record to be run by a standard user:

    -
    sudo su     # Run the following as root
    +
    sudo su     # Run the following as root
     cat /proc/sys/kernel/perf_event_paranoid
     echo "1" > /proc/sys/kernel/perf_event_paranoid
     exit
    diff -Nru clamav-0.101.2+dfsg/docs/html/UserManual.html clamav-0.101.4+dfsg/docs/html/UserManual.html --- clamav-0.101.2+dfsg/docs/html/UserManual.html 2019-03-13 21:13:04.000000000 +0000 +++ clamav-0.101.4+dfsg/docs/html/UserManual.html 2019-08-20 16:09:26.000000000 +0000 @@ -9,7 +9,7 @@ -

    Clam AntiVirus 0.101.2 User Manual

    +

    Clam AntiVirus 0.101.4 User Manual

    image


    Table Of Contents

    diff -Nru clamav-0.101.2+dfsg/etc/clamd.conf.sample clamav-0.101.4+dfsg/etc/clamd.conf.sample --- clamav-0.101.2+dfsg/etc/clamd.conf.sample 2019-03-13 21:13:01.000000000 +0000 +++ clamav-0.101.4+dfsg/etc/clamd.conf.sample 2019-08-20 16:08:49.000000000 +0000 @@ -85,7 +85,7 @@ # Default: no #OfficialDatabaseOnly no -# The daemon can work in local mode, network mode or both. +# The daemon can work in local mode, network mode or both. # Due to security reasons we recommend the local mode. # Path to a local socket file the daemon will listen on. @@ -231,7 +231,7 @@ #DetectPUA yes # Exclude a specific PUA category. This directive can be used multiple times. -# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for +# See https://github.com/vrtadmin/clamav-faq/blob/master/faq/faq-pua.md for # the complete list of PUA categories. # Default: Load all categories (if DetectPUA is activated) #ExcludePUA NetTool @@ -271,9 +271,9 @@ # the end of a scan. If an archive contains both a heuristically detected # virus/phish, and a real malware, the real malware will be reported # -# Keep this disabled if you intend to handle "*.Heuristics.*" viruses +# Keep this disabled if you intend to handle "*.Heuristics.*" viruses # differently from "real" malware. -# If a non-heuristically-detected virus (signature-based) is found first, +# If a non-heuristically-detected virus (signature-based) is found first, # the scan is interrupted immediately, regardless of this config option. # # Default: no 
@@ -475,6 +475,16 @@ # The options below protect your system against Denial of Service attacks # using archive bombs. +# This option sets the maximum amount of time to a scan may take. +# In this version, this field only affects the scan time of ZIP archives. +# Value of 0 disables the limit +# Note: disabling this limit or setting it too high may result allow scanning +# of certain files to lock up the scanning process/threads resulting in a Denial +# of Service. +# Time is in milliseconds. +# Default: 120000 +#MaxScanTime 300000 + # This option sets the maximum amount of data to be scanned for each input # file. # Archives and other containers are recursively extracted and scanned up to @@ -697,7 +707,7 @@ ## Bytecode ## -# With this option enabled ClamAV will load bytecode from the database. +# With this option enabled ClamAV will load bytecode from the database. # It is highly recommended you keep this option on, otherwise you'll miss # detections for many new viruses. # Default: yes @@ -721,7 +731,7 @@ #BytecodeSecurity TrustSigned # Set bytecode timeout in milliseconds. -# +# # Default: 5000 # BytecodeTimeout 1000 diff -Nru clamav-0.101.2+dfsg/freshclam/manager.c clamav-0.101.4+dfsg/freshclam/manager.c --- clamav-0.101.2+dfsg/freshclam/manager.c 2019-03-13 21:13:01.000000000 +0000 +++ clamav-0.101.4+dfsg/freshclam/manager.c 2019-08-20 16:08:49.000000000 +0000 @@ -2105,7 +2105,7 @@ if(!tmpdir){ free(newfile); return FCE_MEM; - } + } maxattempts = optget (opts, "MaxAttempts")->numarg; for (i = currver + 1; i <= newver; i++) 
@@ -2518,6 +2518,41 @@ return FC_SUCCESS; } +/** + * @brief Compare two version strings. + * + * @param v1 Version string 1 + * @param v2 Version string 2 + * @return int 1 if v1 is greater, 0 if equal, -1 if smaller. + */ +int version_string_compare(char *v1, size_t v1_len, char *v2, size_t v2_len) +{ + size_t i, j; + int vnum1 = 0, vnum2 = 0; + + for (i = 0, j = 0; (i < v1_len || j < v2_len);) { + while (i < v1_len && v1[i] != '.') { + vnum1 = vnum1 * 10 + (v1[i] - '0'); + i++; + } + + while (j < v2_len && v2[j] != '.') { + vnum2 = vnum2 * 10 + (v2[j] - '0'); + j++; + } + + if (vnum1 > vnum2) + return 1; + if (vnum2 > vnum1) + return -1; + + vnum1 = vnum2 = 0; + i++; + j++; + } + return 0; +} + int downloadmanager (const struct optstruct *opts, const char *hostname, unsigned int attempt) @@ -2605,8 +2640,8 @@ && !strstr (vstr, "rc")) { pt = strchr (vstr, '-'); - if ((pt && strncmp (vstr, newver, pt - vstr)) - || (!pt && strcmp (vstr, newver))) + if ((pt && (0 > version_string_compare(vstr, pt - vstr, newver, strlen(newver)))) || + (!pt && (0 > version_string_compare(vstr, strlen(vstr), newver, strlen(newver))))) { logg ("^Your ClamAV installation is OUTDATED!\n"); logg ("^Local version: %s Recommended version: %s\n", vstr, newver); diff -Nru clamav-0.101.2+dfsg/libclamav/bytecode_api.h clamav-0.101.4+dfsg/libclamav/bytecode_api.h --- clamav-0.101.2+dfsg/libclamav/bytecode_api.h 2019-03-13 21:13:01.000000000 +0000 +++ clamav-0.101.4+dfsg/libclamav/bytecode_api.h 2019-08-20 16:08:49.000000000 +0000 @@ -50,7 +50,7 @@ /** \group_config - * Specifies the bytecode type and how ClamAV executes it + * Specifies the bytecode type and how ClamAV executes it */ enum BytecodeKind { /** generic bytecode, not tied a specific hook */ 
@@ -86,7 +86,7 @@ FUNC_LEVEL_096_2 = 54, /* LibClamAV release 0.96.2: PDF Hooks require this minimum level */ FUNC_LEVEL_096_2_dev = 55, FUNC_LEVEL_096_3 = 55, /* LibClamAV release 0.96.3: BC_PE_ALL bytecodes require this minimum level */ - FUNC_LEVEL_096_4 = 56, /* LibClamAV release 0.96.4: minimum recommended engine version, older versions + FUNC_LEVEL_096_4 = 56, /* LibClamAV release 0.96.4: minimum recommended engine version, older versions * have quadratic load time */ FUNC_LEVEL_096_5 = 58, /* LibClamAV release 0.96.5 */ FUNC_LEVEL_097 = 60, /* LibClamAV release 0.97.0: older bytecodes may incorrectly use 57 */ @@ -118,7 +118,9 @@ FUNC_LEVEL_0101_0_BETA = 100, /* LibClamAV beta release 0.101.0-beta */ FUNC_LEVEL_0101_0 = 101, /* LibClamAV release 0.101.0, 0.101.0-rc */ FUNC_LEVEL_0101_1 = 102, /* LibClamAV release 0.101.1 */ - FUNC_LEVEL_0101_2 = 103, /* LibClamAV release 0.101.3 */ + FUNC_LEVEL_0101_2 = 102, /* LibClamAV release 0.101.2 */ + FUNC_LEVEL_0101_3 = 102, /* LibClamAV release 0.101.3 */ + FUNC_LEVEL_0101_4 = 105, /* LibClamAV release 0.101.4 */ FUNC_LEVEL_100 = 255 /* future release candidate */ }; @@ -136,7 +138,7 @@ /** \group_pdf - * PDF flags + * PDF flags */ enum pdf_flag { BAD_PDF_VERSION=0, /* */ @@ -273,7 +275,7 @@ extern const struct cli_pe_hook_data __clambc_pedata; /** \group_globals - * File size (max 4G). + * File size (max 4G). */ extern const uint32_t __clambc_filesize[1]; @@ -372,7 +374,7 @@ * @return 0 for success * * You can use lseek to disassemble starting from a different location. - * This is a low-level API, the result is in ClamAV type-8 signature format + * This is a low-level API, the result is in ClamAV type-8 signature format * (64 bytes/instruction). * \sa DisassembleAt */ 
@@ -417,7 +419,7 @@ int32_t file_byteat(uint32_t offset); /** -\group_adt +\group_adt * Allocates memory. Currently this memory is freed automatically on exit * from the bytecode, and there is no way to free it sooner. * @param[in] size amount of memory to allocate in bytes @@ -468,7 +470,7 @@ int32_t extract_new(int32_t id); /** -\group_file +\group_file * Reads a number in the specified radix starting from the current position. * Non-numeric characters are ignored. * @param[in] radix 10 or 16 @@ -507,7 +509,7 @@ * @param[in] hs ID of hashset (from hashset_new) * @param[in] key the key to lookup * @return 1 if found - * @return 0 if not found + * @return 0 if not found * @return <0 on invalid hashset ID */ int32_t hashset_contains(int32_t hs, uint32_t key); @@ -667,8 +669,8 @@ \group_js * Initializes JS normalizer for reading 'from_buffer'. * Normalized JS will be written to a single tempfile, - * one normalized JS per line, and automatically scanned - * when the bytecode finishes execution. + * one normalized JS per line, and automatically scanned + * when the bytecode finishes execution. * @param[in] from_buffer ID of buffer_pipe to read javascript from * @return ID of JS normalizer, <0 on failure */ @@ -700,7 +702,7 @@ /** \group_math * Returns 2^26*log2(a/b) - * @param[in] a input + * @param[in] a input * @param[in] b input * @return 2^26*log2(a/b) */ @@ -854,7 +856,7 @@ /** \group_adt - * Looks up key in map. + * Looks up key in map. * The map remember the last looked up key (so you can retrieve the * value). * @param[in] id id of map 
@@ -902,10 +904,10 @@ * specified position. * @param[in] data the sequence of bytes to look for * @param[in] len length of \p data, cannot be more than 1024 - * @param[in] maxpos maximum position to look for a match, + * @param[in] maxpos maximum position to look for a match, * note that this is 1 byte after the end of last possible match: * match_pos + \p len < \p maxpos - * @return offset in the current file if match is found, -1 otherwise + * @return offset in the current file if match is found, -1 otherwise */ int32_t file_find_limit(const uint8_t *data, uint32_t len, int32_t maxpos); @@ -930,7 +932,7 @@ /** \group_engine * Returns the current engine's scan options. **DEPRECATED** - * @return CL_SCAN* flags + * @return CL_SCAN* flags */ uint32_t engine_scan_options(void); @@ -1032,7 +1034,7 @@ /* --------------------- PDF APIs ----------------------------------- */ /** \group_pdf - * Return number of pdf objects + * Return number of pdf objects * @return -1 - if not called from PDF hook * @return >=0 - number of PDF objects */ @@ -1141,7 +1143,7 @@ /* ----------------------------- Icon APIs -------------------------- */ /** -\group_icon +\group_icon * Attempts to match current executable's icon against the specified icon * groups. * @param[in] group1 - same as GROUP1 in LDB signatures @@ -1236,7 +1238,7 @@ /** \group_json - * @return number of characters transferred (capped by str_len), + * @return number of characters transferred (capped by str_len), * including terminating null-character * @return -1 if an error has occurred * @return -2 if object is not JSON_TYPE_STRING 
@@ -1272,11 +1274,11 @@ \group_engine * Check if any given scan option is enabled. * Returns non-zero if the following named options are set: - * + * * "general allmatch" - all-match mode is enabled * "general collect metadata" - --gen-json is enabled * "general heuristics" - --gen-json is enabled - * + * * "parse archive" - archive parsing is enabled * "parse pdf" - pdf parsing is enabled * "parse swf" - swf parsing is enabled @@ -1286,7 +1288,7 @@ * "parse ole2" - ole2 parsing is enabled * "parse html" - html parsing is enabled * "parse pe" - pe parsing is enabled - * + * * "heuristic precedence" - heuristic signatures are set to take precedence * "heuristic broken" - broken pe heuristic is enabled * "heuristic exceeds max" - heuristic for when max settings are exceeded is enabled @@ -1298,14 +1300,14 @@ * "heuristic structured" - structured heuristic is enabled * "heuristic structured ssn normal" - structured ssn normal heuristic is enabled * "heuristic structured ssn stripped" - structured ssn stripped heuristic is enabled - * + * * "mail partial message" - parsing of partial mail messages is enabled - * + * * "dev collect sha" - --dev-collect-hashes is enabled * "dev collect performance info" - --dev-performance is enabled - * + * * @param[in] scan_options enum value for desired scan option category. - * @return CL_SCAN_
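Review bot: the new MaxScanTime comment in etc/clamd.conf.sample (hunk @@ -475,6 +475,16 @@) has two wording errors that make the warning hard to read. "the maximum amount of time to a scan may take" should read "the maximum amount of time a scan may take", and "may result allow scanning of certain files to lock up" should read "may allow scanning of certain files to lock up". The sentence "Value of 0 disables the limit" is also missing its final period, unlike the lines around it.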
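Review bot: version_string_compare() in freshclam/manager.c (hunk @@ -2518,6 +2518,41 @@) never checks that a byte is a digit before folding it into the component with `vnum1 = vnum1 * 10 + (v1[i] - '0');`, and the same applies to vnum2. Any character other than '.' is accumulated, so a non-numeric suffix produces an arbitrary value, and a long run of digits overflows the signed int. Suggest rejecting or stopping at the first non-digit (isdigit on an unsigned char) and bounding the accumulator. The doc comment also lacks @param entries for v1_len and v2_len, both string parameters can be `const char *` since they are only read, and the function can be `static` if it is only used in this file.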
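Review bot: in downloadmanager (hunk @@ -2605,8 +2640,8 @@) the two branches of the condition differ only in the length passed for vstr, so the call to version_string_compare is written twice. Computing the length once, for example `size_t vlen = pt ? (size_t)(pt - vstr) : strlen(vstr);`, and making a single call would be easier to read and would make the ptrdiff_t to size_t conversion of `pt - vstr` explicit. Note also that the test changed from "strings differ" to "local version is lower", and that newver is handed to the comparison with only strlen(newver), so it relies on the digit handling inside version_string_compare; a short comment stating the expected format of both strings would help.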
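Review bot: the FUNC_LEVEL changes in libclamav/bytecode_api.h (hunk @@ -118,7 +118,9 @@) need a comment explaining the numbering. FUNC_LEVEL_0101_2 goes from 103 down to 102, so FUNC_LEVEL_0101_1, FUNC_LEVEL_0101_2 and FUNC_LEVEL_0101_3 now all equal 102, and FUNC_LEVEL_0101_4 jumps to 105, leaving 103 and 104 unassigned. A line above these entries saying why the three releases share a level and why 103 and 104 are skipped would keep a later reader from treating it as a mistake, in the same way the existing FUNC_LEVEL_097 entry notes that older bytecodes may incorrectly use 57.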