[EPEL-devel] Re: Are there any plans to rebuild ClamAV in EPEL7 following CVE-2022-37434?
On Tue, 1 Nov 2022 at 13:44, Nick Howitt via epel-devel <
epel-devel(a)lists.fedoraproject.org> wrote:
On 01/11/2022 15:46, Tuomo Soini wrote:
> On Tue, 1 Nov 2022 10:50:02 +0000
> Nick Howitt via epel-devel <epel-devel(a)lists.fedoraproject.org> wrote:
>
>> Yesterday, ClamAV announced CVE-2022-37434 as critical
>> (
https://blog.clamav.net/2022/10/new-packages-for-clamav-01037-01044.html).
>> Redhat only seem to classify the issue as Moderate in EL7 -
>> https://access.redhat.com/security/cve/cve-2022-37434. It looks like
>> that, unless Redhat classify it as Critical, zlib and zlib-devel
>> won't get updated so ClamAV can't be rebuilt against the updated
>> zlib-devel. What is the EPEL take on the issue?
> Question was about update of bundled libraries which are not used by
> epel package.
>
Sorry but the spec file has "BuildRequires: zlib-devel" so it is used
for building and, if I understand correctly, the CVE effectively means
ClamAV needs to be rebuilt against the fixed zlib/zlib-devel. Please let
me know if I have misunderstood.
That means it is using the OS zlib to build things. If RHEL does not ship
any update, then rebuilding it won't fix anything.
If you backport the fix to the shipped zlib source code and build it
yourself, then if all goes well everything which was built against the
original ABI will continue to work without recompiling
If you compile a new zlib then you may need to recompile it but also every
other spec that requires zlib-devel.
--
Stephen Smoogen, Red Hat Automotive
Let us be kind to one another, for most of us are fighting a hard battle.
-- Ian MacClaren
Attachments:
- attachment.html (text/html — 2.5 KB)