rpms/clamav/FC-5 clamav-0.88.1-strncpy.patch, NONE, 1.1 clamav-0.88.1-guys, please-read-the-compiler-warnings-before-doing-a-release.patch, NONE, 1.1 sources, 1.15, 1.16 clamav.spec, 1.33, 1.34

Enrico Scholz (ensc) fedora-extras-commits at redhat.com
Sun Apr 30 10:33:38 UTC 2006


Author: ensc

Update of /cvs/extras/rpms/clamav/FC-5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv25624/FC-5

Modified Files:
	sources clamav.spec 
Added Files:
	clamav-0.88.1-strncpy.patch 
	clamav-0.88.1-guys,please-read-the-compiler-warnings-before-doing-a-release.patch 
Log Message:
- updated to 0.88.2 (SECURITY)
- added patch which fixes wrong usage of strncpy(3) in unrarlib.c
- added patch which fixes some classes of compiler warnings


clamav-0.88.1-strncpy.patch:

--- NEW FILE clamav-0.88.1-strncpy.patch ---
2006-04-24  Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de>

	* libclamav/unrarlib.c/stricomp(): terminate the string copied
	  with strncpy() explicitly with '\0'. Does not seem to be
	  exploitable at the moment due to deeply buried constraints
	  (function will be called for buffers with a static size of
	  260 only).

	  But it is better to fix it now than to run into problems
	  when function is used for other purposes.

--- clamav-0.88.1/libclamav/unrarlib.c.strncpy	2005-06-23 22:03:12.000000000 +0200
+++ clamav-0.88.1/libclamav/unrarlib.c	2006-04-24 23:10:07.000000000 +0200
@@ -1180,8 +1180,10 @@ int stricomp(char *Str1,char *Str2)
   char S1[512],S2[512];
   char *chptr;
 
-  strncpy(S1,Str1,sizeof(S1));
-  strncpy(S2,Str2,sizeof(S2));
+  strncpy(S1,Str1,sizeof(S1));
+  strncpy(S2,Str2,sizeof(S2));
+  S1[sizeof(S1)-1] = '\0';
+  S2[sizeof(S2)-1] = '\0';
 
   while((chptr = strchr(S1, '\\')) != NULL) /* ignore backslash             */
   {
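Review bot: in stricomp(), terminating S1 and S2 at sizeof-1 means any input of 512 bytes or more is silently cut to 511 characters before the comparison, so the function then works on truncated copies without the caller knowing. The changelog states that callers pass 260-byte buffers today; I would make that assumption explicit, either with a length check on Str1/Str2 that returns early or with a comment stating the limit, rather than leaving truncation as the fallback. Separately, the removed and re-added strncpy() lines read identically here; if they differ only in whitespace, dropping them from the hunk would leave just the two added terminator lines and make the change easier to audit.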

***** Not enough context to create diffstat for file: clamav-0.88.1-guys,please-read-the-compiler-warnings-before-doing-a-release.patch,NONE,1.1
***** Not enough context to create diff for file: clamav-0.88.1-guys,please-read-the-compiler-warnings-before-doing-a-release.patch,NONE,1.1

Index: sources
===================================================================
RCS file: /cvs/extras/rpms/clamav/FC-5/sources,v
retrieving revision 1.15
retrieving revision 1.16
diff -u -r1.15 -r1.16
--- sources	6 Apr 2006 16:50:58 -0000	1.15
+++ sources	30 Apr 2006 10:33:38 -0000	1.16
@@ -1,2 +1,2 @@
-9fe8c47037051e350077513dd94fb76a  clamav-0.88.1.tar.gz
-bc06324bf070679854689235df5042d8  clamav-0.88.1.tar.gz.sig
+f0a1c610a1fb70bd748a08bea69c736c  clamav-0.88.2.tar.gz
+6846cb50e005c18ab4b39ff9aa7126fc  clamav-0.88.2.tar.gz.sig


Index: clamav.spec
===================================================================
RCS file: /cvs/extras/rpms/clamav/FC-5/clamav.spec,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- clamav.spec	6 Apr 2006 16:50:58 -0000	1.33
+++ clamav.spec	30 Apr 2006 10:33:38 -0000	1.34
@@ -21,7 +21,7 @@
 
 Summary:	End-user tools for the Clam Antivirus scanner
 Name:		clamav
-Version:	0.88.1
+Version:	0.88.2
 Release:	%release_func 1
 
 License:	GPL
@@ -36,6 +36,8 @@
 Source6:	clamav-update.logrotate
 Source7:	clamd.SERVICE.init
 Source8:	clamav-notify-servers
+Patch0:		clamav-0.88.2-guys,please-read-the-compiler-warnings-before-doing-a-release.patch
+Patch1:		clamav-0.88.1-strncpy.patch
 Patch20:	clamav-0.70-user.patch
 Patch21:	clamav-0.70-path.patch
 Patch22:	clamav-0.80-initoff.patch
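Review bot: Patch0 refers to clamav-0.88.2-guys,please-read-the-compiler-warnings-before-doing-a-release.patch, but the Added Files list and the "Not enough context" lines of this same commit name the file clamav-0.88.1-guys,please-read-the-compiler-warnings-before-doing-a-release.patch. Unless a 0.88.2-named file is already present in the directory, %prep will stop on the missing patch; please make the Patch0 line and the committed file name agree. A shorter name without commas would also be easier to handle in shell and spec tooling.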
@@ -162,6 +164,9 @@
 
 %prep
 %setup -q
+%patch0  -p1 -b '.guys,please-read-the-compiler-warnings-before-doing-a-release.patch'
+%patch1  -p1 -b .strncpy
+
 %patch20 -p1 -b .user
 %patch21 -p1 -b .path
 %patch22 -p1 -b .initoff
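Review bot: the backup suffix on the %patch0 line ends in ".patch", so every file touched by that patch leaves a backup whose name looks like a patch file. A short suffix in the style of the neighbouring lines (.strncpy, .user, .path) would keep the build tree readable. Patch1 is also still named for 0.88.1 while it is applied to the 0.88.2 tree; a note in the spec that it was checked against the new unrarlib.c would help the next person who rebases.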
@@ -186,6 +191,7 @@
 ## See https://bugzilla.redhat.com/beta/show_bug.cgi?id=131385 and
 ## http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0797
 ## also
+CFLAGS="$RPM_OPT_FLAGS -Wall -W -W -Wmissing-prototypes -Wmissing-declarations -std=gnu99"
 %configure --disable-clamav --with-dbdir=/var/lib/clamav \
            --disable-zlib-vcheck \
 	   %{!?_without_milter:--enable-milter}
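Review bot: the new CFLAGS line is inserted between the comment block (the bugzilla and CAN-2004-0797 references ending in "also") and the %configure call that comment appears to describe, so the comment now reads as if it explained the warning flags. Move the assignment above the comment or give it its own comment. In the flags themselves "-W" is listed twice, and "-std=gnu99" changes the language standard for the whole build, which goes further than enabling warnings and deserves a mention in the changelog entry.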
@@ -426,6 +432,11 @@
 %endif	# _without_milter
 
 %changelog
+* Sun Apr 30 2006 Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de> - 0.88.2-1
+- updated to 0.88.2 (SECURITY)
+- added patch which fixes wrong usage of strncpy(3) in unrarlib.c
+- added patch which fixes some classes of compiler warnings
+
 * Thu Apr 06 2006 Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de> - 0.88.1-1
 - updated to 0.88.1 (SECURITY)
 
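Review bot: the new changelog entry marks 0.88.2 as "(SECURITY)" without naming an advisory or CVE identifier, so someone auditing installed packages cannot tell from the changelog which issue this build closes. Please add the upstream advisory or CVE reference to the "updated to 0.88.2" line. The entry also does not mention the new CFLAGS set before %configure in this same commit.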



