Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clam 2638 1.3.2 and backports #1330

Merged

Conversation

micahsnyder
Copy link
Contributor

  • Fix unit test caused by expiring signing certificate.

  • Fixed a build issue on Windows with newer versions of Rust.
    Also upgraded GitHub Actions imports to fix CI failures.
    Fixes courtesy of liushuyu.

  • Fixed an unaligned pointer dereference issue on select architectures.
    Fix courtesy of Sebastian Andrzej Siewior.

  • Fixes to Jenkins CI pipeline.

micahsnyder and others added 5 commits August 13, 2024 11:04
The clamscan test "assorted_test.py::TC::test_pe_cert_trust" is about to
fail because the "test.exe" test file was signed with a cert set to
expire after only 2 years, and it has been 23 months.

While attempting to generate a new one that will last 73000 days (200
years), I discovered that any signing certificate set to expire after
2038 will fail the trust-check because the `ca.not_after` variable is
maxed out `time_t` incapable of expressing a higher number.
To fix this, I've upgraded the variables to `uint64_t`.

I also had to replace a bunch of generated signatures to match the new
"test.exe".

Finally, I noticed that "ca.not_before" was being set to the token[8]
instead of token[9], which presumably mean the "NotBefore" field for
Trusted and Revoked Certificates was non-functional, as it was treating
the "CertSign" boolean as the "NotBefore" value.

Fixes: Cisco-Talos#1300
... from native libraries array. Otherwise Ninja will get very confused.
@micahsnyder micahsnyder force-pushed the CLAM-2638-1.3.2-and-backports branch from cf3223b to 8b64fcf Compare August 13, 2024 16:09
@micahsnyder micahsnyder marked this pull request as ready for review August 13, 2024 16:09
ragusaa and others added 8 commits August 13, 2024 12:59
fmap_need_off_once() may return an unaligned pointer. This in return
leads to an unaligned access during the load of the uint32_t variables
loading to failures on architectures not supporting unaligned access.

This was reported to the Debian BTS as #1073128.

[bigeasy: Commit message, reworked the patch a bit].

Link: https://bugs.debian.org/1073128
Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
The build pipeline used to build clamav packages and then test those
packages with a rudimentary test set. This change will build the clamav
packages in one pipeline - then test the packages in a new test pipeline.

The new test pipeline will use the larger test suite that we use for
testing from-source builds in the "regular" test pipeline.
We switched hosts for this stage to one that doesn't have system-installed libs.
@micahsnyder micahsnyder force-pushed the CLAM-2638-1.3.2-and-backports branch from 8b64fcf to 9a54515 Compare August 13, 2024 16:59
The 'cgi' module is deprecrated and will be removed in Python 3.13.
We weren't using it anyways.

Fixes: Cisco-Talos#1327
@rsundriyal rsundriyal self-requested a review August 30, 2024 17:29
Copy link
Contributor

@rsundriyal rsundriyal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@micahsnyder micahsnyder merged commit f89900d into Cisco-Talos:dev/1.3.2 Aug 30, 2024
22 of 24 checks passed
@micahsnyder micahsnyder deleted the CLAM-2638-1.3.2-and-backports branch August 30, 2024 20:11
mtremer pushed a commit to ipfire/ipfire-2.x that referenced this pull request Sep 5, 2024
- Update from version 1.3.1 to 1.3.2
- Update of rootfile
- 2 CVE Fixes
- Changelog
    1.3.2
	- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):
	  Changed the logging module to disable following symlinks on Linux and Unix
	  systems so as to prevent an attacker with existing access to the 'clamd' or
	  'freshclam' services from using a symlink to corrupt system files.
	  This issue affects all currently supported versions. It will be fixed in:
	  - 1.4.1
	  - 1.3.2
	  - 1.0.7
	  - 0.103.12
	  Thank you to Detlef for identifying this issue.
	- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):
	  Fixed a possible out-of-bounds read bug in the PDF file parser that could
	  cause a denial-of-service (DoS) condition.
	  This issue affects all currently supported versions. It will be fixed in:
	  - 1.4.1
	  - 1.3.2
	  - 1.0.7
	  - 0.103.12
	  Thank you to OSS-Fuzz for identifying this issue.
	- Removed unused Python modules from freshclam tests including deprecated
	  'cgi' module that is expected to cause test failures in Python 3.13.
	- Fix unit test caused by expiring signing certificate.
	  - Backport of [GitHub pull request](Cisco-Talos/clamav#1305)
	- Fixed a build issue on Windows with newer versions of Rust.
	  Also upgraded GitHub Actions imports to fix CI failures.
	  Fixes courtesy of liushuyu.
	  - Backport of [GitHub pull request](Cisco-Talos/clamav#1307)
	- Fixed an unaligned pointer dereference issue on select architectures.
	  Fix courtesy of Sebastian Andrzej Siewior.
	  - Backport of [GitHub pull request](Cisco-Talos/clamav#1293)
	- Fixes to Jenkins CI pipeline.
	  For details, see [GitHub pull request](Cisco-Talos/clamav#1330)

Signed-off-by: Adolf Belka <[email protected]>
Signed-off-by: Michael Tremer <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants