From cb142ae7289d45a5a25eba9e4a10952960d94076 Mon Sep 17 00:00:00 2001
From: Franz Pletz <fpletz@fnordicwalking.de>
Date: Fri, 26 Jan 2018 16:02:29 +0100
Subject: clamav: 0.99.2 -> 0.99.3

---
 pkgs/tools/security/clamav/default.nix | 27 ++++++++-------------------
 1 file changed, 8 insertions(+), 19 deletions(-)

(limited to 'pkgs/tools/security')

diff --git a/pkgs/tools/security/clamav/default.nix b/pkgs/tools/security/clamav/default.nix
index 506d6fc3fce8..4222f7d33dee 100644
--- a/pkgs/tools/security/clamav/default.nix
+++ b/pkgs/tools/security/clamav/default.nix
@@ -1,44 +1,33 @@
-{ stdenv, fetchurl, fetchpatch, zlib, bzip2, libiconv, libxml2, openssl, ncurses, curl
-, libmilter, pcre }:
+{ stdenv, fetchurl, fetchpatch, pkgconfig
+, zlib, bzip2, libiconv, libxml2, openssl, ncurses, curl, libmilter, pcre
+}:
 
 stdenv.mkDerivation rec {
   name = "clamav-${version}";
-  version = "0.99.2";
+  version = "0.99.3";
 
   src = fetchurl {
     url = "https://www.clamav.net/downloads/production/${name}.tar.gz";
-    sha256 = "0yh2q318bnmf2152g2h1yvzgqbswn0wvbzb8p4kf7v057shxcyqn";
+    sha256 = "114f7qk3h0klgm0zzn2394n5spcn91vjc9mq6m03l2p0ls955yh0";
   };
 
-  patches = [
-    (fetchpatch {
-      name = "CVE-2017-6420.patch";
-      url = "https://github.com/vrtadmin/clamav-devel/commit/dfc00cd3301a42b571454b51a6102eecf58407bc.patch";
-      sha256 = "08w3p3a4pmi0cmcmyxkagsbn3g0jgx1jqlc34pn141x0qzrlqr60";
-    })
-  ];
-
   # don't install sample config files into the absolute sysconfdir folder
   postPatch = ''
     substituteInPlace Makefile.in --replace ' etc ' ' '
   '';
 
+  nativeBuildInputs = [ pkgconfig ];
   buildInputs = [
     zlib bzip2 libxml2 openssl ncurses curl libiconv libmilter pcre
   ];
 
   configureFlags = [
     "--sysconfdir=/etc/clamav"
-    "--with-zlib=${zlib.dev}"
-    "--disable-zlib-vcheck" # it fails to recognize that 1.2.10 >= 1.2.2
     "--disable-llvm" # enabling breaks the build at the moment
-    "--with-libbz2-prefix=${bzip2.dev}"
-    "--with-iconv-dir=${libiconv}"
+    "--with-zlib=${zlib.dev}"
     "--with-xml=${libxml2.dev}"
     "--with-openssl=${openssl.dev}"
-    "--with-libncurses-prefix=${ncurses.dev}"
     "--with-libcurl=${curl.dev}"
-    "--with-pcre=${pcre.dev}"
     "--enable-milter"
   ];
 
@@ -51,7 +40,7 @@ stdenv.mkDerivation rec {
     homepage = http://www.clamav.net;
     description = "Antivirus engine designed for detecting Trojans, viruses, malware and other malicious threats";
     license = licenses.gpl2;
-    maintainers = with maintainers; [ phreedom robberer qknight ];
+    maintainers = with maintainers; [ phreedom robberer qknight fpletz ];
     platforms = platforms.linux;
   };
 }
-- 
cgit 1.4.1


From 15ce244d0cb123648e6a99086d10af122834fc41 Mon Sep 17 00:00:00 2001
From: Robin Gloster <mail@glob.in>
Date: Fri, 26 Jan 2018 18:01:26 +0100
Subject: clamav: fix fd leakage

---
 pkgs/tools/security/clamav/default.nix   |  2 ++
 pkgs/tools/security/clamav/fd-leak.patch | 49 ++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 pkgs/tools/security/clamav/fd-leak.patch

(limited to 'pkgs/tools/security')

diff --git a/pkgs/tools/security/clamav/default.nix b/pkgs/tools/security/clamav/default.nix
index 4222f7d33dee..976c58eb1e32 100644
--- a/pkgs/tools/security/clamav/default.nix
+++ b/pkgs/tools/security/clamav/default.nix
@@ -21,6 +21,8 @@ stdenv.mkDerivation rec {
     zlib bzip2 libxml2 openssl ncurses curl libiconv libmilter pcre
   ];
 
+  patches = [ ./fd-leak.patch ];
+
   configureFlags = [
     "--sysconfdir=/etc/clamav"
     "--disable-llvm" # enabling breaks the build at the moment
diff --git a/pkgs/tools/security/clamav/fd-leak.patch b/pkgs/tools/security/clamav/fd-leak.patch
new file mode 100644
index 000000000000..2c147901e446
--- /dev/null
+++ b/pkgs/tools/security/clamav/fd-leak.patch
@@ -0,0 +1,49 @@
+--- a/libclamav/scanners.c	2018-01-26 16:59:00.820231425 +0100
++++ b/libclamav/scanners.c	2018-01-26 17:39:07.523633805 +0100
+@@ -1366,12 +1366,14 @@
+ 
+ 	if ((ret = cli_ac_initdata(&tmdata, troot?troot->ac_partsigs:0, troot?troot->ac_lsigs:0, troot?troot->ac_reloff_num:0, CLI_DEFAULT_AC_TRACKLEN))) {
+ 		free(tmpname);
++		free(normalized);
+ 		return ret;
+ 	}
+ 
+ 	if ((ret = cli_ac_initdata(&gmdata, groot->ac_partsigs, groot->ac_lsigs, groot->ac_reloff_num, CLI_DEFAULT_AC_TRACKLEN))) {
+ 		cli_ac_freedata(&tmdata);
+ 		free(tmpname);
++		free(normalized);
+ 		return ret;
+ 	}
+ 
+@@ -1390,6 +1392,7 @@
+ 				cli_errmsg("cli_scanscript: can't write to file %s\n",tmpname);
+ 				close(ofd);
+ 				free(tmpname);
++				free(normalized);
+ 				return CL_EWRITE;
+ 			}
+ 			text_normalize_reset(&state);
+@@ -1424,6 +1427,8 @@
+ 			if (ret) {
+ 				cli_ac_freedata(&tmdata);
+ 				free(tmpname);
++				free(normalized);
++				close(ofd);
+ 				return ret;
+ 			}
+ 		}
+@@ -1466,11 +1471,9 @@
+ 
+ 	}
+ 
+-	if(ctx->engine->keeptmp) {
+-		free(tmpname);
+-		if (ofd >= 0)
+-			close(ofd);
+-	}
++	if (ofd >= 0)
++		close(ofd);
++	free(tmpname);
+ 	free(normalized);
+ 
+ 	if(ret != CL_VIRUS || SCAN_ALL)  {
-- 
cgit 1.4.1