From 1181e9271967f522bddad64afd26e6468a0a0099 Mon Sep 17 00:00:00 2001 From: Enrico Scholz Date: Aug 15 2010 21:03:49 +0000 Subject: rediffed patches for 0.96.2 --- diff --git a/clamav-0.92-open.patch b/clamav-0.92-open.patch index 48ad0c1..e300279 100644 --- a/clamav-0.92-open.patch +++ b/clamav-0.92-open.patch @@ -1,7 +1,7 @@ -Index: clamav-0.96.1/clamd/dazukoio_compat12.c +Index: clamav-0.96.2/clamd/dazukoio_compat12.c =================================================================== ---- clamav-0.96.1.orig/clamd/dazukoio_compat12.c -+++ clamav-0.96.1/clamd/dazukoio_compat12.c +--- clamav-0.96.2.orig/clamd/dazukoio_compat12.c ++++ clamav-0.96.2/clamd/dazukoio_compat12.c @@ -89,7 +89,7 @@ int dazukoRegister_TS_compat12(struct da if (dazuko->device < 0) { diff --git a/clamav-0.95.3-umask.patch b/clamav-0.95.3-umask.patch index ada0fcd..98e4cad 100644 --- a/clamav-0.95.3-umask.patch +++ b/clamav-0.95.3-umask.patch @@ -1,8 +1,8 @@ -Index: clamav-0.96.1/clamav-milter/clamav-milter.c +Index: clamav-0.96.2/clamav-milter/clamav-milter.c =================================================================== ---- clamav-0.96.1.orig/clamav-milter/clamav-milter.c -+++ clamav-0.96.1/clamav-milter/clamav-milter.c -@@ -365,7 +365,7 @@ int main(int argc, char **argv) { +--- clamav-0.96.2.orig/clamav-milter/clamav-milter.c ++++ clamav-0.96.2/clamav-milter/clamav-milter.c +@@ -370,7 +370,7 @@ int main(int argc, char **argv) { if((opt = optget(opts, "PidFile"))->enabled) { FILE *fd; @@ -11,10 +11,10 @@ Index: clamav-0.96.1/clamav-milter/clamav-milter.c if((fd = fopen(opt->strarg, "w")) == NULL) { logg("!Can't save PID in file %s\n", opt->strarg); -Index: clamav-0.96.1/shared/output.c +Index: clamav-0.96.2/shared/output.c =================================================================== ---- clamav-0.96.1.orig/shared/output.c -+++ clamav-0.96.1/shared/output.c +--- clamav-0.96.2.orig/shared/output.c ++++ clamav-0.96.2/shared/output.c 
@@ -280,7 +280,7 @@ int logg(const char *str, ...) #endif if(logg_file) { @@ -24,10 +24,10 @@ Index: clamav-0.96.1/shared/output.c if((logg_fp = fopen(logg_file, "at")) == NULL) { umask(old_umask); #ifdef CL_THREAD_SAFE -Index: clamav-0.96.1/freshclam/freshclam.c +Index: clamav-0.96.2/freshclam/freshclam.c =================================================================== ---- clamav-0.96.1.orig/freshclam/freshclam.c -+++ clamav-0.96.1/freshclam/freshclam.c +--- clamav-0.96.2.orig/freshclam/freshclam.c ++++ clamav-0.96.2/freshclam/freshclam.c @@ -106,7 +106,7 @@ static void writepid(const char *pidfile { FILE *fd; diff --git a/clamav-0.96-disable-jit.patch b/clamav-0.96-disable-jit.patch deleted file mode 100644 index 01b3c79..0000000 --- a/clamav-0.96-disable-jit.patch +++ /dev/null 
@@ -1,150 +0,0 @@ -Index: clamav-0.96.1/clamd/clamd.c -=================================================================== ---- clamav-0.96.1.orig/clamd/clamd.c -+++ clamav-0.96.1/clamd/clamd.c -@@ -434,6 +434,9 @@ int main(int argc, char **argv) - if((opt = optget(opts,"BytecodeTimeout"))->enabled) { - cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg); - } -+ if((opt = optget(opts,"BytecodeDisableJIT"))->enabled) { -+ cl_engine_set_num(engine, CL_ENGINE_BYTECODE_DISABLEJIT, opt->numarg); -+ } - - if(optget(opts,"PhishingScanURLs")->enabled) - dboptions |= CL_DB_PHISHING_URLS; -Index: clamav-0.96.1/clamscan/manager.c -=================================================================== ---- clamav-0.96.1.orig/clamscan/manager.c -+++ clamav-0.96.1/clamscan/manager.c -@@ -404,6 +404,8 @@ int scanmanager(const struct optstruct * - cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, CL_BYTECODE_TRUST_ALL); - if((opt = optget(opts,"bytecode-timeout"))->enabled) - cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg); -+ if((opt = optget(opts,"bytecode-disable-jit"))->enabled) -+ cl_engine_set_num(engine, CL_ENGINE_BYTECODE_DISABLEJIT, opt->numarg); - - if((opt = optget(opts, "tempdir"))->enabled) { - if((ret = cl_engine_set_str(engine, CL_ENGINE_TMPDIR, opt->strarg))) { -Index: clamav-0.96.1/docs/man/clamd.conf.5.in -=================================================================== ---- clamav-0.96.1.orig/docs/man/clamd.conf.5.in -+++ clamav-0.96.1/docs/man/clamd.conf.5.in -@@ -253,6 +253,12 @@ Default: TrustSigned - Set bytecode timeout in milliseconds. - .br - Default: 60000 -+.TP -+\fBBytecodeDisableJIT BOOL\fR -+Disable the JIT and fallback to interpreter mode. -+WARNING: disabling the JIT affects performance! -+.br -+Default: No - .TP - \fBDetectPUA BOOL\fR - Detect Possibly Unwanted Applications. 
-Index: clamav-0.96.1/docs/man/clamscan.1.in -=================================================================== ---- clamav-0.96.1.orig/docs/man/clamscan.1.in -+++ clamav-0.96.1/docs/man/clamscan.1.in -@@ -86,6 +86,10 @@ This option disables safety checks and m - .TP - \fB\-\-bytecode\-timeout=N\fR - Set bytecode timeout in milliseconds (default: 60000 = 60s) -+.TP -+\fB\-\-bytecode\-disable\-jit\fR -+Disable the JIT and fallback to interpreter mode. -+WARNING: disable the JIT affects performance! - .TP - \fB\-\-detect\-pua[=yes/no(*)]\fR - Detect Possibly Unwanted Applications. -Index: clamav-0.96.1/etc/clamd.conf -=================================================================== ---- clamav-0.96.1.orig/etc/clamd.conf -+++ clamav-0.96.1/etc/clamd.conf -@@ -472,3 +472,8 @@ Example - # - # Default: 60000 - # BytecodeTimeout 60000 -+ -+# Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance. -+# -+# Default: no -+#BytecodeDisableJIT no -Index: clamav-0.96.1/libclamav/clamav.h -=================================================================== ---- clamav-0.96.1.orig/libclamav/clamav.h -+++ clamav-0.96.1/libclamav/clamav.h -@@ -144,7 +144,8 @@ enum cl_engine_field { - CL_ENGINE_TMPDIR, /* (char *) */ - CL_ENGINE_KEEPTMP, /* uint32_t */ - CL_ENGINE_BYTECODE_SECURITY, /* uint32_t */ -- CL_ENGINE_BYTECODE_TIMEOUT /* uint32_t */ -+ CL_ENGINE_BYTECODE_TIMEOUT, /* uint32_t */ -+ CL_ENGINE_BYTECODE_DISABLEJIT /* uint32_t */ - }; - - enum bytecode_security { -Index: clamav-0.96.1/libclamav/others.c -=================================================================== ---- clamav-0.96.1.orig/libclamav/others.c -+++ clamav-0.96.1/libclamav/others.c -@@ -301,6 +301,7 @@ struct cl_engine *cl_engine_new(void) - new->bytecode_security = CL_BYTECODE_TRUST_SIGNED; - /* 5 seconds timeout */ - new->bytecode_timeout = 60000; -+ new->disablejit = 0; - new->refcount = 1; - new->ac_only = 0; - new->ac_mindepth = CLI_DEFAULT_AC_MINDEPTH; -@@ -399,6 +400,9 
@@ int cl_engine_set_num(struct cl_engine * - case CL_ENGINE_BYTECODE_TIMEOUT: - engine->bytecode_timeout = num; - break; -+ case CL_ENGINE_BYTECODE_DISABLEJIT: -+ engine->disablejit = num; -+ break; - default: - cli_errmsg("cl_engine_set_num: Incorrect field number\n"); - return CL_EARG; -Index: clamav-0.96.1/libclamav/others.h -=================================================================== ---- clamav-0.96.1.orig/libclamav/others.h -+++ clamav-0.96.1/libclamav/others.h -@@ -253,6 +253,7 @@ struct cl_engine { - unsigned hook_lsig_ids; - enum bytecode_security bytecode_security; - uint32_t bytecode_timeout; -+ unsigned disablejit; - }; - - struct cl_settings { -Index: clamav-0.96.1/libclamav/readdb.c -=================================================================== ---- clamav-0.96.1.orig/libclamav/readdb.c -+++ clamav-0.96.1/libclamav/readdb.c -@@ -2595,7 +2595,10 @@ int cl_load(const char *path, struct cl_ - return ret; - - if((dboptions & CL_DB_BYTECODE) && !engine->bcs.engine && (engine->dconf->bytecode & BYTECODE_ENGINE_MASK)) { -- if((ret = cli_bytecode_init(&engine->bcs, engine->dconf->bytecode))) -+ unsigned dconfmask = engine->dconf->bytecode; -+ if (engine->disablejit) -+ dconfmask &= BYTECODE_INTERPRETER; -+ if((ret = cli_bytecode_init(&engine->bcs, dconfmask))) - return ret; - } else { - cli_dbgmsg("Bytecode engine disabled\n"); -Index: clamav-0.96.1/shared/optparser.c -=================================================================== ---- clamav-0.96.1.orig/shared/optparser.c -+++ clamav-0.96.1/shared/optparser.c -@@ -252,6 +252,9 @@ const struct clam_option __clam_options[ - "Set bytecode security level.\nPossible values:\n\tNone - no security at all, meant for debugging. 
DO NOT USE THIS ON PRODUCTION SYSTEMS\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"}, - { "BytecodeTimeout", "bytecode-timeout", 0, TYPE_NUMBER, MATCH_NUMBER, 60000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, - "Set bytecode timeout in miliseconds.\n","60000"}, -+ { "BytecodeDisableJIT", "bytecode-disable-jit", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, -+ "Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.\n","no"}, -+ - { "DetectPUA", "detect-pua", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect Potentially Unwanted Applications.", "yes" }, - - { "ExcludePUA", "exclude-pua", 0, TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_CLAMSCAN, "Exclude a specific PUA category. This directive can be used multiple times.\nSee http://www.clamav.net/support/pua for the complete list of PUA\ncategories.", "NetTool\nPWTool" }, diff --git a/clamav-0.96-jitoff.patch b/clamav-0.96-jitoff.patch deleted file mode 100644 index cea2e5a..0000000 --- a/clamav-0.96-jitoff.patch +++ /dev/null 
@@ -1,80 +0,0 @@ -Index: clamav-0.96.1/etc/clamd.conf -=================================================================== ---- clamav-0.96.1.orig/etc/clamd.conf -+++ clamav-0.96.1/etc/clamd.conf -@@ -11,7 +11,7 @@ Example - # LogFile must be writable for the user running daemon. - # A full path is required. - # Default: disabled --#LogFile /tmp/clamd.log -+#LogFile /var/log/clamd. - - # By default the log file is locked for writing - the lock protects against - # running clamd multiple times (if want to run another clamd, please -@@ -40,7 +40,7 @@ Example - - # Use system logger (can work together with LogFile). - # Default: no --#LogSyslog yes -+LogSyslog yes - - # Specify the type of syslog messages - please refer to 'man syslog' - # for facility names. -@@ -54,7 +54,7 @@ Example - # This option allows you to save a process identifier of the listening - # daemon (main thread). - # Default: disabled --#PidFile /var/run/clamd.pid -+#PidFile /var/run/clamd./clamd.pid - - # Optional path to the global temporary directory. - # Default: system specific (usually /tmp or /var/tmp). -@@ -73,7 +73,7 @@ Example - - # Path to a local socket file the daemon will listen on. - # Default: disabled (must be specified by a user) --#LocalSocket /tmp/clamd.socket -+#LocalSocket /var/run/clamd./clamd.sock - - # Sets the group ownership on the unix socket. - # Default: disabled (the primary group of the user running clamd) -@@ -183,11 +183,11 @@ Example - - # Run as another user (clamd must be started by root for this option to work) - # Default: don't drop privileges --#User clamav -+User - - # Initialize supplementary group access (clamd must be started by root). - # Default: no --#AllowSupplementaryGroups no -+AllowSupplementaryGroups yes - - # Stop daemon when libclamav reports out of memory condition. - #ExitOnOOM yes -@@ -474,6 +474,10 @@ Example - # BytecodeTimeout 60000 - - # Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance. 
--# --# Default: no -+# -+# This option has been turned off in Fedora due to security concerns -+# by default. You might need to enable the 'clamd_use_jit' SELinux -+# boolean after enabling this option. -+# -+# Default: yes - #BytecodeDisableJIT no -Index: clamav-0.96.1/shared/optparser.c -=================================================================== ---- clamav-0.96.1.orig/shared/optparser.c -+++ clamav-0.96.1/shared/optparser.c -@@ -252,7 +252,7 @@ const struct clam_option __clam_options[ - "Set bytecode security level.\nPossible values:\n\tNone - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"}, - { "BytecodeTimeout", "bytecode-timeout", 0, TYPE_NUMBER, MATCH_NUMBER, 60000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, - "Set bytecode timeout in miliseconds.\n","60000"}, -- { "BytecodeDisableJIT", "bytecode-disable-jit", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, -+ { "BytecodeDisableJIT", "bytecode-disable-jit", 0, TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, - "Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.\n","no"}, - - { "DetectPUA", "detect-pua", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect Potentially Unwanted Applications.", "yes" }, diff --git a/clamav-0.96.2-jitoff.patch b/clamav-0.96.2-jitoff.patch new file mode 100644 index 0000000..b988074 --- /dev/null +++ b/clamav-0.96.2-jitoff.patch 
@@ -0,0 +1,34 @@ +Index: clamav-0.96.2/etc/clamd.conf +=================================================================== +--- clamav-0.96.2.orig/etc/clamd.conf ++++ clamav-0.96.2/etc/clamd.conf +@@ -459,6 +459,16 @@ Example + # Default: yes + #Bytecode yes + ++# Bytecode mode ++# ++# This option has been set to 'ForceInterpreter' in Fedora due to ++# security concerns by default. You might need to enable the ++# 'clamd_use_jit' SELinux boolean after setting this option to the ++# more efficient 'ForceJIT' value. ++# ++# Default: ForceInterpreter ++#ByteCodeMode ForceInterpreter ++ + # Set bytecode security level. + # Possible values: + # None - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS +Index: clamav-0.96.2/shared/optparser.c +=================================================================== +--- clamav-0.96.2.orig/shared/optparser.c ++++ clamav-0.96.2/shared/optparser.c +@@ -254,7 +254,7 @@ const struct clam_option __clam_options[ + "Set bytecode security level.\nPossible values:\n\tNone - no security at all, meant for debugging. 
DO NOT USE THIS ON PRODUCTION SYSTEMS\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"}, + { "BytecodeTimeout", "bytecode-timeout", 0, TYPE_NUMBER, MATCH_NUMBER, 60000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, + "Set bytecode timeout in miliseconds.\n","60000"}, +- { "BytecodeMode", "bytecode-mode", 0, TYPE_STRING, "^(Auto|ForceJIT|ForceInterpreter|Test)$", -1, "Auto", FLAG_REQUIRED, OPT_CLAMD | OPT_CLAMSCAN, ++ { "BytecodeMode", "bytecode-mode", 0, TYPE_STRING, "^(Auto|ForceJIT|ForceInterpreter|Test)$", -1, "ForceInterpreter", FLAG_REQUIRED, OPT_CLAMD | OPT_CLAMSCAN, + "Set bytecode execution mode.\nPossible values:\n\tAuto - automatically choose JIT if possible, fallback to interpreter\nForceJIT - always choose JIT, fail if not possible\nForceIntepreter - always choose interpreter\nTest - run with both JIT and interpreter and compare results. Make all failures fatal\n","Auto"}, + { "DetectPUA", "detect-pua", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect Potentially Unwanted Applications.", "yes" }, + diff --git a/clamav.spec b/clamav.spec index 55f27f3..4d958a2 100644 --- a/clamav.spec +++ b/clamav.spec @@ -52,8 +52,7 @@ Patch25: clamav-0.92-open.patch Patch26: clamav-0.95-cliopts.patch Patch27: clamav-0.95.3-umask.patch # https://bugzilla.redhat.com/attachment.cgi?id=403775&action=diff&context=patch&collapsed=&headers=1&format=raw -Patch28: clamav-0.96-disable-jit.patch -Patch29: clamav-0.96-jitoff.patch +Patch29: clamav-0.96.2-jitoff.patch BuildRoot: %_tmppath/%name-%version-%release-root Requires: clamav-lib = %version-%release Requires: data(clamav) 
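Review bot: The sample directive added to etc/clamd.conf in the new clamav-0.96.2-jitoff.patch is spelled `ByteCodeMode`, while the option-table entry changed in shared/optparser.c registers it as `BytecodeMode`. If config-file names are matched case-sensitively (not visible here), a user who uncomments the sample line may have it rejected as an unknown option, so it should read `#BytecodeMode ForceInterpreter`. In the same table entry the default becomes `"ForceInterpreter"`, but the trailing field on the following context line still says `"Auto"`, so help or sample output built from it may advertise a different default than the one compiled in. The new comment mentions the `clamd_use_jit` SELinux boolean only for `ForceJIT`, yet the option's own help text says `Auto` also chooses the JIT when possible, so the comment should name `'Auto' or 'ForceJIT'`.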
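Review bot: The `# https://bugzilla.redhat.com/attachment.cgi?id=403775…` comment is kept when `Patch28` is dropped and now sits directly above `Patch29: clamav-0.96.2-jitoff.patch`, where it reads as that patch's origin. If the URL referred to the removed disable-jit patch, which its position before the deleted `Patch28` line suggests, it should be deleted together with that line. Otherwise a short comment above `Patch29`, such as `# Fedora-specific: default BytecodeMode to ForceInterpreter`, would record why the patch is carried.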
@@ -318,7 +317,6 @@ The Upstart initscripts for clamav-milter. %patch25 -p1 -b .open %patch26 -p1 -b .cliopts %patch27 -p1 -b .umask -%patch28 -p1 -b .jit-disable %patch29 -p1 -b .jitoff install -p -m0644 %SOURCE300 clamav-milter/