PR#6: Bundle zlib 1.2.7-17.el7 to avoid malformed database errors (#1600458) - rpms/clamav

rpms / clamav

#6 Bundle zlib 1.2.7-17.el7 to avoid malformed database errors (#1600458)

Merged 5 years ago by robert. Opened 5 years ago by robert.

Unknown source el6 into el6

Bundle zlib 1.2.7-17.el7 to avoid malformed database errors (#1600458)

Robert Scheck • 5 years ago

e83b89f

.gitignore

file modified

+2 -3

		`@@ -2,6 +2,5 @@`
		`/clamav-*-norar.tar.xz`
		`/main*.cvd`
		`/daily*.cvd`
		`- /bytecode-278.cvd`
		`- /bytecode-319.cvd`
		`- /bytecode-324.cvd`
		`+ /bytecode-*.cvd`
		`+ /zlib-*.tar.bz2`

clamav.spec

file modified

+75 -2

		`@@ -2,11 +2,21 @@`
		`### FIXME: amavisd-new requires clamd to run as user vscan, solution needed`
		`### REMINDER: Look and sync with Petr Kristof's work`

		`+ # Work around https://bugzilla.clamav.net/show_bug.cgi?id=12162 by bundling`
		`+ # newer zlib version from RHEL/CentOS 7 (#1600458)`
		`+ %global zlibversion 1.2.7`
		`+ %global zlibrelease 17%{?dist}`
		`+`
		`Summary: Anti-virus software`
		`Name: clamav`
		`Version: 0.100.1`
		`- Release: 1%{?dist}`
		`+ Release: 2%{?dist}`
		`+ # ClamAV is GPLv2, zlib is zlib, /contrib/dotzlib/ has Boost license`
		`+ %if 0%{?zlibversion:1} && 0%{?zlibrelease:1}`
		`+ License: GPLv2 and zlib and Boost`
		`+ %else`
		`License: GPLv2`
		`+ %endif`
		`Group: Applications/System`
		`URL: https://www.clamav.net/`

		`@@ -33,18 +43,42 @@`
		`Source12: http://db.local.clamav.net/daily-24741.cvd`
		`Source13: http://db.local.clamav.net/bytecode-324.cvd`

		`+ %if 0%{?zlibversion:1} && 0%{?zlibrelease:1}`
		`+ # Cheerfully borrowed from zlib.spec in RHEL/CentOS 7`
		`+ Source90: http://www.zlib.net/zlib-%{zlibversion}.tar.bz2`
		`+ %endif`
		`+`
		`Patch0: clamav-0.100.0-stats-deprecation.patch`
		`Patch31: clamav-0.99.1-setsebool.patch`

		`+ %if 0%{?zlibversion:1} && 0%{?zlibrelease:1}`
		`+ # Cheerfully borrowed from zlib.spec in RHEL/CentOS 7, see`
		`+ # also https://git.centos.org/tree/rpms!zlib.git/c7/SOURCES`
		`+ Patch90: zlib-1.2.5-minizip-fixuncrypt.patch`
		`+ # resolves: #805113`
		`+ Patch91: zlib-1.2.7-optimized-s390.patch`
		`+ # resolves: #844791`
		`+ Patch92: zlib-1.2.7-z-block-flush.patch`
		`+ # resolves: #1127330`
		`+ Patch93: zlib-1.2.7-fix-serious-but-very-rare-decompression-bug-in-inftr.patch`
		`+ # resolves: #1337441`
		`+ Patch94: zlib-1.2.7-Fix-bug-where-gzopen-gzclose-would-write-an-empty-fi.patch`
		`+ %endif`
		`+`
		`BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)`

		`- BuildRequires: bzip2-devel, zlib-devel, gmp-devel, curl-devel, xz, ncurses-devel, openssl-devel, libxml2-devel, pcre-devel, json-c-devel`
		`+ BuildRequires: bzip2-devel, gmp-devel, curl-devel, xz, ncurses-devel, openssl-devel, libxml2-devel, pcre-devel, json-c-devel`
		`%{!?_without_milter:BuildRequires: sendmail-devel >= 8.12}`

		`Requires: clamav-db = %{version}-%{release}`
		`Requires(pre): shadow-utils`

		`Provides: bundled(libmspack) = 0.5-0.1.alpha.modified_by_clamav`
		`+ %if 0%{?zlibversion:1} && 0%{?zlibrelease:1}`
		`+ Provides: bundled(zlib) = %{zlibversion}-%{zlibrelease}`
		`+ %else`
		`+ Requires: zlib-devel`
		`+ %endif`

		`### Fedora Extras introduced them differently :(`
		`Provides: libclamav`
		`@@ -196,7 +230,40 @@`
		`s\|^#(ClamdSocket) .+$\|$1 unix:%{_localstatedir}/run/clamav/clamd.sock\|;`
		`' etc/clamav-milter.conf.sample`

		`+ %if 0%{?zlibversion:1} && 0%{?zlibrelease:1}`
		`+ # Cheerfully borrowed from zlib.spec in RHEL/CentOS 7, see`
		`+ # https://git.centos.org/blob/rpms!zlib.git/c7/SPECS!zlib.spec`
		`+ tar xfj %{SOURCE90}`
		`+ pushd zlib-%{zlibversion}`
		`+ %patch90 -p1 -b .fixuncrypt`
		`+ %ifarch s390 s390x`
		`+ %patch91 -p1 -b .optimized-deflate`
		`+ %endif`
		`+ %patch92 -p1 -b .z-flush`
		`+ %patch93 -p1`
		`+ %patch94 -p1`
		`+ popd`
		`+ %endif`
		`+`
		`%build`
		`+ %if 0%{?zlibversion:1} && 0%{?zlibrelease:1}`
		`+ # Cheerfully borrowed from zlib.spec in RHEL/CentOS 7, see`
		`+ # https://git.centos.org/blob/rpms!zlib.git/c7/SPECS!zlib.spec`
		`+ pushd zlib-%{zlibversion}`
		`+ %ifarch ppc64 ppc64le`
		`+ export CFLAGS="$RPM_OPT_FLAGS -fPIC -O3"`
		`+ %else`
		`+ export CFLAGS="$RPM_OPT_FLAGS -fPIC"`
		`+ %endif`
		`+`
		`+ export LDFLAGS="$LDFLAGS -Wl,-z,relro"`
		`+`
		`+ ./configure --libdir=%{_libdir} --includedir=%{_includedir} --prefix=%{_prefix} --static`
		`+ make %{?_smp_mflags}`
		`+ make install DESTDIR=%{_builddir}/%{name}-%{version}/zlib-%{zlibversion}-%{zlibrelease}`
		`+ popd`
		`+ %endif`
		`+`
		`%configure \`
		`--program-prefix="%{?_program_prefix}" \`
		`%{!?_without_milter:--enable-milter} \`
		`@@ -210,6 +277,9 @@`
		`--with-group="clam" \`
		`--with-libcurl=%{_prefix} \`
		`--with-user="clam" \`
		`+ %if 0%{?zlibversion:1} && 0%{?zlibrelease:1}`
		`+ --with-zlib=%{_builddir}/%{name}-%{version}/zlib-%{zlibversion}-%{zlibrelease}%{_prefix} \`
		`+ %endif`
		`# --disable-llvm`

		`make %{?_smp_mflags}`
		`@@ -418,6 +488,9 @@`
		`%exclude %{_libdir}/libclammspack.la`

		`%changelog`
		`+ * Sun Aug 12 2018 Robert Scheck <robert@fedoraproject.org> - 0.100.1-2`
		`+ - Bundle zlib 1.2.7-17.el7 to avoid malformed database errors (#1600458)`
		`+`
		`* Wed Jul 11 2018 Sérgio Basto <sergio@serjux.com> - 0.100.1-1`
		`- Update to 0.100.1`

sources

file modified

		`@@ -3,3 +3,4 @@`
		`SHA512 (bytecode-324.cvd) = 854b1a9b2bfc4e8a21aa857135e9406cb56522c5481a91ff085e7b6f1c7565ca9e98ffa1f3d3372155716f2756dc8eb14603b5f1dc38d9739e4d9a9047bd0bbf`
		`SHA512 (main-58.cvd) = 71309a7ea26f0fbfe329252c728173c895b107b7ea2e0bd613b12475db1d0270a496d707c4d80c842bf8b6f21680e86edfa7fa3b8aea075e93d67c91d696603a`
		`SHA512 (clamd-wrapper.tar.bz2) = a67f15197ebc92c0e9387e32da944d6815b1ce106ae0dd0c00e9001b6224f4f11119dd1df675bb1a7f8ac15ad2a3aaab67ae39d6257d0de6967b1f7cf1527ef9`
		`+ SHA512 (zlib-1.2.7.tar.bz2) = 3e18c3923210c2c3da6e12735c0d2babdaf661fb704430516b00aaab8d5e690d8d8f46646173c634f04b050a59bf979d343aede472c5038afcda7baa2c897635`

zlib-1.2.5-minizip-fixuncrypt.patch

file added

+14

		`@@ -0,0 +1,14 @@`
		`+ diff -up zlib-1.2.5/contrib/minizip/unzip.c.fixuncrypt zlib-1.2.5/contrib/minizip/unzip.c`
		`+ --- zlib-1.2.5/contrib/minizip/unzip.c.fixuncrypt 2011-11-11 12:13:56.335867758 -0500`
		`+ +++ zlib-1.2.5/contrib/minizip/unzip.c 2011-11-11 12:14:01.747799372 -0500`
		`+ @@ -68,10 +68,6 @@`
		`+ #include <stdlib.h>`
		`+ #include <string.h>`
		`+`
		`+ -#ifndef NOUNCRYPT`
		`+ - #define NOUNCRYPT`
		`+ -#endif`
		`+ -`
		`+ #include "zlib.h"`
		`+ #include "unzip.h"`
		`+`

zlib-1.2.7-Fix-bug-where-gzopen-gzclose-would-write-an-empty-fi.patch

file added

+43

		`@@ -0,0 +1,43 @@`
		`+ From 0cf495a1ca941428c0b11e2307cad760ae44993e Mon Sep 17 00:00:00 2001`
		`+ From: Mark Adler <madler@alumni.caltech.edu>`
		`+ Date: Sat, 29 Sep 2012 22:23:47 -0700`
		`+ Subject: [PATCH] Fix bug where gzopen(), gzclose() would write an empty file.`
		`+`
		`+ A gzopen() to write (mode "w") followed immediately by a gzclose()`
		`+ would output an empty zero-length file. What it should do is write`
		`+ an empty gzip file, with the gzip header, empty deflate content,`
		`+ and gzip trailer totalling 20 bytes. This fixes it to do that.`
		`+ ---`
		`+ gzwrite.c \| 15 +++++++--------`
		`+ 1 file changed, 7 insertions(+), 8 deletions(-)`
		`+`
		`+ diff --git a/gzwrite.c b/gzwrite.c`
		`+ index f53aace..79a69a5 100644`
		`+ --- a/gzwrite.c`
		`+ +++ b/gzwrite.c`
		`+ @@ -554,15 +554,14 @@ int ZEXPORT gzclose_w(file)`
		`+ }`
		`+`
		`+ /* flush, free memory, and close file */`
		`+ - if (state->size) {`
		`+ - if (gz_comp(state, Z_FINISH) == -1)`
		`+ - ret = state->err;`
		`+ - if (!state->direct) {`
		`+ - (void)deflateEnd(&(state->strm));`
		`+ - free(state->out);`
		`+ - }`
		`+ - free(state->in);`
		`+ + if (gz_comp(state, Z_FINISH) == -1)`
		`+ + ret = state->err;`
		`+ + if (!state->direct) {`
		`+ + (void)deflateEnd(&(state->strm));`
		`+ + free(state->out);`
		`+ }`
		`+ + if (state->size)`
		`+ + free(state->in);`
		`+ gz_error(state, Z_OK, NULL);`
		`+ free(state->path);`
		`+ if (close(state->fd) == -1)`
		`+ --`
		`+ 1.9.3`
		`+`

zlib-1.2.7-fix-serious-but-very-rare-decompression-bug-in-inftr.patch

file added

+47

		`@@ -0,0 +1,47 @@`
		`+ From 51370f365607fe14a6a7a1a27b3bd29d788f5e5b Mon Sep 17 00:00:00 2001`
		`+ From: Mark Adler <madler@alumni.caltech.edu>`
		`+ Date: Mon, 18 Feb 2013 21:06:35 -0800`
		`+ Subject: [PATCH] Fix serious but very rare decompression bug in inftrees.c.`
		`+`
		`+ inftrees.c compared the number of used table entries to the maximum`
		`+ allowed value using >= instead of >. This patch fixes those to use`
		`+ >. The bug was discovered by Ignat Kolesnichenko of Yandex LC`
		`+ where they have run petabytes of data through zlib. Triggering the`
		`+ bug is apparently very rare, seeing as how it has been out there in`
		`+ the wild for almost three years before being discovered. The bug`
		`+ is instantiated only if the exact maximum number of decoding table`
		`+ entries, ENOUGH_DISTS or ENOUGH_LENS is used by the block being`
		`+ decoded, resulting in the false positive of overflowing the table.`
		`+ ---`
		`+ inftrees.c \| 8 ++++----`
		`+ 1 file changed, 4 insertions(+), 4 deletions(-)`
		`+`
		`+ diff --git a/inftrees.c b/inftrees.c`
		`+ index 873da59..3781399 100644`
		`+ --- a/inftrees.c`
		`+ +++ b/inftrees.c`
		`+ @@ -208,8 +208,8 @@ unsigned short FAR *work;`
		`+ mask = used - 1; /* mask for comparing low */`
		`+`
		`+ /* check available table space */`
		`+ - if ((type == LENS && used >= ENOUGH_LENS) \|\|`
		`+ - (type == DISTS && used >= ENOUGH_DISTS))`
		`+ + if ((type == LENS && used > ENOUGH_LENS) \|\|`
		`+ + (type == DISTS && used > ENOUGH_DISTS))`
		`+ return 1;`
		`+`
		`+ /* process all codes and make table entries */`
		`+ @@ -277,8 +277,8 @@ unsigned short FAR *work;`
		`+`
		`+ /* check for enough space */`
		`+ used += 1U << curr;`
		`+ - if ((type == LENS && used >= ENOUGH_LENS) \|\|`
		`+ - (type == DISTS && used >= ENOUGH_DISTS))`
		`+ + if ((type == LENS && used > ENOUGH_LENS) \|\|`
		`+ + (type == DISTS && used > ENOUGH_DISTS))`
		`+ return 1;`
		`+`
		`+ /* point entry in root table to sub-table */`
		`+ --`
		`+ 1.9.3`
		`+`

zlib-1.2.7-optimized-s390.patch

file added

+40

		`@@ -0,0 +1,40 @@`
		`+ diff -upr zlib-1.2.7.orig/deflate.c zlib-1.2.7/deflate.c`
		`+ --- zlib-1.2.7.orig/deflate.c 2012-10-04 12:18:50.750427902 +0200`
		`+ +++ zlib-1.2.7/deflate.c 2012-10-04 12:20:04.222190460 +0200`
		`+ @@ -1150,15 +1150,16 @@ local void lm_init (s)`
		`+ /* For 80x86 and 680x0, an optimized version will be provided in match.asm or`
		`+ * match.S. The code will be functionally equivalent.`
		`+ */`
		`+ -local uInt longest_match(s, cur_match)`
		`+ +local uInt longest_match(s, pcur_match)`
		`+ deflate_state *s;`
		`+ - IPos cur_match; /* current match */`
		`+ + IPos pcur_match; /* current match */`
		`+ {`
		`+ + ptrdiff_t cur_match = pcur_match; /* extend to pointer width */`
		`+ unsigned chain_length = s->max_chain_length;/* max hash chain length */`
		`+ register Bytef scan = s->window + s->strstart; / current string */`
		`+ register Bytef match; / matched string */`
		`+ register int len; /* length of current match */`
		`+ - int best_len = s->prev_length; /* best match length so far */`
		`+ + ptrdiff_t best_len = s->prev_length; /* best match length so far */`
		`+ int nice_match = s->nice_match; /* stop if match long enough */`
		`+ IPos limit = s->strstart > (IPos)MAX_DIST(s) ?`
		`+ s->strstart - (IPos)MAX_DIST(s) : NIL;`
		`+ @@ -1173,12 +1174,12 @@ local uInt longest_match(s, cur_match)`
		`+ * Try with and without -DUNALIGNED_OK to check.`
		`+ */`
		`+ register Bytef *strend = s->window + s->strstart + MAX_MATCH - 1;`
		`+ - register ush scan_start = (ushf)scan;`
		`+ - register ush scan_end = (ushf)(scan+best_len-1);`
		`+ + register uInt scan_start = (ushf)scan;`
		`+ + register uInt scan_end = (ushf)(scan+best_len-1);`
		`+ #else`
		`+ register Bytef *strend = s->window + s->strstart + MAX_MATCH;`
		`+ - register Byte scan_end1 = scan[best_len-1];`
		`+ - register Byte scan_end = scan[best_len];`
		`+ + register uInt scan_end1 = scan[best_len-1];`
		`+ + register uInt scan_end = scan[best_len];`
		`+ #endif`
		`+`
		`+ /* The code is optimized for HASH_BITS >= 8 and MAX_MATCH-2 multiple of 16.`

zlib-1.2.7-z-block-flush.patch

file added

+45

		`@@ -0,0 +1,45 @@`
		`+ From f1b8edadc3c733990f8a8de4d643f968e571ae85 Mon Sep 17 00:00:00 2001`
		`+ From: Adam Tkac <atkac@redhat.com>`
		`+ Date: Fri, 17 Aug 2012 15:13:48 +0200`
		`+ Subject: [PATCH] Rank Z_BLOCK flush below Z_PARTIAL_FLUSH only when last`
		`+ flush was Z_BLOCK.`
		`+`
		`+ This fixes regression introduced by f1ebdd6a9c495a5db9a22aa80dd7d54ae7db42e9`
		`+ (Permit stronger flushes after Z_BLOCK flushes.). Now this code is valid`
		`+ again:`
		`+`
		`+ deflate(stream, Z_SYNC_FLUSH);`
		`+ deflateParams(stream, newLevel, Z_DEFAULT_STRATEGY);`
		`+`
		`+ Signed-off-by: Adam Tkac <atkac@redhat.com>`
		`+ ---`
		`+ deflate.c \| 13 ++++++++++---`
		`+ 1 file changed, 10 insertions(+), 3 deletions(-)`
		`+`
		`+ diff --git a/deflate.c b/deflate.c`
		`+ index 9e4c2cb..3422f72 100644`
		`+ --- a/deflate.c`
		`+ +++ b/deflate.c`
		`+ @@ -882,9 +882,16 @@ int ZEXPORT deflate (strm, flush)`
		`+ * flushes. For repeated and useless calls with Z_FINISH, we keep`
		`+ * returning Z_STREAM_END instead of Z_BUF_ERROR.`
		`+ */`
		`+ - } else if (strm->avail_in == 0 && RANK(flush) <= RANK(old_flush) &&`
		`+ - flush != Z_FINISH) {`
		`+ - ERR_RETURN(strm, Z_BUF_ERROR);`
		`+ + } else if (strm->avail_in == 0 && flush != Z_FINISH) {`
		`+ + char err;`
		`+ +`
		`+ + /* Degrade Z_BLOCK only when last flush was Z_BLOCK */`
		`+ + err = (old_flush == Z_BLOCK) ?`
		`+ + RANK(flush) <= RANK(old_flush) : flush <= old_flush;`
		`+ +`
		`+ + if (err) {`
		`+ + ERR_RETURN(strm, Z_BUF_ERROR);`
		`+ + }`
		`+ }`
		`+`
		`+ /* User must not provide more input after the first FINISH: */`
		`+ --`
		`+ 1.7.11.4`
		`+`

robert commented 5 years ago

Patch suggestion for https://bugzilla.redhat.com/show_bug.cgi?id=1600458#c29 - please note, that it is intended to use the bundled zlib on all architectures on EL-6 to avoid other/further/new issues due to old zlib. Bundled zlib is marked as such as per https://fedoraproject.org/wiki/Bundled_Libraries?rd=Packaging:Bundled_Libraries, the bundled zlib has been taken from RHEL/CentOS 7 to ensure possible security updates/patches/bugfixes until CentOS 6 reaches EOL in 2020.