diff --git a/.cvsignore b/.cvsignore
index e720e09..a0a76da 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-clamav-0.96rc1-norar.tar.xz
+clamav-0.96-norar.tar.xz
diff --git a/clamav-0.96-disable-jit.patch b/clamav-0.96-disable-jit.patch
new file mode 100644
index 0000000..6d425f1
--- /dev/null
+++ b/clamav-0.96-disable-jit.patch
@@ -0,0 +1,130 @@
+--- a/clamd/clamd.c
++++ a/clamd/clamd.c
+@@ -431,6 +431,9 @@ int main(int argc, char **argv)
+ if((opt = optget(opts,"BytecodeTimeout"))->enabled) {
+ cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);
+ }
++ if((opt = optget(opts,"BytecodeDisableJIT"))->enabled) {
++ cl_engine_set_num(engine, CL_ENGINE_BYTECODE_DISABLEJIT, opt->numarg);
++ }
+ 
+ if(optget(opts,"PhishingScanURLs")->enabled)
+ dboptions |= CL_DB_PHISHING_URLS;
+--- a/clamscan/manager.c
++++ a/clamscan/manager.c
+@@ -405,6 +405,8 @@ int scanmanager(const struct optstruct *opts)
+ cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, CL_BYTECODE_TRUST_ALL);
+ if((opt = optget(opts,"bytecode-timeout"))->enabled)
+ cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);
++ if((opt = optget(opts,"bytecode-disable-jit"))->enabled)
++ cl_engine_set_num(engine, CL_ENGINE_BYTECODE_DISABLEJIT, opt->numarg);
+ 
+ if((opt = optget(opts, "tempdir"))->enabled) {
+ if((ret = cl_engine_set_str(engine, CL_ENGINE_TMPDIR, opt->strarg))) {
+--- a/docs/man/clamd.conf.5.in
++++ a/docs/man/clamd.conf.5.in
+@@ -253,6 +253,12 @@ Default: TrustSigned
+ Set bytecode timeout in milliseconds.
+ .br
+ Default: 60000
++.TP
++\fBBytecodeDisableJIT BOOL\fR
++Disable the JIT and fallback to interpreter mode.
++WARNING: disabling the JIT affects performance!
++.br
++Default: No
+ .TP
+ \fBDetectPUA BOOL\fR
+ Detect Possibly Unwanted Applications.
+--- a/docs/man/clamscan.1.in
++++ a/docs/man/clamscan.1.in
+@@ -86,6 +86,10 @@ This option disables safety checks and makes ClamAV trust all bytecode. It shoul
+ .TP
+ \fB\-\-bytecode\-timeout=N\fR
+ Set bytecode timeout in milliseconds (default: 60000 = 60s)
++.TP
++\fB\-\-bytecode\-disable\-jit\fR
++Disable the JIT and fallback to interpreter mode.
++WARNING: disable the JIT affects performance!
+ .TP
+ \fB\-\-detect\-pua[=yes/no(*)]\fR
+ Detect Possibly Unwanted Applications.
+--- a/etc/clamd.conf
++++ a/etc/clamd.conf
+@@ -474,3 +474,8 @@ Example
+ #
+ # Default: 60000
+ # BytecodeTimeout 60000
++
++# Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.
++#
++# Default: no
++#BytecodeDisableJIT no
+--- a/libclamav/clamav.h
++++ a/libclamav/clamav.h
+@@ -142,7 +142,8 @@ enum cl_engine_field {
+ CL_ENGINE_TMPDIR, /* (char *) */
+ CL_ENGINE_KEEPTMP, /* uint32_t */
+ CL_ENGINE_BYTECODE_SECURITY, /* uint32_t */
+- CL_ENGINE_BYTECODE_TIMEOUT /* uint32_t */
++ CL_ENGINE_BYTECODE_TIMEOUT, /* uint32_t */
++ CL_ENGINE_BYTECODE_DISABLEJIT /* uint32_t */
+ };
+ 
+ enum bytecode_security {
+--- a/libclamav/others.c
++++ a/libclamav/others.c
+@@ -301,6 +301,7 @@ struct cl_engine *cl_engine_new(void)
+ new->bytecode_security = CL_BYTECODE_TRUST_SIGNED;
+ /* 5 seconds timeout */
+ new->bytecode_timeout = 60000;
++ new->disablejit = 0;
+ new->refcount = 1;
+ new->ac_only = 0;
+ new->ac_mindepth = CLI_DEFAULT_AC_MINDEPTH;
+@@ -395,6 +396,9 @@ int cl_engine_set_num(struct cl_engine *engine, enum cl_engine_field field, long
+ case CL_ENGINE_BYTECODE_TIMEOUT:
+ engine->bytecode_timeout = num;
+ break;
++ case CL_ENGINE_BYTECODE_DISABLEJIT:
++ engine->disablejit = num;
++ break;
+ default:
+ cli_errmsg("cl_engine_set_num: Incorrect field number\n");
+ return CL_EARG;
+--- a/libclamav/others.h
++++ a/libclamav/others.h
+@@ -249,6 +249,7 @@ struct cl_engine {
+ unsigned hook_lsig_ids;
+ enum bytecode_security bytecode_security;
+ uint32_t bytecode_timeout;
++ unsigned disablejit;
+ };
+ 
+ struct cl_settings {
+--- a/libclamav/readdb.c
++++ a/libclamav/readdb.c
+@@ -2566,7 +2566,10 @@ int cl_load(const char *path, struct cl_engine *engine, unsigned int *signo, uns
+ return ret;
+ 
+ if((dboptions & CL_DB_BYTECODE) && !engine->bcs.engine && (engine->dconf->bytecode & BYTECODE_ENGINE_MASK)) {
+- if((ret = cli_bytecode_init(&engine->bcs, engine->dconf->bytecode)))
++ unsigned dconfmask = engine->dconf->bytecode;
++ if (engine->disablejit)
++ dconfmask &= BYTECODE_INTERPRETER;
++ if((ret = cli_bytecode_init(&engine->bcs, dconfmask)))
+ return ret;
+ } else {
+ cli_dbgmsg("Bytecode engine disabled\n");
+--- a/shared/optparser.c
++++ a/shared/optparser.c
+@@ -252,6 +252,9 @@ const struct clam_option __clam_options[] = {
+ "Set bytecode security level.\nPossible values:\n\tNone - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"},
+ { "BytecodeTimeout", "bytecode-timeout", 0, TYPE_NUMBER, MATCH_NUMBER, 60000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN,
+ "Set bytecode timeout in miliseconds.\n","60000"},
++ { "BytecodeDisableJIT", "bytecode-disable-jit", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN,
++ "Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.\n","no"},
++
+ { "DetectPUA", "detect-pua", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect Potentially Unwanted Applications.", "yes" },
+ 
+ { "ExcludePUA", "exclude-pua", 0, TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_CLAMSCAN, "Exclude a specific PUA category. This directive can be used multiple times.\nSee http://www.clamav.net/support/pua for the complete list of PUA\ncategories.", "NetTool\nPWTool" },
diff --git a/clamav-0.96-jitoff.patch b/clamav-0.96-jitoff.patch
new file mode 100644
index 0000000..f78aba3
--- /dev/null
+++ b/clamav-0.96-jitoff.patch
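Review bot: In the readdb.c hunk, `dconfmask &= BYTECODE_INTERPRETER;` leaves an empty mask when `engine->dconf->bytecode` carries only the JIT bit, and `cli_bytecode_init(&engine->bcs, dconfmask)` is then called with 0; whether that degrades to a working interpreter or silently leaves bytecode matching unusable is not visible in the hunk, so a debug line on that path, `cli_dbgmsg("Bytecode JIT disabled by configuration, using interpreter\n");`, would make the effective mode observable in logs. In the others.c hunk, `engine->disablejit = num;` copies the signed `num` argument into an `unsigned` field that readdb.c only ever tests for non-zero; `engine->disablejit = num ? 1 : 0;` would state that boolean contract instead of storing arbitrary values. `cl_load` and `cl_engine_set_num` both start and end outside the hunk. The clamscan.1.in text `WARNING: disable the JIT affects performance!` should read `disabling the JIT`, as the clamd.conf.5.in hunk already does.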
@@ -0,0 +1,30 @@
+Index: clamav-0.96/etc/clamd.conf
+===================================================================
+--- clamav-0.96.orig/etc/clamd.conf
++++ clamav-0.96/etc/clamd.conf
+@@ -476,6 +476,10 @@ AllowSupplementaryGroups yes
+ # BytecodeTimeout 60000
+ 
+ # Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.
+-#
+-# Default: no
++#
++# This option has been turned off in Fedora due to security concerns
++# by default. You might need to enable the 'clamd_use_jit' SELinux
++# boolean after enabling this option.
++#
++# Default: yes
+ #BytecodeDisableJIT no
+Index: clamav-0.96/shared/optparser.c
+===================================================================
+--- clamav-0.96.orig/shared/optparser.c
++++ clamav-0.96/shared/optparser.c
+@@ -252,7 +252,7 @@ const struct clam_option __clam_options[
+ "Set bytecode security level.\nPossible values:\n\tNone - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"},
+ { "BytecodeTimeout", "bytecode-timeout", 0, TYPE_NUMBER, MATCH_NUMBER, 60000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN,
+ "Set bytecode timeout in miliseconds.\n","60000"},
+- { "BytecodeDisableJIT", "bytecode-disable-jit", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN,
++ { "BytecodeDisableJIT", "bytecode-disable-jit", 0, TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN,
+ "Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.\n","no"},
+ 
+ { "DetectPUA", "detect-pua", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect Potentially Unwanted Applications.", "yes" },
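Review bot: The optparser.c hunk flips the `BytecodeDisableJIT` numeric default to `1` but leaves the entry's trailing string, which judging by the sibling entries is the documented default, as `"no"`, so generated help and sample configuration will still describe the old default; that field should become `"yes"` in the same change. The clamd.conf hunk has the matching inconsistency: the new text says `# Default: yes` while the sample line below it still reads `#BytecodeDisableJIT no`. The sentence `This option has been turned off in Fedora due to security concerns by default` also inverts its subject, since it is the JIT that is off and the option that is on; `# Fedora enables this option (and so disables the JIT) by default due to security concerns.` says what actually happens, and the `clamd_use_jit` SELinux remark then reads correctly as the step needed to turn the JIT back on.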
diff --git a/clamav.spec b/clamav.spec
index 12940dc..85dd1ac 100644
--- a/clamav.spec
+++ b/clamav.spec
@@ -1,11 +1,11 @@ -%global prerelease rc1 +#global prerelease rc1 ## Fedora Extras specific customization below... %bcond_without fedora %bcond_without upstart %bcond_with unrar %bcond_without noarch -%bcond_with bytecode +%bcond_without bytecode ## %global username clamupdate
@@ -27,7 +27,7 @@ Summary: End-user tools for the Clam Antivirus scanner Name: clamav Version: 0.96 -Release: %release_func 1401 +Release: %release_func 1402 License: %{?with_unrar:proprietary}%{!?with_unrar:GPLv2} Group: Applications/File URL: http://www.clamav.net
@@ -52,6 +52,9 @@ Patch24: clamav-0.92-private.patch
 Patch25: clamav-0.92-open.patch
 Patch26: clamav-0.95-cliopts.patch
 Patch27: clamav-0.95.3-umask.patch
+# https://bugzilla.redhat.com/attachment.cgi?id=403775&action=diff&context=patch&collapsed=&headers=1&format=raw
+Patch28: clamav-0.96-disable-jit.patch
+Patch29: clamav-0.96-jitoff.patch
 BuildRoot: %_tmppath/%name-%version-%release-root
 Requires: clamav-lib = %version-%release
 Requires: data(clamav)
@@ -83,8 +86,6 @@ Group: Development/Libraries Source100: clamd-gen Requires: clamav-lib = %version-%release Requires: clamav-filesystem = %version-%release -Requires(pre): %_libdir/pkgconfig -Requires: pkgconfig %package data Summary: Virus signature data for the Clam Antivirus scanner
@@ -316,6 +317,8 @@ The Upstart initscripts for clamav-milter. %apply -n25 -p1 -b .open %apply -n26 -p1 -b .cliopts %apply -n27 -p1 -b .umask +%apply -n28 -p1 -b .jit-disable +%apply -n29 -p1 -b .jitoff install -p -m0644 %SOURCE300 clamav-milter/
@@ -334,7 +337,6 @@ sed -ri \ sed -ri \ -e 's!^#?(UpdateLogFile )!#\1!g;' \ -e 's!^#?(LogSyslog).*!\1 yes!g' \ - -e 's!^#?(Bytecode).*!\1 no!g' \ -e 's!(DatabaseOwner *)clamav$!\1%username!g' etc/freshclam.conf
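Review bot: In the Patch28/Patch29 hunk, Patch29 (`clamav-0.96-jitoff.patch`) is added without the provenance comment that Patch28 gets, so nothing in the spec records that it is a Fedora-local default change rather than an upstream fix; a line above it such as `# Fedora-local: disable the bytecode JIT by default (#573191)` would document that, using the bug number this commit's changelog already cites. The `@@ -334,7` hunk drops the sed that forced `Bytecode no` into freshclam.conf, which presumably leaves freshclam's upstream bytecode-update default in effect now that the JIT is off via Patch29; a short comment next to the remaining sed, or a changelog line, would make that dependency between the two changes explicit.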
@@ -703,6 +705,13 @@ test "$1" != "0" || /sbin/initctl -q stop clamav-milter || : %changelog +* Wed Apr 21 2010 Enrico Scholz - 0.96-1402 +- updated to final 0.96 +- applied upstream patch which allows to disable JIT compiler (#573191) +- build JIT compiler again +- disabled JIT compiler by default +- removed explicit 'pkgconfig' requirements in -devel (#533956) + * Sat Mar 20 2010 Enrico Scholz - 0.96-0.1401.rc1 - do not build the bytecode JIT compiler for now until it can be disabled at runtime (#573191)
diff --git a/lastver b/lastver
index 4d8fc8c..10b1865 100644
--- a/lastver
+++ b/lastver
@@ -1 +1 @@
-0.95.3
+0.96
diff --git a/sources b/sources
index b453ab3..7c7ad84 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2f591b9598fa938a8a517a59fea04ac7 clamav-0.96rc1-norar.tar.xz
+fea833e7185926330222788eeed249af clamav-0.96-norar.tar.xz