diff --git a/.cvsignore b/.cvsignore index 5b7c836..495edab 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -clamav-0.95.3-norar.tar.bz2 +clamav-0.96.1-norar.tar.xz diff --git a/clamav-0.92-open.patch b/clamav-0.92-open.patch index 040fc20..48ad0c1 100644 --- a/clamav-0.92-open.patch +++ b/clamav-0.92-open.patch @@ -1,5 +1,7 @@ ---- clamav-0.91.2/clamd/dazukoio_compat12.c.open 2007-03-06 14:38:06.000000000 +0100 -+++ clamav-0.91.2/clamd/dazukoio_compat12.c 2007-08-25 12:36:30.000000000 +0200 +Index: clamav-0.96.1/clamd/dazukoio_compat12.c +=================================================================== +--- clamav-0.96.1.orig/clamd/dazukoio_compat12.c ++++ clamav-0.96.1/clamd/dazukoio_compat12.c @@ -89,7 +89,7 @@ int dazukoRegister_TS_compat12(struct da if (dazuko->device < 0) { diff --git a/clamav-0.92-private.patch b/clamav-0.92-private.patch index bab2948..61625a1 100644 --- a/clamav-0.92-private.patch +++ b/clamav-0.92-private.patch @@ -1,5 +1,7 @@ ---- clamav-0.92/libclamav.pc.in.private -+++ clamav-0.92/libclamav.pc.in +Index: clamav-0.96.1/libclamav.pc.in +=================================================================== +--- clamav-0.96.1.orig/libclamav.pc.in ++++ clamav-0.96.1/libclamav.pc.in @@ -6,6 +6,6 @@ includedir=@includedir@ Name: libclamav Description: A GPL virus scanner @@ -10,8 +12,10 @@ +Libs: -L${libdir} -lclamav +Libs.private: -L${libdir} -lclamav @LIBCLAMAV_LIBS@ +Cflags: -I${includedir} ---- clamav-0.92/clamav-config.in.private -+++ clamav-0.92/clamav-config.in +Index: clamav-0.96.1/clamav-config.in +=================================================================== +--- clamav-0.96.1.orig/clamav-config.in ++++ clamav-0.96.1/clamav-config.in @@ -54,12 +54,8 @@ while test $# -gt 0; do usage 0 ;; diff --git a/clamav-0.95-cliopts.patch b/clamav-0.95-cliopts.patch index 90d173f..7d94b28 100644 --- a/clamav-0.95-cliopts.patch +++ b/clamav-0.95-cliopts.patch 
@@ -1,8 +1,8 @@ -Index: clamav-0.95rc1/shared/optparser.c +Index: clamav-0.96.1/shared/optparser.c =================================================================== ---- clamav-0.95rc1.orig/shared/optparser.c -+++ clamav-0.95rc1/shared/optparser.c -@@ -211,7 +211,7 @@ const struct clam_option clam_options[] +--- clamav-0.96.1.orig/shared/optparser.c ++++ clamav-0.96.1/shared/optparser.c +@@ -236,7 +236,7 @@ const struct clam_option __clam_options[ { "ExitOnOOM", NULL, 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Stop the daemon when libclamav reports an out of memory condition.", "yes" }, diff --git a/clamav-0.95.3-umask.patch b/clamav-0.95.3-umask.patch index 220f7ab..ada0fcd 100644 --- a/clamav-0.95.3-umask.patch +++ b/clamav-0.95.3-umask.patch @@ -1,8 +1,8 @@ -Index: clamav-0.95.3/clamav-milter/clamav-milter.c +Index: clamav-0.96.1/clamav-milter/clamav-milter.c =================================================================== ---- clamav-0.95.3.orig/clamav-milter/clamav-milter.c -+++ clamav-0.95.3/clamav-milter/clamav-milter.c -@@ -306,7 +306,7 @@ int main(int argc, char **argv) { +--- clamav-0.96.1.orig/clamav-milter/clamav-milter.c ++++ clamav-0.96.1/clamav-milter/clamav-milter.c +@@ -365,7 +365,7 @@ int main(int argc, char **argv) { if((opt = optget(opts, "PidFile"))->enabled) { FILE *fd; @@ -11,11 +11,11 @@ Index: clamav-0.95.3/clamav-milter/clamav-milter.c if((fd = fopen(opt->strarg, "w")) == NULL) { logg("!Can't save PID in file %s\n", opt->strarg); -Index: clamav-0.95.3/shared/output.c +Index: clamav-0.96.1/shared/output.c =================================================================== ---- clamav-0.95.3.orig/shared/output.c -+++ clamav-0.95.3/shared/output.c -@@ -270,7 +270,7 @@ int logg(const char *str, ...) +--- clamav-0.96.1.orig/shared/output.c ++++ clamav-0.96.1/shared/output.c +@@ -280,7 +280,7 @@ int logg(const char *str, ...) #endif if(logg_file) { if(!logg_fp) { 
@@ -24,11 +24,11 @@ Index: clamav-0.95.3/shared/output.c if((logg_fp = fopen(logg_file, "at")) == NULL) { umask(old_umask); #ifdef CL_THREAD_SAFE -Index: clamav-0.95.3/freshclam/freshclam.c +Index: clamav-0.96.1/freshclam/freshclam.c =================================================================== ---- clamav-0.95.3.orig/freshclam/freshclam.c -+++ clamav-0.95.3/freshclam/freshclam.c -@@ -102,7 +102,7 @@ static void writepid(const char *pidfile +--- clamav-0.96.1.orig/freshclam/freshclam.c ++++ clamav-0.96.1/freshclam/freshclam.c +@@ -106,7 +106,7 @@ static void writepid(const char *pidfile { FILE *fd; int old_umask; diff --git a/clamav-0.96-disable-jit.patch b/clamav-0.96-disable-jit.patch new file mode 100644 index 0000000..01b3c79 --- /dev/null +++ b/clamav-0.96-disable-jit.patch 
@@ -0,0 +1,150 @@ +Index: clamav-0.96.1/clamd/clamd.c +=================================================================== +--- clamav-0.96.1.orig/clamd/clamd.c ++++ clamav-0.96.1/clamd/clamd.c +@@ -434,6 +434,9 @@ int main(int argc, char **argv) + if((opt = optget(opts,"BytecodeTimeout"))->enabled) { + cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg); + } ++ if((opt = optget(opts,"BytecodeDisableJIT"))->enabled) { ++ cl_engine_set_num(engine, CL_ENGINE_BYTECODE_DISABLEJIT, opt->numarg); ++ } + + if(optget(opts,"PhishingScanURLs")->enabled) + dboptions |= CL_DB_PHISHING_URLS; +Index: clamav-0.96.1/clamscan/manager.c +=================================================================== +--- clamav-0.96.1.orig/clamscan/manager.c ++++ clamav-0.96.1/clamscan/manager.c +@@ -404,6 +404,8 @@ int scanmanager(const struct optstruct * + cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, CL_BYTECODE_TRUST_ALL); + if((opt = optget(opts,"bytecode-timeout"))->enabled) + cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg); ++ if((opt = optget(opts,"bytecode-disable-jit"))->enabled) ++ cl_engine_set_num(engine, CL_ENGINE_BYTECODE_DISABLEJIT, opt->numarg); + + if((opt = optget(opts, "tempdir"))->enabled) { + if((ret = cl_engine_set_str(engine, CL_ENGINE_TMPDIR, opt->strarg))) { +Index: clamav-0.96.1/docs/man/clamd.conf.5.in +=================================================================== +--- clamav-0.96.1.orig/docs/man/clamd.conf.5.in ++++ clamav-0.96.1/docs/man/clamd.conf.5.in +@@ -253,6 +253,12 @@ Default: TrustSigned + Set bytecode timeout in milliseconds. + .br + Default: 60000 ++.TP ++\fBBytecodeDisableJIT BOOL\fR ++Disable the JIT and fallback to interpreter mode. ++WARNING: disabling the JIT affects performance! ++.br ++Default: No + .TP + \fBDetectPUA BOOL\fR + Detect Possibly Unwanted Applications. 
+Index: clamav-0.96.1/docs/man/clamscan.1.in +=================================================================== +--- clamav-0.96.1.orig/docs/man/clamscan.1.in ++++ clamav-0.96.1/docs/man/clamscan.1.in +@@ -86,6 +86,10 @@ This option disables safety checks and m + .TP + \fB\-\-bytecode\-timeout=N\fR + Set bytecode timeout in milliseconds (default: 60000 = 60s) ++.TP ++\fB\-\-bytecode\-disable\-jit\fR ++Disable the JIT and fallback to interpreter mode. ++WARNING: disable the JIT affects performance! + .TP + \fB\-\-detect\-pua[=yes/no(*)]\fR + Detect Possibly Unwanted Applications. +Index: clamav-0.96.1/etc/clamd.conf +=================================================================== +--- clamav-0.96.1.orig/etc/clamd.conf ++++ clamav-0.96.1/etc/clamd.conf +@@ -472,3 +472,8 @@ Example + # + # Default: 60000 + # BytecodeTimeout 60000 ++ ++# Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance. ++# ++# Default: no ++#BytecodeDisableJIT no +Index: clamav-0.96.1/libclamav/clamav.h +=================================================================== +--- clamav-0.96.1.orig/libclamav/clamav.h ++++ clamav-0.96.1/libclamav/clamav.h +@@ -144,7 +144,8 @@ enum cl_engine_field { + CL_ENGINE_TMPDIR, /* (char *) */ + CL_ENGINE_KEEPTMP, /* uint32_t */ + CL_ENGINE_BYTECODE_SECURITY, /* uint32_t */ +- CL_ENGINE_BYTECODE_TIMEOUT /* uint32_t */ ++ CL_ENGINE_BYTECODE_TIMEOUT, /* uint32_t */ ++ CL_ENGINE_BYTECODE_DISABLEJIT /* uint32_t */ + }; + + enum bytecode_security { +Index: clamav-0.96.1/libclamav/others.c +=================================================================== +--- clamav-0.96.1.orig/libclamav/others.c ++++ clamav-0.96.1/libclamav/others.c +@@ -301,6 +301,7 @@ struct cl_engine *cl_engine_new(void) + new->bytecode_security = CL_BYTECODE_TRUST_SIGNED; + /* 5 seconds timeout */ + new->bytecode_timeout = 60000; ++ new->disablejit = 0; + new->refcount = 1; + new->ac_only = 0; + new->ac_mindepth = CLI_DEFAULT_AC_MINDEPTH; +@@ -399,6 +400,9 
@@ int cl_engine_set_num(struct cl_engine * + case CL_ENGINE_BYTECODE_TIMEOUT: + engine->bytecode_timeout = num; + break; ++ case CL_ENGINE_BYTECODE_DISABLEJIT: ++ engine->disablejit = num; ++ break; + default: + cli_errmsg("cl_engine_set_num: Incorrect field number\n"); + return CL_EARG; +Index: clamav-0.96.1/libclamav/others.h +=================================================================== +--- clamav-0.96.1.orig/libclamav/others.h ++++ clamav-0.96.1/libclamav/others.h +@@ -253,6 +253,7 @@ struct cl_engine { + unsigned hook_lsig_ids; + enum bytecode_security bytecode_security; + uint32_t bytecode_timeout; ++ unsigned disablejit; + }; + + struct cl_settings { +Index: clamav-0.96.1/libclamav/readdb.c +=================================================================== +--- clamav-0.96.1.orig/libclamav/readdb.c ++++ clamav-0.96.1/libclamav/readdb.c +@@ -2595,7 +2595,10 @@ int cl_load(const char *path, struct cl_ + return ret; + + if((dboptions & CL_DB_BYTECODE) && !engine->bcs.engine && (engine->dconf->bytecode & BYTECODE_ENGINE_MASK)) { +- if((ret = cli_bytecode_init(&engine->bcs, engine->dconf->bytecode))) ++ unsigned dconfmask = engine->dconf->bytecode; ++ if (engine->disablejit) ++ dconfmask &= BYTECODE_INTERPRETER; ++ if((ret = cli_bytecode_init(&engine->bcs, dconfmask))) + return ret; + } else { + cli_dbgmsg("Bytecode engine disabled\n"); +Index: clamav-0.96.1/shared/optparser.c +=================================================================== +--- clamav-0.96.1.orig/shared/optparser.c ++++ clamav-0.96.1/shared/optparser.c +@@ -252,6 +252,9 @@ const struct clam_option __clam_options[ + "Set bytecode security level.\nPossible values:\n\tNone - no security at all, meant for debugging. 
DO NOT USE THIS ON PRODUCTION SYSTEMS\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"}, + { "BytecodeTimeout", "bytecode-timeout", 0, TYPE_NUMBER, MATCH_NUMBER, 60000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, + "Set bytecode timeout in miliseconds.\n","60000"}, ++ { "BytecodeDisableJIT", "bytecode-disable-jit", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, ++ "Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.\n","no"}, ++ + { "DetectPUA", "detect-pua", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect Potentially Unwanted Applications.", "yes" }, + + { "ExcludePUA", "exclude-pua", 0, TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_CLAMSCAN, "Exclude a specific PUA category. This directive can be used multiple times.\nSee http://www.clamav.net/support/pua for the complete list of PUA\ncategories.", "NetTool\nPWTool" }, diff --git a/clamav-0.96-jitoff.patch b/clamav-0.96-jitoff.patch new file mode 100644 index 0000000..cea2e5a --- /dev/null +++ b/clamav-0.96-jitoff.patch 
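Review bot: In the readdb.c part of clamav-0.96-disable-jit.patch, the enclosing `if` tests `engine->dconf->bytecode & BYTECODE_ENGINE_MASK` before `dconfmask &= BYTECODE_INTERPRETER` is applied, so the value passed to `cli_bytecode_init` can be zero when dconf enables only the JIT. What `cli_bytecode_init` does with an empty mode mask is not visible here, so the masked value should be re-checked first, e.g. `if (!(dconfmask & BYTECODE_ENGINE_MASK)) cli_dbgmsg("Bytecode engine disabled\n"); else if ((ret = cli_bytecode_init(&engine->bcs, dconfmask))) return ret;`. Separately, the others.h hunk adds `disablejit` to `struct cl_engine` but leaves `struct cl_settings` (the context line just below it) untouched. If engine settings are carried through that struct when the database is reloaded, the flag would presumably revert to the `0` set in `cl_engine_new` and the JIT would come back, so please confirm against the reload path. The new field would also benefit from a comment such as `/* non-zero: never initialise the JIT, interpreter only */`.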
@@ -0,0 +1,80 @@ +Index: clamav-0.96.1/etc/clamd.conf +=================================================================== +--- clamav-0.96.1.orig/etc/clamd.conf ++++ clamav-0.96.1/etc/clamd.conf +@@ -11,7 +11,7 @@ Example + # LogFile must be writable for the user running daemon. + # A full path is required. + # Default: disabled +-#LogFile /tmp/clamd.log ++#LogFile /var/log/clamd. + + # By default the log file is locked for writing - the lock protects against + # running clamd multiple times (if want to run another clamd, please +@@ -40,7 +40,7 @@ Example + + # Use system logger (can work together with LogFile). + # Default: no +-#LogSyslog yes ++LogSyslog yes + + # Specify the type of syslog messages - please refer to 'man syslog' + # for facility names. +@@ -54,7 +54,7 @@ Example + # This option allows you to save a process identifier of the listening + # daemon (main thread). + # Default: disabled +-#PidFile /var/run/clamd.pid ++#PidFile /var/run/clamd./clamd.pid + + # Optional path to the global temporary directory. + # Default: system specific (usually /tmp or /var/tmp). +@@ -73,7 +73,7 @@ Example + + # Path to a local socket file the daemon will listen on. + # Default: disabled (must be specified by a user) +-#LocalSocket /tmp/clamd.socket ++#LocalSocket /var/run/clamd./clamd.sock + + # Sets the group ownership on the unix socket. + # Default: disabled (the primary group of the user running clamd) +@@ -183,11 +183,11 @@ Example + + # Run as another user (clamd must be started by root for this option to work) + # Default: don't drop privileges +-#User clamav ++User + + # Initialize supplementary group access (clamd must be started by root). + # Default: no +-#AllowSupplementaryGroups no ++AllowSupplementaryGroups yes + + # Stop daemon when libclamav reports out of memory condition. + #ExitOnOOM yes +@@ -474,6 +474,10 @@ Example + # BytecodeTimeout 60000 + + # Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance. 
+-# +-# Default: no ++# ++# This option has been turned off in Fedora due to security concerns ++# by default. You might need to enable the 'clamd_use_jit' SELinux ++# boolean after enabling this option. ++# ++# Default: yes + #BytecodeDisableJIT no +Index: clamav-0.96.1/shared/optparser.c +=================================================================== +--- clamav-0.96.1.orig/shared/optparser.c ++++ clamav-0.96.1/shared/optparser.c +@@ -252,7 +252,7 @@ const struct clam_option __clam_options[ + "Set bytecode security level.\nPossible values:\n\tNone - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"}, + { "BytecodeTimeout", "bytecode-timeout", 0, TYPE_NUMBER, MATCH_NUMBER, 60000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, + "Set bytecode timeout in miliseconds.\n","60000"}, +- { "BytecodeDisableJIT", "bytecode-disable-jit", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, ++ { "BytecodeDisableJIT", "bytecode-disable-jit", 0, TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, + "Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.\n","no"}, + + { "DetectPUA", "detect-pua", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect Potentially Unwanted Applications.", "yes" }, diff --git a/clamav.spec b/clamav.spec index 88935d7..d8a88e7 100644 --- a/clamav.spec +++ b/clamav.spec @@ -5,6 +5,7 @@ %bcond_without upstart %bcond_with unrar %bcond_without noarch +%bcond_without bytecode ## %global username clamupdate 
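Review bot: The etc/clamd.conf comment added by clamav-0.96-jitoff.patch contradicts the setting it documents. It says the option "has been turned off in Fedora" and that the SELinux boolean may be needed "after enabling this option", while `Default: yes` and the `MATCH_BOOL, 1` change in optparser.c mean the option is on and the JIT is off. An administrator trying to keep the hardening could misread which value is the safe one. Suggested wording: `# Fedora enables this option by default (JIT off) due to security concerns.` followed by `# To use the JIT set it to 'no'; you may also need the 'clamd_use_jit' SELinux boolean.` The man page text added by clamav-0.96-disable-jit.patch (`Default: No` in docs/man/clamd.conf.5.in) is not updated by this patch, so the installed documentation will state the opposite default.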
@@ -23,7 +24,7 @@ Summary: End-user tools for the Clam Antivirus scanner Name: clamav -Version: 0.95.3 +Version: 0.96.1 Release: %release_func 1200%{?snapshot:.%snapshot} License: %{?with_unrar:proprietary}%{!?with_unrar:GPLv2} @@ -37,7 +38,7 @@ Source999: http://download.sourceforge.net/sourceforge/clamav/%name-%version%{?s # incompatible unrar from RARlabs. We have to pull this code out. # tarball was created by # make clean-sources [TARBALL=] [VERSION=] -Source0: %name-%version%{?snapshot}-norar.tar.bz2 +Source0: %name-%version%{?snapshot}-norar.tar.xz %endif Source1: clamd-wrapper Source2: clamd.sysconfig @@ -50,13 +51,16 @@ Patch24: clamav-0.92-private.patch Patch25: clamav-0.92-open.patch Patch26: clamav-0.95-cliopts.patch Patch27: clamav-0.95.3-umask.patch +# https://bugzilla.redhat.com/attachment.cgi?id=403775&action=diff&context=patch&collapsed=&headers=1&format=raw +Patch28: clamav-0.96-disable-jit.patch +Patch29: clamav-0.96-jitoff.patch BuildRoot: %_tmppath/%name-%version-%release-root Requires: clamav-lib = %version-%release Requires: data(clamav) BuildRequires: zlib-devel bzip2-devel gmp-devel curl-devel BuildRequires: ncurses-devel BuildRequires: %_includedir/tcpd.h -BuildRequires: bc +%{?with_bytecode:BuildRequires: bc tcl ocaml groff graphviz} %package filesystem Summary: Filesystem structure for clamav @@ -81,8 +85,6 @@ Group: Development/Libraries Source100: clamd-gen Requires: clamav-lib = %version-%release Requires: clamav-filesystem = %version-%release -Requires(pre): %_libdir/pkgconfig -Requires: pkgconfig %package data Summary: Virus signature data for the Clam Antivirus scanner @@ -316,6 +318,8 @@ The Upstart initscripts for clamav-milter. %patch25 -p1 -b .open %patch26 -p1 -b .cliopts %patch27 -p1 -b .umask +%patch28 -p1 -b .jit-disable +%patch29 -p1 -b .jitoff install -p -m0644 %SOURCE300 clamav-milter/ 
@@ -342,15 +346,21 @@ sed -ri \ %build CFLAGS="$RPM_OPT_FLAGS -Wall -W -Wmissing-prototypes -Wmissing-declarations -std=gnu99" export LDFLAGS='-Wl,--as-needed' -# HACK: remove me, when configure uses $LIBS instead of $LDFLAGS for milter check -export LIBS='-lmilter -lpthread' +# HACK: remove me... +export FRESHCLAM_LIBS='-lz' # IPv6 check is buggy and does not work when there are no IPv6 interface on build machine export have_cv_ipv6=yes -%configure --disable-clamav --with-dbdir=/var/lib/clamav \ - --enable-milter --disable-static \ - --disable-rpath \ - --with-user=%username \ - --with-group=%username \ +%configure \ + --disable-static \ + --disable-rpath \ + --disable-silent-rules \ + --disable-clamav \ + --with-user=%username \ + --with-group=%username \ + --with-dbdir=/var/lib/clamav \ + --enable-milter \ + --enable-clamdtop \ + %{!?with_bytecode:--disable-llvm} \ %{!?with_unrar:--disable-unrar} # TODO: check periodically that CLAMAVUSER is used for freshclam only @@ -696,6 +706,14 @@ test "$1" != "0" || /sbin/initctl -q stop clamav-milter || : %changelog +* Sun Jun 20 2010 Enrico Scholz - 0.96.1-1200 +- updated to 0.96.1 +- applied upstream patch which allows to disable JIT compiler (#573191) +- disabled JIT compiler by default +- removed explicit 'pkgconfig' requirements in -devel (#533956) +- added some BRs +- rediffed patches + * Sat Nov 21 2009 Enrico Scholz - adjusted chkconfig positions for clamav-milter (#530101) diff --git a/lastver b/lastver index 4d8fc8c..483b771 100644 --- a/lastver +++ b/lastver @@ -1 +1 @@ -0.95.3 +0.96.1 diff --git a/sources b/sources index 898c137..b30d6e5 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -7a76425f5cffb9973d6ee45580dc2094 clamav-0.95.3-norar.tar.bz2 +d7a79bcd71da15817d6c731f989cf73a clamav-0.96.1-norar.tar.xz
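Review bot: The replacement comment `# HACK: remove me...` above `export FRESHCLAM_LIBS='-lz'` in the %build hunk no longer says why the override exists or when it can be dropped, whereas the comment it replaces named the configure condition. Something like `# HACK: force -lz into the freshclam link; remove once <upstream fix/version> makes configure add it` would keep that information. In the same hunk, `%{!?with_bytecode:--disable-llvm}` together with `%bcond_without bytecode` means the default build still compiles the LLVM JIT in. The "disabled JIT compiler by default" changelog entry therefore rests only on the runtime default from clamav-0.96-jitoff.patch, which a one-line comment at the configure call could state, for example `# JIT is built but off at runtime by default, see Patch29`.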