Update to 0.103.8 to fix CVE-2023-20032 and CVE-2023-20052

clamav-freshclam.service.patch

@@ -1,6 +1,13 @@
---- ./freshclam/clamav-freshclam.service.in.orig	2021-02-01 20:49:25.000000000 +0000
-+++ ./freshclam/clamav-freshclam.service.in	2021-03-07 22:59:34.476455890 +0000
-@@ -8,7 +8,6 @@ After=network-online.target
+--- ./freshclam/clamav-freshclam.service.in.orig	2021-06-14 10:36:39.029730737 +0100
++++ ./freshclam/clamav-freshclam.service.in	2021-06-14 10:37:53.621423748 +0100
+@@ -2,13 +2,12 @@
+ Description=ClamAV virus database updater
+ Documentation=man:freshclam(1) man:freshclam.conf(5) https://docs.clamav.net/
+ # If user wants it run from cron, don't start the daemon.
+-ConditionPathExists=!/etc/cron.d/clamav-freshclam
++# ConditionPathExists=!/etc/cron.d/clamav-update
+ Wants=network-online.target
+ After=network-online.target
  
  [Service]
  ExecStart=@prefix@/bin/freshclam -d --foreground=true

clamav-type-conversion.patch

@@ -1,57 +0,0 @@
-From adcae42c2094096606a26976fb5829aa1ce5937b Mon Sep 17 00:00:00 2001
-From: caodongxia <315816521@qq.com>
-Date: Mon, 31 May 2021 16:43:12 +0800
-Subject: [PATCH] create patch
-
----
- libclamav/upx.c             | 6 +++---
- libclammspack/mspack/cabd.c | 2 +-
- 2 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/libclamav/upx.c b/libclamav/upx.c
-index 4663861..0e7b2c8 100644
---- a/libclamav/upx.c
-+++ b/libclamav/upx.c
-@@ -333,7 +333,7 @@ int upx_inflate2b(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u
-                 return -1;
-             if (backbytes & 0xff000000)
-                 return -1;
--            backbytes <<= 8;
-+            backbytes = (int32_t)((uint32_t)(backbytes) << 8);
-             backbytes += (unsigned char)(src[scur++]);
-             backbytes ^= 0xffffffff;
- 
-@@ -425,7 +425,7 @@ int upx_inflate2d(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u
-                 return -1;
-             if (backbytes & 0xff000000)
-                 return -1;
--            backbytes <<= 8;
-+            backbytes = (int32_t)((uint32_t)(backbytes) << 8); 
-             backbytes += (unsigned char)(src[scur++]);
-             backbytes ^= 0xffffffff;
- 
-@@ -517,7 +517,7 @@ int upx_inflate2e(const char *src, uint32_t ssize, char *dst, uint32_t *dsize, u
-                 return -1;
-             if (backbytes & 0xff000000)
-                 return -1;
--            backbytes <<= 8;
-+            backbytes = (int32_t)((uint32_t)(backbytes) << 8);
-             backbytes += (unsigned char)(src[scur++]);
-             backbytes ^= 0xffffffff;
- 
-diff --git a/libclammspack/mspack/cabd.c b/libclammspack/mspack/cabd.c
-index 75ef277..4dffd6b 100644
---- a/libclammspack/mspack/cabd.c
-+++ b/libclammspack/mspack/cabd.c
-@@ -1398,7 +1398,7 @@ static unsigned int cabd_checksum(unsigned char *data, unsigned int bytes,
-   unsigned int len, ul = 0;
- 
-   for (len = bytes >> 2; len--; data += 4) {
--    cksum ^= ((data[0]) | (data[1]<<8) | (data[2]<<16) | (data[3]<<24));
-+    cksum ^= ((data[0]) | ((unsigned int)(data[1])<<8) | ((unsigned int)(data[2])<<16) | ((unsigned int)(data[3])<<24));
-   }
- 
-   switch (bytes & 3) {
--- 
-2.27.0
-

clamav-update.crond

@@ -3,4 +3,4 @@ MAILTO=root
 
 ## It is ok to execute it as root; freshclam drops privileges and becomes
 ## user 'clamupdate' as soon as possible
-0  */3 * * * root /usr/share/clamav/freshclam-sleep
+0  */3 * * * root /usr/share/clamav/freshclam-sleep > /dev/null

clamav-update.logrotate

@@ -1,4 +1,8 @@
 /var/log/freshclam.log {
         monthly
         notifempty
+        missingok
+        postrotate
+                systemctl try-restart clamav-freshclam.service
+        endscript
 }

clamav.spec

@@ -1,16 +1,16 @@
 Name:           clamav
 Summary:        End-user tools for the Clam Antivirus scanner
-Version:        0.103.6
-Release:        3
+Version:        0.103.8
+Release:        1
 
 License:        GPLv2 and Public Domain and bzip2-1.0.6 and Zlib and Apache-2.0
 URL:            https://www.clamav.net/
 Source0:        https://www.clamav.net/downloads/production/clamav-%{version}.tar.gz
 Source1:        clamd.sysconfig
 Source2:        clamd.logrotate
-Source3:        main-58.cvd
-Source4:        daily-25550.cvd
-Source5:        bytecode-330.cvd
+Source3:        main-62.cvd
+Source4:        daily-26818.cvd
+Source5:        bytecode-333.cvd
 Source7:        freshclam-sleep
 Source8:        freshclam.sysconfig
 Source9:        clamav-update.crond
@@ -26,10 +26,9 @@ Patch0002:      clamav-default_confs.patch
 Patch0003:      clamav-0.99-private.patch
 Patch0005:	clamav-clamonacc-service.patch
 Patch0006:      clamav-freshclam.service.patch
-Patch0007:      clamav-type-conversion.patch
-Patch0008:      clamav-clamonacc-version-return.patch
-Patch0009:      fix-clamonacc-w-error.patch
-Patch0010:      fix-the-failure-to-execute-the-clambc-command-under-the-clamav-package.patch
+Patch0007:      clamav-clamonacc-version-return.patch
+Patch0008:      fix-clamonacc-w-error.patch
+Patch0019:      fix-the-failure-to-execute-the-clambc-command-under-the-clamav-package.patch
 
 BuildRequires:  autoconf automake gettext-devel libtool libtool-ltdl-devel
 BuildRequires:  gcc-c++ zlib-devel bzip2-devel gmp-devel curl-devel json-c-devel
@@ -414,6 +413,9 @@ test -e %_var/log/clamav-milter.log || {
 
 
 %changelog
+* Wed Mar 15 2023 yaoxin <yaoxin30@h-partners.com> - 0.103.8-1
+- Update to 0.103.8 to fix CVE-2023-20032 and CVE-2023-20052
+
 * Thu May 26 2022 liyanan <liyanan32@h-partners.com> - 0.103.6-3
 - Fix the failure to execute the clambc command under the clamav package
 - Fix clamonacc -w error

clamd@.service

@@ -7,7 +7,7 @@ After = syslog.target nss-lookup.target network.target
 Type = forking
 ExecStart = /usr/sbin/clamd -c /etc/clamd.d/%i.conf
 # Reload the database
-# ExecReload=/bin/kill -USR2 $MAINPID
+ExecReload=/bin/kill -USR2 $MAINPID
 Restart = on-failure
 TimeoutStartSec=420
 

freshclam-sleep

@@ -49,4 +49,4 @@ WARNING: update of clamav database is disabled; please see
 	;;
 esac
 
-/usr/bin/freshclam --quiet
+/usr/bin/freshclam --quiet > /dev/null