Security issue fixed in 0.88.2

Forget what I said, there are some more important things inside 0.88.2 so it's easier to UVF 0.88.2

I'll attach the diff and diffstat to this bugreport

Difftstat

Debdiff

ChangeLog from upstream:

Sat Apr 29 21:30:47 CEST 2006
-----------------------------
  V 0.88.2
  Bugfixes:
    - freshclam/manager.c: fix possible buffer overflow
      Reported by Ulf Harnhammar <metaur*telia.com> and Peter <remllov_*gmx.de>
      See http://www.clamav.net/security/0.88.2.html for details.

    - libclamav/zziplib/zzip-zip.c: add missing #include "others.h"
      Patch by Alex Deiter <tiamat*komi.mts.ru>
    - fix other implicit function declarations
      Thanks to Paul Fisher <pnfisher*berkeley.edu>, Ludwig Nussel
      <ludwig.nussel*suse.de> and Stephen Gran <steve*lobefin.net>
    - shared/cfgparser.c: don't use CL_FULLSTR for file directives
      Requested by Tomasz Papszun and others
    - libclamav/mbox.c: fix compilation error on CYGWIN
    - clamav-milter: Ensure that the quarantine location reported in
      notifications is correct.
      Patch by Simon Munton <simon at nidoran.m5data.com>

Thanks and welcome back, \sh.
The debdiff contains an upgrade to the next upstream version. The actual changes seem okay to me, but there is a lot of autogenerated (autofoo) stuff, so this needs a uvf exception. I thought we could perhaps just cherrypick the security related patches from 0.88.2, but it seems you suggest to upgrade the package to the next upstream properly (although i didn't spot grave changes, so I'm okay with either way)

I'm fine with it too... the code changes are rather small, the changes sound very sane and why bother with backporting all important changes from the few changes overall?

Ok with me too. Can we sync this?

On Wednesday 03 May 2006 09:36, Daniel Holbach wrote:
> Ok with me too. Can we sync this?
>
> ** Changed in: clamav (Ubuntu)
> Status: Unconfirmed => Confirmed

hi,

sure it's already in debian

http://packages.debian.org/unstable/source/clamav

regards,

\sh

We have an Ubuntu change - can that be dropped?

Are we close to getting this in the repositories? The bug is marked as Normal here, but as Critical in Breezy Backports. Hopefully we can see this soon?

we need someone to identify if this package has local changes which need to be merged or if we can drop them by syncing the debian package.

On Saturday 06 May 2006 23:42, Reinhard Tartler wrote:
> we need someone to identify if this package has local changes which
> need to be merged or if we can drop them by syncing the debian
> package.

It can be synced directly from debian, pittis patch for
debian/clamav-base.init-stub is included in new debian package

regards,

\sh

Updating to 0.88.2 will fix bugs #40229 and #34777.

The debian initscript does not seem to create /var/run/clamav in clamav-base.init-stub like the current ubuntu package does. This package must not be synced from debian, but must be properly merged and tested.

Stephan: /var/run is now on tmpfs in dapper, this means init scripts must make sure that required directories exist in /var/run and /var/lock. There are plans to do the same in debian, but debian isn't there yet. Since you requested this exception, please provide a properly merged package.

Hi,

On Wednesday 10 May 2006 08:35, Reinhard Tartler wrote:
> The debian initscript does not seem to create /var/run/clamav in
> clamav-base.init-stub like the current ubuntu package does. This package
> must not be synced from debian, but must be properly merged and tested.
>
> Stephan: /var/run is now on tmpfs in dapper, this means init scripts must
> make sure that required directories exist in /var/run and /var/lock. There
> are plans to do the same in debian, but debian isn't there yet. Since you
> requested this exception, please provide a properly merged package.

ok, will do this during the weekend...cause right now I'm not able to work on
the packages.

Regards,

\sh

This is a debdiff between debians package 0.88.2 and the new ubuntu merge.
Please fetch first the debian version from http://packages.debian.org/unstable/source/clamav

When will an update to 0.88.2 of clamAV / clamav-daemon for breezy be available?

Wasca: Perhaps we can request a backport of clamav to breezy-backports. The changes seem to be too intrusive to warrant cherrypicking changes from the newer version, and I'm not sure if a backport is accepted in breezy-updates/universe.

If you want to work on this, I'd recommend opening a new bugtask and investigating the options I just outlined.

Hi People,

a backport was requested, and I asked jdong to wait until 0.88.2 is available.

Regards,

\sh
On Wednesday 17 May 2006 08:52, Reinhard Tartler wrote:
> Wasca: Perhaps we can request a backport of clamav to breezy-backports.
> The changes seem to be too intrusive to warrant cherrypicking changes
> from the newer version, and I'm not sure if a backport is accepted in
> breezy-updates/universe.
>
> If you want to work on this, I'd recommend opening a new bugtask and
> investigating the options I just outlined.

I requested a backport yesterday in bug #34777.

subscribing john dong, our backports master.

John: can you give us a status update on this?

Alright, perfectly fine by me, I approve it by all means. However, James
recently has not been responding to backports upload requests for over a
month, which I cannot control... If someone in IRC can talk to James for me,
that'd be awesome...

On 5/17/06, Reinhard Tartler <email address hidden> wrote:
>
> subscribing john dong, our backports master.
>
> John: can you give us a status update on this?
>
> --
> Security issue fixed in 0.88.2
> https://launchpad.net/bugs/42568
>

So, uh, does this need to be synced by the ubuntu-archive team, or is it still a manual merge? I'm so confused ...

I am just as confused...

On 5/17/06, Colin Watson <email address hidden> wrote:
>
> So, uh, does this need to be synced by the ubuntu-archive team, or is it
> still a manual merge? I'm so confused ...
>
> --
> Security issue fixed in 0.88.2
> https://launchpad.net/bugs/42568
>

Hi,

the package is merged in dapper. For breezy there must be a backport request
for this package.
I didn't test it on breezy, so someone from the backports team has to test the
package if it's compiling and running.

regards,

\sh
On Thursday 18 May 2006 01:51, John Dong wrote:
> I am just as confused...
>
> On 5/17/06, Colin Watson <email address hidden> wrote:
> > So, uh, does this need to be synced by the ubuntu-archive team, or is it
> > still a manual merge? I'm so confused ...
> >
> > --
> > Security issue fixed in 0.88.2
> > https://launchpad.net/bugs/42568

The dapper task has been uploaded and built on all architectures. Setting it 'fix released' therefore.

It was unjustified that ubuntu-archive has been subscribed, because this package required a manual merge.

I subscribed jdong to this bug, because someone asked if this package could be backported to breezy-backports. Please create another bugtask for this, if you think this should be done.