[clamav-users] version numbers of updated libraries in 0.105.1-2

G.W. Haywood clamav at jubileegroup.co.uk
Wed Nov 2 13:03:38 UTC 2022


Hi there,

On Wed, 2 Nov 2022, Anjana Patel via clamav-users wrote:

> During the build process of 0.105.1-2 on a RHEL7 system (installing
> from source) I noticed the following scroll up (I've only listed the
> two that are relevant) :
> 
> Compiling jpeg-decoder v0.2.6
> Compiling tiff v0.7.3
>
> The email announcement said that the issues in the JPEG and TIFF
> libraries were resolved in image-tiff version 0.7.4 and jpeg-decoder
> version 0.3.0.  I have double-checked that I had downloaded the
> correct tar file (clamav-0.105.1-2.tar.gz).  Should I be seeing the
> later version numbers during the build?

Yes, I'd have thought so.

Micah says in his announcement that critical vulnerabilities exist in
the 'jpeg-decoder' and 'tiff' rust libraries which are bundled with
the source tarball for 0.105.1.  He further says that these have been
addressed in 0.105.1-2, and 1.0.0-rc.  I'm still unfamiliar with the
new build system but so far I've found no evidence that the packages
for the libraries in the tarballs have changed since 0.105.1:

8<----------------------------------------------------------------------
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/jpeg-decoder/ clamav-0.105.1-2/libclamav_rust/.cargo/vendor/jpeg-decoder/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/ clamav-0.105.1-2/libclamav_rust/.cargo/vendor/tiff/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/jpeg-decoder/ clamav-1.0.0-rc/libclamav_rust/.cargo/vendor/jpeg-decoder/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/ clamav-1.0.0-rc/libclamav_rust/.cargo/vendor/tiff/
$
8<----------------------------------------------------------------------

Here's the change log, for example, for jpeg-decoder bundled in 0.105.1-2:

8<----------------------------------------------------------------------
$ head clamav-0.105.1-2/libclamav_rust/.cargo/vendor/jpeg-decoder/CHANGELOG.md 
# Change Log
All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/).

## v0.2.6 (2022-05-09)

- Another fix to allow usage in WASM target.
- Decoding in the WASM target is now actively tested in CI.

## v0.2.5 (2022-05-02)
8<----------------------------------------------------------------------

As you can see it's still at 0.2.6.

Maybe we're missing something?

-- 

73,
Ged.
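
The comparison discussed in this message can also be scripted against an unpacked source tree. What follows is an added example, not part of the original message and not ClamAV project code; the function names are hypothetical, and it assumes each vendored crate directory carries a Cargo.toml with a [package] version, as "cargo vendor" produces.

```shell
#!/bin/sh
# Added example (not from the original post or the ClamAV project).
# Minimum versions are the ones quoted from the announcement in the thread.

# crate_version DIR: print "version" from the [package] table of DIR/Cargo.toml,
# ignoring version keys that belong to dependency tables.
crate_version() {
    awk '/^\[/ { in_pkg = ($0 == "[package]") }
         in_pkg && /^version[ \t]*=/ {
             sub(/^version[ \t]*=[ \t]*"/, ""); sub(/".*$/, ""); print; exit
         }' "$1/Cargo.toml"
}

# version_ge A B: succeed when dotted numeric version A >= B (0.10.0 > 0.9.9).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0 }'
}

# check_vendor TREE: returns 0 if both crates are new enough, 1 if one is
# older than the fixed version, 2 if a crate directory is missing.
check_vendor() {
    vendor="$1/libclamav_rust/.cargo/vendor"; rc=0
    for pair in jpeg-decoder:0.3.0 tiff:0.7.4; do
        crate=${pair%%:*}; min=${pair#*:}
        have=$(crate_version "$vendor/$crate" 2>/dev/null) || have=""
        if [ -z "$have" ]; then echo "$crate: not found under $vendor"; rc=2
        elif version_ge "$have" "$min"; then echo "$crate: $have (>= $min)"
        else echo "$crate: $have is older than $min"; [ "$rc" -eq 2 ] || rc=1
        fi
    done
    return "$rc"
}

# make_sample_tree DIR JPEG_VER TIFF_VER: constructed stand-in for an unpacked
# tarball (hypothetical helper; the files are not real ClamAV sources).
make_sample_tree() {
    for pair in "jpeg-decoder:$2" "tiff:$3"; do
        d="$1/libclamav_rust/.cargo/vendor/${pair%%:*}"; mkdir -p "$d"
        printf '[package]\nname = "%s"\nversion = "%s"\n\n[dependencies.x]\nversion = "9"\n' \
            "${pair%%:*}" "${pair#*:}" > "$d/Cargo.toml"
    done
}

if [ $# -gt 0 ]; then check_vendor "$1"; fi
```

Run with the unpacked tree as the only argument; a non-zero exit status means a bundled crate is older than the fixed version or could not be found.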

