[clamav-users] version numbers of updated libraries in 0.105.1-2

Micah Snyder (micasnyd) micasnyd at cisco.com
Wed Nov 2 23:44:06 UTC 2022


Hello Anjana, Ged,

I'm both grateful and embarrassed that you tracked this down.  I believe the fault is mine.

We built 0.105.1-2, tested it, signed it, and even staged it on the website in preparation for release on Monday.  However, the tiff project released an update on Saturday so we rebuilt/tested/signed the release files for 0.105.1-2 on Monday to get the tiff fixes in.  I removed the old 0.105.1-2 release files from the website and uploaded the new ones*.

*I think this is where things went wrong.  I double-checked my local files. The second set of packages for 0.105.1-2 does have the newer image-tiff version, but the one on the website does not.  My best guess is that I simply re-uploaded the first set of packages from Friday instead of the ones from Monday.

With regard to the jpeg-decoder version update, it seems that the image library and image-tiff libraries still have the minimum required jpeg-decoder release set to the previous version.  I am working with them now to update that so we can include the latest jpeg-decoder version.

I apologize for the mistake. We will publish another update to the 0.105.1 packages as soon as we're able to include the updates to both the tiff and jpeg libraries.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces at lists.clamav.net> on behalf of G.W. Haywood via clamav-users <clamav-users at lists.clamav.net>
Sent: Wednesday, November 2, 2022 6:03 AM
To: Anjana Patel via clamav-users <clamav-users at lists.clamav.net>
Cc: G.W. Haywood <clamav at jubileegroup.co.uk>
Subject: Re: [clamav-users] version numbers of updated libraries in 0.105.1-2

Hi there,

On Wed, 2 Nov 2022, Anjana Patel via clamav-users wrote:

> During the build process of 0.105.1-2 on a RHEL7 system (installing
> from source) I noticed the following scroll up (I've only listed the
> two that are relevant) :
>
> Compiling jpeg-decoder v0.2.6
> Compiling tiff v0.7.3
>
> The email announcement said that the issues in the JPEG and TIFF
> libraries were resolved in image-tiff version 0.7.4 and jpeg-decoder
> version 0.3.0.  I have double-checked that I had downloaded the
> correct tar file (clamav-0.105.1-2.tar.gz).  Should I be seeing the
> later version numbers during the build?

Yes, I'd have thought so.

Micah says in his announcement that critical vulnerabilities exist in
the 'jpeg-decoder' and 'tiff' rust libraries which are bundled with
the source tarball for 0.105.1.  He further says that these have been
addressed in 0.105.1-2, and 1.0.0-rc.  I'm still unfamiliar with the
new build system but so far I've found no evidence that the packages
for the libraries in the tarballs have changed since 0.105.1:

8<----------------------------------------------------------------------
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/jpeg-decoder/ clamav-0.105.1-2/libclamav_rust/.cargo/vendor/jpeg-decoder/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/ clamav-0.105.1-2/libclamav_rust/.cargo/vendor/tiff/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/jpeg-decoder/ clamav-1.0.0-rc/libclamav_rust/.cargo/vendor/jpeg-decoder/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/ clamav-1.0.0-rc/libclamav_rust/.cargo/vendor/tiff/
$
8<----------------------------------------------------------------------

Here's the change log for example for jpeg-decoder bundled in 0.105.1-2:

8<----------------------------------------------------------------------
$ head clamav-0.105.1-2/libclamav_rust/.cargo/vendor/jpeg-decoder/CHANGELOG.md
# Change Log
All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/).

## v0.2.6 (2022-05-09)

- Another fix to allow usage in WASM target.
- Decoding in the WASM target is now actively tested in CI.

## v0.2.5 (2022-05-02)
8<----------------------------------------------------------------------

As you can see it's still at 0.2.6.

Maybe we're missing something?

--

73,
Ged.
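
The check discussed in this thread can be scripted so that a stale tarball is caught before building; the following is an added example, not part of either message and not ClamAV project code. It assumes each vendored crate directory under `libclamav_rust/.cargo/vendor/` carries the `Cargo.toml` that `cargo vendor` writes, uses the fixed versions quoted from the announcement (jpeg-decoder 0.3.0, tiff 0.7.4), and its function names and sample tree are hypothetical.

```shell
#!/bin/sh
# Added example: report whether the vendored jpeg-decoder and tiff crates in an
# unpacked source tree meet the fixed versions named in the announcement.
VENDOR_SUBDIR="libclamav_rust/.cargo/vendor"   # path as shown in the thread

# Print the [package] version from a vendored crate's Cargo.toml.
vendored_version() {  # $1 = source tree, $2 = crate name
    awk '/^\[/ { in_pkg = ($0 == "[package]") }
         in_pkg && /^version[ \t]*=/ {
             sub(/^[^"]*"/, ""); sub(/".*$/, ""); print; exit
         }' "$1/$VENDOR_SUBDIR/$2/Cargo.toml"
}

# Succeed when dotted version $1 >= $2 (numeric fields only, no pre-release tags).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Check one tree; return 1 if a crate is missing or older than its minimum.
check_tree() {
    rc=0
    for spec in "jpeg-decoder 0.3.0" "tiff 0.7.4"; do
        crate=${spec% *}; min=${spec#* }
        have=$(vendored_version "$1" "$crate" 2>/dev/null) || have=""
        if [ -z "$have" ]; then
            echo "MISSING $crate"; rc=1
        elif version_ge "$have" "$min"; then
            echo "OK      $crate $have (>= $min)"
        else
            echo "STALE   $crate $have (< $min)"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample tree for trying the check offline (not real release data).
make_sample_tree() {  # $1 = dir, $2 = jpeg-decoder version, $3 = tiff version
    for pair in "jpeg-decoder $2" "tiff $3"; do
        d="$1/$VENDOR_SUBDIR/${pair% *}"; mkdir -p "$d"
        printf '[package]\nname = "%s"\nversion = "%s"\n' "${pair% *}" "${pair#* }" > "$d/Cargo.toml"
    done
}

if [ "$#" -gt 0 ]; then check_tree "$1"; fi
```

Run it with the path of an unpacked source directory as the only argument; a non-zero exit status means at least one of the two crates is missing or older than the stated fix.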