
version numbers of updated libraries in 0.105.1-2
During the build process of 0.105.1-2 on a RHEL7 system (installing from source) I noticed the following scroll up (I've only listed the two that are relevant) :

Compiling jpeg-decoder v0.2.6
Compiling tiff v0.7.3

The email announcement said that the issues in the JPEG and TIFF libraries were resolved in image-tiff version 0.7.4 and jpeg-decoder version 0.3.0. I have double-checked that I had downloaded the correct tar file (clamav-0.105.1-2.tar.gz). Should I be seeing the later version numbers during the build?



Anjana Patel
Network Specialist
IT
Building 63 (IT) G46 Open plan office,
E: Anjana.Patel@cranfield.ac.uk
T: +44 (0) 1234 75 2902
W: www.cranfield.ac.uk


Re: version numbers of updated libraries in 0.105.1-2
Hi there,

On Wed, 2 Nov 2022, Anjana Patel via clamav-users wrote:

> During the build process of 0.105.1-2 on a RHEL7 system (installing
> from source) I noticed the following scroll up (I've only listed the
> two that are relevant) :
>
> Compiling jpeg-decoder v0.2.6
> Compiling tiff v0.7.3
>
> The email announcement said that the issues in the JPEG and TIFF
> libraries were resolved in image-tiff version 0.7.4 and jpeg-decoder
> version 0.3.0. I have double-checked that I had downloaded the
> correct tar file (clamav-0.105.1-2.tar.gz). Should I be seeing the
> later version numbers during the build?

Yes, I'd have thought so.

Micah says in his announcement that critical vulnerabilities exist in
the 'jpeg-decoder' and 'tiff' rust libraries which are bundled with
the source tarball for 0.105.1. He further says that these have been
addressed in 0.105.1-2, and 1.0.0-rc. I'm still unfamiliar with the
new build system but so far I've found no evidence that the packages
for the libraries in the tarballs have changed since 0.105.1:

8<----------------------------------------------------------------------
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/jpeg-decoder/ clamav-0.105.1-2/libclamav_rust/.cargo/vendor/jpeg-decoder/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/ clamav-0.105.1-2/libclamav_rust/.cargo/vendor/tiff/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/jpeg-decoder/ clamav-1.0.0-rc/libclamav_rust/.cargo/vendor/jpeg-decoder/
$ diff -r -U3 clamav-0.105.1/libclamav_rust/.cargo/vendor/tiff/ clamav-1.0.0-rc/libclamav_rust/.cargo/vendor/tiff/
$
8<----------------------------------------------------------------------

Here's the change log for example for jpeg-decoder bundled in 0.105.1-2:

8<----------------------------------------------------------------------
$ head clamav-0.105.1-2/libclamav_rust/.cargo/vendor/jpeg-decoder/CHANGELOG.md
# Change Log
All notable changes to this project will be documented in this file.
This project adheres to [Semantic Versioning](http://semver.org/).

## v0.2.6 (2022-05-09)

- Another fix to allow usage in WASM target.
- Decoding in the WASM target is now actively tested in CI.

## v0.2.5 (2022-05-02)
8<----------------------------------------------------------------------

As you can see it's still at 0.2.6.

Maybe we're missing something?

--

73,
Ged.
_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
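One way to automate the check Ged does by hand above (an added example, not code from the thread or from the ClamAV project): read the version out of each vendored crate's Cargo.toml under libclamav_rust/.cargo/vendor and compare it with the fixed versions named in the announcement. The tree it inspects here is constructed in a temporary directory; point check_tree at a real unpacked tarball instead.

```python
import re
import tempfile
from pathlib import Path

# Minimum fixed versions, as quoted from the announcement in the thread.
REQUIRED = {"jpeg-decoder": "0.3.0", "tiff": "0.7.4"}

def parse_version(text):
    """'X.Y.Z' -> (X, Y, Z) as ints; any pre-release suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())

def vendored_version(tree, crate):
    """Version from the [package] table of libclamav_rust/.cargo/vendor/<crate>/Cargo.toml."""
    toml = Path(tree, "libclamav_rust", ".cargo", "vendor", crate, "Cargo.toml")
    in_package = False
    for line in toml.read_text().splitlines():
        line = line.strip()
        if line.startswith("["):
            in_package = line == "[package]"  # any other table ends the package section
        elif in_package:
            m = re.match(r'version\s*=\s*"([^"]+)"', line)
            if m:
                return m.group(1)
    raise ValueError(f"no version found in {toml}")

def check_tree(tree, required=REQUIRED):
    """crate -> (vendored version, meets the minimum?) for each crate the advisory names."""
    result = {}
    for crate, minimum in required.items():
        found = vendored_version(tree, crate)
        result[crate] = (found, parse_version(found) >= parse_version(minimum))
    return result

def make_sample_tree(versions):
    """Constructed stand-in for an unpacked tarball; not a real ClamAV source tree."""
    root = Path(tempfile.mkdtemp())
    for crate, ver in versions.items():
        d = root / "libclamav_rust" / ".cargo" / "vendor" / crate
        d.mkdir(parents=True)
        (d / "Cargo.toml").write_text(f'[package]\nname = "{crate}"\nversion = "{ver}"\n')
    return root

if __name__ == "__main__":
    # The versions Anjana saw scroll past, reproduced in a constructed tree.
    tree = make_sample_tree({"jpeg-decoder": "0.2.6", "tiff": "0.7.3"})
    for crate, (found, ok) in check_tree(tree).items():
        print(f"{crate}: vendored {found}, need >= {REQUIRED[crate]}: {'OK' if ok else 'STILL AT VULNERABLE VERSION'}")
```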
Re: version numbers of updated libraries in 0.105.1-2
Hello Anjana, Ged,

I'm both grateful and embarrassed that you tracked this down. I believe the fault is mine.

We built 0.105.1-2, tested it, signed it, and even staged it on the website in preparation for release on Monday. However, the tiff project released an update on Saturday so we rebuilt/tested/signed the release files for 0.105.1-2 on Monday to get the tiff fixes in. I removed the old 0.105.1-2 release files from the website and uploaded the new ones*.

*I think this is where things went wrong. I double-checked my local files. The second set of packages for 0.105.1-2 does have the newer image-tiff version, but the one on the website does not. My best guess is that I simply re-uploaded the first set of packages from Friday instead of the ones from Monday.

With regards to the jpeg-decoder version update, it seems that the image library and image-tiff libraries still have the minimum required jpeg-decoder release set to the previous version. I am working with them now to update that so we can include the latest jpeg-decoder version.

I apologize for the mistake. We will publish another update to the 0.105.1 packages as soon as we're able to include the updates to both the tiff and jpeg libraries.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of G.W. Haywood via clamav-users <clamav-users@lists.clamav.net>
Sent: Wednesday, November 2, 2022 6:03 AM
To: Anjana Patel via clamav-users <clamav-users@lists.clamav.net>
Cc: G.W. Haywood <clamav@jubileegroup.co.uk>
Subject: Re: [clamav-users] version numbers of updated libraries in 0.105.1-2
