Gentoo Archives: gentoo-commits

From: Michael Orlitzky <mjo@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-antivirus/clamav-unofficial-sigs/files/, ...
Date: Wed, 05 Feb 2020 15:56:38
Message-Id: 1580917739.2082ac48958748441a089943e3fa188a92b24e4b.mjo@gentoo
1 commit: 2082ac48958748441a089943e3fa188a92b24e4b
2 Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
3 AuthorDate: Wed Feb 5 02:09:41 2020 +0000
4 Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org>
5 CommitDate: Wed Feb 5 15:48:59 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2082ac48
7
8 app-antivirus/clamav-unofficial-sigs: new version 7.0.1.
9
10 I am reluctantly adding this new version so that we don't fall too far
11 behind. Every release of this package gets crazier, and it attempts to
12 do... let's say "ill-advised" things... to your filesystem when run as
13 root. To minimize that risk, I've patched the script to exit with an
14 error if it's run as EUID 0. Running it as "clamav" should still be
15 safe, in the sense that it can only break your clamav. We have our own
16 systemd service that runs as a restricted user, so that upstream
17 vulnerability is fixed in Gentoo too.
18
19 Package-Manager: Portage-2.3.84, Repoman-2.3.20
20 Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org>
21
22 app-antivirus/clamav-unofficial-sigs/Manifest | 1 +
23 .../clamav-unofficial-sigs-7.0.1.ebuild | 107 +++++++++++++++++++++
24 ...unofficial-sigs-7.0.1-disable-run-as-root.patch | 39 ++++++++
25 ...official-sigs-7.0.1-fix-mbl-database-name.patch | 35 +++++++
26 .../clamav-unofficial-sigs-7.0.1-fix-mbl-url.patch | 22 +++++
27 .../files/clamav-unofficial-sigs-7.0.1.man.8 | 77 +++++++++++++++
28 6 files changed, 281 insertions(+)
29
30 diff --git a/app-antivirus/clamav-unofficial-sigs/Manifest b/app-antivirus/clamav-unofficial-sigs/Manifest
31 index a557118db75..639d0b6e012 100644
32 --- a/app-antivirus/clamav-unofficial-sigs/Manifest
33 +++ b/app-antivirus/clamav-unofficial-sigs/Manifest
34 @@ -1,2 +1,3 @@
35 DIST clamav-unofficial-sigs-5.6.2.tar.gz 50931 BLAKE2B 6fea42f8f76ae5344c2b96c9203d2b09e755573d03f2b9d3d9ee2a488150fbb6f598e052b730daf12c551920a71fd8daad1dc10002fca12fa4a74554cf7d445e SHA512 79978db065a22d778490d0a2673f5a0bb7ab73e42de64563e7d26ac23459f7e5b2e73b0548e1ea6483e3c5f43eed65cdbc6814037cc0c46a339366a0150e5427
36 DIST clamav-unofficial-sigs-6.0.1.tar.gz 52262 BLAKE2B 9523da749e88c5e93f0986d7d4a234c3b1eff7c207ceb266e63cd76d7cffdf4a85aedf90aa746f7e1c82be97018f40896bbaa2dfd8f749f3c167d3bff74293d7 SHA512 d4f619628c9b2804a6d5ad533adaad72e323bb0604334c045cf92fc550ffb114493653d097b68337b33f51dc1215dc073b4ec9dc42abea8707cb03aefa40b289
37 +DIST clamav-unofficial-sigs-7.0.1.tar.gz 59517 BLAKE2B 36da6d7748cd7fcf35dde4790a8fb6777a97a6c0a7b2c080e0f0ac939041b5fd2372f0d58fb00558a7f57db78866c3235205e2cb8a8083575efcf1a5e73c9a3b SHA512 2cba341bce50b03d17f46662b499a3378d4e5750f4abe837bbddee5c671636553660723243c4b90de96c84210926f6406f554b7936600c3ae618644af40bf802
38
39 diff --git a/app-antivirus/clamav-unofficial-sigs/clamav-unofficial-sigs-7.0.1.ebuild b/app-antivirus/clamav-unofficial-sigs/clamav-unofficial-sigs-7.0.1.ebuild
40 new file mode 100644
41 index 00000000000..d906ed530ac
42 --- /dev/null
43 +++ b/app-antivirus/clamav-unofficial-sigs/clamav-unofficial-sigs-7.0.1.ebuild
44 @@ -0,0 +1,107 @@
45 +# Copyright 1999-2020 Gentoo Authors
46 +# Distributed under the terms of the GNU General Public License v2
47 +
48 +EAPI=7
49 +
50 +inherit systemd
51 +
52 +DESCRIPTION="Download and install third-party clamav signatures"
53 +HOMEPAGE="https://github.com/extremeshok/clamav-unofficial-sigs"
54 +SRC_URI="https://github.com/extremeshok/clamav-unofficial-sigs/archive/${PV}.tar.gz -> ${P}.tar.gz"
55 +
56 +LICENSE="BSD"
57 +SLOT="0"
58 +KEYWORDS="~amd64 ~x86"
59 +IUSE="cron"
60 +
61 +# Require acct-{user,group}/clamav at build time so that we can set
62 +# the permissions on /var/lib/${PN} in src_install rather than in
63 +# pkg_postinst; calling "chown" on the live filesystem scares me.
64 +DEPEND="acct-group/clamav
65 + acct-user/clamav"
66 +
67 +# The script relies on either net-misc/socat, or Perl's
68 +# IO::Socket::UNIX. We already depend on Perl, and Gentoo's Perl ships
69 +# with IO::Socket::UNIX, so we can leave out net-misc/socat here.
70 +#
71 +# Recent versions will crash if you don't have "clamscan" available,
72 +# so we are forced to depend on app-antivirus/clamav finally.
73 +RDEPEND="${DEPEND}
74 + app-antivirus/clamav
75 + app-crypt/gnupg
76 + dev-lang/perl
77 + net-dns/bind-tools
78 + || ( net-misc/wget net-misc/curl )"
79 +
80 +# This script is cccrrraaaaaaazzzzzzzzyyyyyy. It does a million
81 +# insecure things. Let's not accidentally run it as root.
82 +PATCHES=(
83 + "${FILESDIR}/${P}-disable-run-as-root.patch"
84 + "${FILESDIR}/${P}-fix-mbl-database-name.patch"
85 + "${FILESDIR}/${P}-fix-mbl-url.patch"
86 +)
87 +
88 +src_prepare() {
89 + default
90 +
91 + # https://github.com/extremeshok/clamav-unofficial-sigs/pull/301
92 + echo 'allow_upgrades="no"' >> config/os/os.gentoo.conf || die
93 + echo 'allow_update_checks="no"' >> config/os/os.gentoo.conf || die
94 +}
95 +
96 +src_install() {
97 + dobin "${PN}.sh"
98 +
99 + insinto /etc/logrotate.d
100 + newins "${FILESDIR}/${PN}.logrotate" "${PN}"
101 +
102 + insinto "/etc/${PN}"
103 + doins config/{master,user}.conf
104 + newins config/os/os.gentoo.conf os.conf
105 +
106 + # To generate the man page, you have to first install the package,
107 + # and then issue some ridiculous command like
108 + #
109 + # $ sudo su -s /bin/sh \
110 + # -c 'man_dir=/tmp clamav-unofficial-sigs.sh --install-man' \
111 + # clamav
112 + #
113 + # That'll stick it in /tmp, which is unsafe-ish, but the example is
114 + # easily modified.
115 + newman "${FILESDIR}/${P}.man.8" "${PN}.8"
116 + dodoc README.md
117 +
118 + if use cron; then
119 + # Beware, this directory is not completely standard. However,
120 + # we need this to run as "clamav" with a non-default shell and
121 + # home directory (bug 694054), and this seems like the most
122 + # reliable way to accomplish that.
123 + insinto "/etc/cron.d"
124 + newins "${FILESDIR}/${PN}.crond" "${PN}"
125 + else
126 + dodoc "${FILESDIR}/${PN}.crond"
127 + fi
128 +
129 + # Install the systemd service and timer unconditionally, because
130 + # the timer is disabled by default (and won't annoy people until
131 + # after they've configured the script).
132 + systemd_dounit "${FILESDIR}/${PN}".{service,timer}
133 +
134 + # The script's working directory, as set in the configuration
135 + # file. By default, the script runs as clamav:clamav because
136 + # it needs write access to the clamav databases.
137 + diropts -o clamav -g clamav
138 + keepdir "/var/lib/${PN}"
139 +}
140 +
141 +pkg_postinst() {
142 + elog ''
143 + elog "You will need to select databases in /etc/${PN}/master.conf."
144 + elog "For details, please see the ${PN}(8) manual page."
145 + elog ''
146 + elog 'An up-to-date description of the available Sanesecurity'
147 + elog 'databases is available at,'
148 + elog ''
149 + elog ' http://sanesecurity.com/usage/signatures/'
150 + elog ''
151 +}
152
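Review bot: in src_prepare, the two `echo ... >> config/os/os.gentoo.conf` lines are justified only by a pull-request URL, so a reader cannot tell from the ebuild why `allow_upgrades` and `allow_update_checks` are forced to "no". A one-line comment would help, for example that the script's `--upgrade` option (described in the man page added by this commit as upgrading the script and master.conf) must not replace files that Portage installed. It is also worth confirming that a value set in user.conf cannot turn these settings back on, since master.conf and user.conf are installed next to os.conf.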
153 diff --git a/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-disable-run-as-root.patch b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-disable-run-as-root.patch
154 new file mode 100644
155 index 00000000000..2b40c982309
156 --- /dev/null
157 +++ b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-disable-run-as-root.patch
158 @@ -0,0 +1,39 @@
159 +From 5235a5e518a1b17f50eb0f56c088f3808d939626 Mon Sep 17 00:00:00 2001
160 +From: Michael Orlitzky <michael@××××××××.com>
161 +Date: Tue, 4 Feb 2020 19:34:56 -0500
162 +Subject: [PATCH 1/1] clamav-unofficial-sigs.sh: disable running as root.
163 +
164 +The only way I'm going to let this be installed on my machine is if
165 +it never runs as root. The shit that it does is insane (a priori)
166 +and also implemented insecurely. There's no good reason to run the
167 +script as root on Gentoo anyway. A cron job is provided for you,
168 +or you can use "su -s /bin/bash -c ... clamav" to run it as the
169 +clamav user.
170 +---
171 + clamav-unofficial-sigs.sh | 10 ++++++++++
172 + 1 file changed, 10 insertions(+)
173 +
174 +diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh
175 +index aa70db1..60d305b 100644
176 +--- a/clamav-unofficial-sigs.sh
177 ++++ b/clamav-unofficial-sigs.sh
178 +@@ -3,6 +3,16 @@
179 + # shellcheck disable=SC2120
180 + # shellcheck disable=SC2128
181 + # shellcheck disable=SC2154
182 ++
183 ++if [[ ${EUID} -eq 0 ]]; then
184 ++ exec 1>&2
185 ++ echo "This script has been patched by the Gentoo maintainer to disable"
186 ++ echo "running it as root (effective UID 0). When run as root, the script"
187 ++ echo "performs a number of operations insecurely. You should never need"
188 ++ echo "to run this as root on Gentoo in the first place."
189 ++ exit 1;
190 ++fi
191 ++
192 + ################################################################################
193 + # This is property of eXtremeSHOK.com
194 + # You are free to use, modify and distribute, however you may not remove this notice.
195 +--
196 +2.24.1
197 +
198
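Review bot: the guard `if [[ ${EUID} -eq 0 ]]` depends on two bash-only features, and the hunk starts at line 3 of the script, so the interpreter line is not visible here. If the script is ever started through a shell that lacks `[[` (for example `sh clamav-unofficial-sigs.sh`), the test itself fails, the `if` body is skipped, and the script carries on as root. `[ "$(id -u)" -eq 0 ]` performs the same effective-UID check in any POSIX shell; the stray `;` after `exit 1` can go as well.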
199 diff --git a/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-database-name.patch b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-database-name.patch
200 new file mode 100644
201 index 00000000000..c991dacb412
202 --- /dev/null
203 +++ b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-database-name.patch
204 @@ -0,0 +1,35 @@
205 +From 837439354cd4692a7228f9f356e0c4acd32202f3 Mon Sep 17 00:00:00 2001
206 +From: Michael Orlitzky <michael@××××××××.com>
207 +Date: Tue, 4 Feb 2020 20:11:16 -0500
208 +Subject: [PATCH 1/1] clamav-unofficial-sigs.sh: fix malwarepatrol extended
209 + database name.
210 +
211 +The database suffix needs to be ".db" regardless of whether you choose
212 +the "basic" signatures or the "extended" ones. This patch is a quick
213 +fix, and just forces the correct name at the beginning of the script.
214 +
215 +Issue: https://github.com/extremeshok/clamav-unofficial-sigs/issues/300
216 +---
217 + clamav-unofficial-sigs.sh | 6 +-----
218 + 1 file changed, 1 insertion(+), 5 deletions(-)
219 +
220 +diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh
221 +index aa70db1..d8031c8 100644
222 +--- a/clamav-unofficial-sigs.sh
223 ++++ b/clamav-unofficial-sigs.sh
224 +@@ -2235,11 +2235,7 @@ else
225 + fi
226 + fi
227 +
228 +-if [ $malwarepatrol_list == "clamav_basic" ] ; then
229 +- malwarepatrol_db="malwarepatrol.db"
230 +-else
231 +- malwarepatrol_db="malwarepatrol.ndb"
232 +-fi
233 ++malwarepatrol_db="malwarepatrol.db"
234 + malwarepatrol_url="${malwarepatrol_url}?receipt=${malwarepatrol_receipt_code}&product=${malwarepatrol_product_code}&list=${malwarepatrol_list}"
235 +
236 + # If "ham_dir" variable is set, then create initial whitelist files (skipped if first-time script run).
237 +--
238 +2.24.1
239 +
240
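Review bot: the replacement line `malwarepatrol_db="malwarepatrol.db"` carries no comment in the script, so the reason the `.ndb` branch was dropped lives only in this patch header. Suggest a one-line comment above the assignment pointing at upstream issue 300, plus a note next to the PATCHES entry in the ebuild that this patch can be dropped once that issue is resolved upstream.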
241 diff --git a/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-url.patch b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-url.patch
242 new file mode 100644
243 index 00000000000..e647ec9beea
244 --- /dev/null
245 +++ b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-url.patch
246 @@ -0,0 +1,22 @@
247 +From be934c77f029aa52c84ede976cf7ab91bf053c03 Mon Sep 17 00:00:00 2001
248 +From: Michael Urspringer <michael@××××××××××.de>
249 +Date: Sun, 26 Jan 2020 11:46:07 +0100
250 +Subject: [PATCH] Fixed wrong download URL for MalwarePatrol
251 +
252 +---
253 + clamav-unofficial-sigs.sh | 2 +-
254 + 1 file changed, 1 insertion(+), 1 deletion(-)
255 +
256 +diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh
257 +index aa70db1..c2f31d6 100644
258 +--- a/clamav-unofficial-sigs.sh
259 ++++ b/clamav-unofficial-sigs.sh
260 +@@ -2979,7 +2979,7 @@ if [ "$malwarepatrol_enabled" == "yes" ] ; then
261 + xshok_pretty_echo_and_log "Checking for updated MalwarePatrol database file: ${malwarepatrol_db}"
262 + malwarepatrol_db_update="0"
263 +
264 +- xshok_file_download "${work_dir_malwarepatrol}/${malwarepatrol_db}" "${malwarepatrol_url}&receipt=${malwarepatrol_receipt_code}"
265 ++ xshok_file_download "${work_dir_malwarepatrol}/${malwarepatrol_db}" "${malwarepatrol_url}"
266 +
267 + ret="$?"
268 + if [ "$ret" -eq 0 ] ; then
269
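Review bot: the patch description is empty, so nothing explains why `&receipt=${malwarepatrol_receipt_code}` is removed from the `xshok_file_download` call. The reason is visible only in the context of the database-name patch, where `malwarepatrol_url` is already built with `?receipt=...&product=...&list=...`; one sentence saying so in the patch header or the ebuild would save the next maintainer the search. Since the receipt code travels in the URL argument, it is also worth checking that `xshok_file_download` does not write that argument to the log.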
270 diff --git a/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1.man.8 b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1.man.8
271 new file mode 100644
272 index 00000000000..7f5555e27f0
273 --- /dev/null
274 +++ b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1.man.8
275 @@ -0,0 +1,77 @@
276 +
277 +.\" Manual page for eXtremeSHOK.com ClamAV Unofficial Signature Updater
278 +.TH clamav-unofficial-sigs 8 "2020-01-25" "Version: 7.0.1" "SCRIPT COMMANDS"
279 +.SH NAME
280 +clamav-unofficial-sigs \- Download, test, and install third-party ClamAV signature databases.
281 +.SH SYNOPSIS
282 +.B clamav-unofficial-sigs
283 +.RI [ options ]
284 +.SH DESCRIPTION
285 +\fBclamav-unofficial-sigs\fP provides a simple way to download, test, and update third-party signature databases provided by Sanesecurity, FOXHOLE, OITC, Scamnailer, BOFHLAND, CRDF, Porcupine, Securiteinfo, MalwarePatrol, Yara-Rules Project, etc. It will also generate and install cron, logrotate, and man files.
286 +.SH UPDATES
287 +Script updates can be found at: \fBhttps://github.com/extremeshok/clamav-unofficial-sigs\fP
288 +.SH OPTIONS
289 +This script follows the standard GNU command line syntax.
290 +.LP
291 +\fB Usage: clamav\-unofficial\-sigs.sh \fR [OPTION] [PATH|FILE]
292 +.TP
293 +\fB \-c, \-\-config \fR Use a specific configuration file or directory eg: '\-c /your/dir' or ' \-c /your/file.name' Note: If a directory is specified the directory must contain atleast: master.conf, os.conf or user.conf Default Directory: /etc/clamav\-unofficial\-sigs
294 +.TP
295 +\fB \-F, \-\-force \fR Force all databases to be downloaded, could cause ip to be blocked
296 +.TP
297 +\fB \-h, \-\-help \fR Display this script's help and usage information
298 +.TP
299 +\fB \-V, \-\-version \fR Output script version and date information
300 +.TP
301 +\fB \-v, \-\-verbose \fR Be verbose, enabled when not run under cron
302 +.TP
303 +\fB \-s, \-\-silence \fR Only output error messages, enabled when run under cron
304 +.TP
305 +\fB \-d, \-\-decode\-sig \fR Decode a third\-party signature either by signature name (eg: Sanesecurity.Junk.15248) or hexadecimal string. This flag will 'NOT' decode image signatures
306 +.TP
307 +\fB \-e, \-\-encode\-string \fR Hexadecimal encode an entire input string that can be used in any '*.ndb' signature database file
308 +.TP
309 +\fB \-f, \-\-encode\-formatted \fR Hexadecimal encode a formatted input string containing signature spacing fields '{}, (), *', without encoding the spacing fields, so that the encoded signature can be used in any '*.ndb' signature database file
310 +.TP
311 +\fB \-g, \-\-gpg\-verify \fR GPG verify a specific Sanesecurity database file eg: '\-g filename.ext' (do not include file path)
312 +.TP
313 +\fB \-i, \-\-information \fR Output system and configuration information for viewing or possible debugging purposes
314 +.TP
315 +\fB \-m, \-\-make\-database \fR Make a signature database from an ascii file containing data strings, with one data string per line. Additional information is provided when using this flag
316 +.TP
317 +\fB \-t, \-\-test\-database \fR Clamscan integrity test a specific database file eg: '\-t filename.ext' (do not include file path)
318 +.TP
319 +\fB \-o, \-\-output\-triggered \fR If HAM directory scanning is enabled in the script's configuration file, then output names of any third\-party signatures that triggered during the HAM directory scan
320 +.TP
321 +\fB \-w, \-\-whitelist <signature\-name> \fR Adds a signature whitelist entry in the newer ClamAV IGN2 format to 'my\-whitelist.ign2' in order to temporarily resolve a false\-positive issue with a specific third\-party signature. Script added whitelist entries will automatically be removed if the original signature is either modified or removed from the third\-party signature database
322 +.TP
323 +\fB \-\-check\-clamav \fR If ClamD status check is enabled and the socket path is correctly specifiedthen test to see if clamd is running or not
324 +.TP
325 +\fB \-\-upgrade \fR Upgrades this script and master.conf to the latest available version
326 +.TP
327 +\fB \-\-install\-all \fR Install and generate the cron, logroate and man files, autodetects the values based on your config files
328 +.TP
329 +\fB \-\-install\-cron \fR Install and generate the cron file, autodetects the values based on your config files
330 +.TP
331 +\fB \-\-install\-logrotate \fR Install and generate the logrotate file, autodetects the values based on your config files
332 +.TP
333 +\fB \-\-install\-man \fR Install and generate the man file, autodetects the values based on your config files
334 +.TP
335 +\fB \-\-remove\-script \fR Remove the clamav\-unofficial\-sigs script and all of its associated files and databases from the system
336 +.TP
337 +.SH SEE ALSO
338 +.BR clamd (8),
339 +.BR clamscan (1)
340 +.SH COPYRIGHT
341 +Copyright (c) Adrian Jon Kriel :: admin@×××××××××××.com
342 +.TP
343 +You are free to use, modify and distribute, however you may not remove this notice.
344 +.SH LICENSE
345 +BSD (Berkeley Software Distribution)
346 +.SH BUGS
347 +Report bugs to \fBhttps://github.com/extremeshok/clamav-unofficial-sigs\fP
348 +.SH AUTHOR
349 +Adrian Jon Kriel :: admin@×××××××××××.com
350 +Originially based on Script provide by Bill Landry
351 +
352 +
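Review bot: several options documented in this page conflict with what the commit enforces. `--upgrade` is described as upgrading the script and master.conf while the ebuild sets `allow_upgrades="no"`, and `--install-all`, `--install-cron`, `--install-logrotate` and `--remove-script` manage files that the ebuild installs itself, with the script now refusing to run as EUID 0. Suggest stating in pkg_postinst that these options are not meant to be used on Gentoo. The spelling slips ("atleast", "logroate", "specifiedthen", "Originially") come from the page the script generates with `--install-man`, per the ebuild comment, and are better reported upstream than patched here.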