commit: 2082ac48958748441a089943e3fa188a92b24e4b |
Author: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
AuthorDate: Wed Feb 5 02:09:41 2020 +0000 |
Commit: Michael Orlitzky <mjo <AT> gentoo <DOT> org> |
CommitDate: Wed Feb 5 15:48:59 2020 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2082ac48 |
|
app-antivirus/clamav-unofficial-sigs: new version 7.0.1. |
|
I am reluctantly adding this new version so that we don't fall too far |
behind. Every release of this package gets crazier, and it attempts to |
do... let's say "ill-advised" things... to your filesystem when run as |
root. To minimize that risk, I've patched the script to exit with an |
error if it's run as EUID 0. Running it as "clamav" should still be |
safe, in the sense that it can only break your clamav. We have our own |
systemd service that runs as a restricted user, so that upstream |
vulnerability is fixed in Gentoo too. |
|
Package-Manager: Portage-2.3.84, Repoman-2.3.20 |
Signed-off-by: Michael Orlitzky <mjo <AT> gentoo.org> |
|
app-antivirus/clamav-unofficial-sigs/Manifest | 1 + |
.../clamav-unofficial-sigs-7.0.1.ebuild | 107 +++++++++++++++++++++ |
...unofficial-sigs-7.0.1-disable-run-as-root.patch | 39 ++++++++ |
...official-sigs-7.0.1-fix-mbl-database-name.patch | 35 +++++++ |
.../clamav-unofficial-sigs-7.0.1-fix-mbl-url.patch | 22 +++++ |
.../files/clamav-unofficial-sigs-7.0.1.man.8 | 77 +++++++++++++++ |
6 files changed, 281 insertions(+) |
|
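diff --git a/app-antivirus/clamav-unofficial-sigs/Manifest b/app-antivirus/clamav-unofficial-sigs/Manifest
index a557118db75..639d0b6e012 100644
--- a/app-antivirus/clamav-unofficial-sigs/Manifest
+++ b/app-antivirus/clamav-unofficial-sigs/Manifest
@@ -1,2 +1,3 @@
 DIST clamav-unofficial-sigs-5.6.2.tar.gz 50931 BLAKE2B 6fea42f8f76ae5344c2b96c9203d2b09e755573d03f2b9d3d9ee2a488150fbb6f598e052b730daf12c551920a71fd8daad1dc10002fca12fa4a74554cf7d445e SHA512 79978db065a22d778490d0a2673f5a0bb7ab73e42de64563e7d26ac23459f7e5b2e73b0548e1ea6483e3c5f43eed65cdbc6814037cc0c46a339366a0150e5427
 DIST clamav-unofficial-sigs-6.0.1.tar.gz 52262 BLAKE2B 9523da749e88c5e93f0986d7d4a234c3b1eff7c207ceb266e63cd76d7cffdf4a85aedf90aa746f7e1c82be97018f40896bbaa2dfd8f749f3c167d3bff74293d7 SHA512 d4f619628c9b2804a6d5ad533adaad72e323bb0604334c045cf92fc550ffb114493653d097b68337b33f51dc1215dc073b4ec9dc42abea8707cb03aefa40b289
+DIST clamav-unofficial-sigs-7.0.1.tar.gz 59517 BLAKE2B 36da6d7748cd7fcf35dde4790a8fb6777a97a6c0a7b2c080e0f0ac939041b5fd2372f0d58fb00558a7f57db78866c3235205e2cb8a8083575efcf1a5e73c9a3b SHA512 2cba341bce50b03d17f46662b499a3378d4e5750f4abe837bbddee5c671636553660723243c4b90de96c84210926f6406f554b7936600c3ae618644af40bf802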
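diff --git a/app-antivirus/clamav-unofficial-sigs/clamav-unofficial-sigs-7.0.1.ebuild b/app-antivirus/clamav-unofficial-sigs/clamav-unofficial-sigs-7.0.1.ebuild
new file mode 100644
index 00000000000..d906ed530ac
--- /dev/null
+++ b/app-antivirus/clamav-unofficial-sigs/clamav-unofficial-sigs-7.0.1.ebuild
@@ -0,0 +1,107 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd
+
+DESCRIPTION="Download and install third-party clamav signatures"
+HOMEPAGE="https://github.com/extremeshok/clamav-unofficial-sigs"
+SRC_URI="https://github.com/extremeshok/clamav-unofficial-sigs/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="cron"
+
+# Require acct-{user,group}/clamav at build time so that we can set
+# the permissions on /var/lib/${PN} in src_install rather than in
+# pkg_postinst; calling "chown" on the live filesystem scares me.
+DEPEND="acct-group/clamav
+ acct-user/clamav"
+
+# The script relies on either net-misc/socat, or Perl's
+# IO::Socket::UNIX. We already depend on Perl, and Gentoo's Perl ships
+# with IO::Socket::UNIX, so we can leave out net-misc/socat here.
+#
+# Recent versions will crash if you don't have "clamscan" available,
+# so we are forced to depend on app-antivirus/clamav finally.
+RDEPEND="${DEPEND}
+ app-antivirus/clamav
+ app-crypt/gnupg
+ dev-lang/perl
+ net-dns/bind-tools
+ || ( net-misc/wget net-misc/curl )"
+
+# This script is cccrrraaaaaaazzzzzzzzyyyyyy. It does a million
+# insecure things. Let's not accidentally run it as root.
+PATCHES=(
+ "${FILESDIR}/${P}-disable-run-as-root.patch"
+ "${FILESDIR}/${P}-fix-mbl-database-name.patch"
+ "${FILESDIR}/${P}-fix-mbl-url.patch"
+)
+
+src_prepare() {
+ default
+
+ # https://github.com/extremeshok/clamav-unofficial-sigs/pull/301
+ echo 'allow_upgrades="no"' >> config/os/os.gentoo.conf || die
+ echo 'allow_update_checks="no"' >> config/os/os.gentoo.conf || die
+}
+
+src_install() {
+ dobin "${PN}.sh"
+
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}/${PN}.logrotate" "${PN}"
+
+ insinto "/etc/${PN}"
+ doins config/{master,user}.conf
+ newins config/os/os.gentoo.conf os.conf
+
+ # To generate the man page, you have to first install the package,
+ # and then issue some ridiculous command like
+ #
+ # $ sudo su -s /bin/sh \
+ # -c 'man_dir=/tmp clamav-unofficial-sigs.sh --install-man' \
+ # clamav
+ #
+ # That'll stick it in /tmp, which is unsafe-ish, but the example is
+ # easily modified.
+ newman "${FILESDIR}/${P}.man.8" "${PN}.8"
+ dodoc README.md
+
+ if use cron; then
+ # Beware, this directory is not completely standard. However,
+ # we need this to run as "clamav" with a non-default shell and
+ # home directory (bug 694054), and this seems like the most
+ # reliable way to accomplish that.
+ insinto "/etc/cron.d"
+ newins "${FILESDIR}/${PN}.crond" "${PN}"
+ else
+ dodoc "${FILESDIR}/${PN}.crond"
+ fi
+
+ # Install the systemd service and timer unconditionally, because
+ # the timer is disabled by default (and won't annoy people until
+ # after they've configured the script).
+ systemd_dounit "${FILESDIR}/${PN}".{service,timer}
+
+ # The script's working directory, as set in the configuration
+ # file. By default, the script runs as clamav:clamav because
+ # it needs write access to the clamav databases.
+ diropts -o clamav -g clamav
+ keepdir "/var/lib/${PN}"
+}
+
+pkg_postinst() {
+ elog ''
+ elog "You will need to select databases in /etc/${PN}/master.conf."
+ elog "For details, please see the ${PN}(8) manual page."
+ elog ''
+ elog 'An up-to-date description of the available Sanesecurity'
+ elog 'databases is available at,'
+ elog ''
+ elog ' http://sanesecurity.com/usage/signatures/'
+ elog ''
+}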
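Review bot: The three files that src_install places in `/etc/${PN}` (`doins config/{master,user}.conf` and `newins config/os/os.gentoo.conf os.conf`) get the default `insopts` mode 0644, so every local user can read them. The MalwarePatrol patches in this same commit show the script building its download URL from `malwarepatrol_receipt_code`, which is presumably set in one of these files, so a subscriber's receipt code would end up world-readable. Since `acct-group/clamav` is already in DEPEND, `insopts -m 0640 -g clamav` before `insinto "/etc/${PN}"` and `insopts -m 0644` after the `newins ... os.conf` line would limit reads to root and the clamav group without changing the later cron.d install. Separately, the only comment above the two `echo ... >> config/os/os.gentoo.conf` lines in src_prepare is a pull-request URL; a line such as `# Disable self-upgrade: --upgrade would replace the script and master.conf outside Portage.` would record why they are there.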
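diff --git a/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-disable-run-as-root.patch b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-disable-run-as-root.patch
new file mode 100644
index 00000000000..2b40c982309
--- /dev/null
+++ b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-disable-run-as-root.patch
@@ -0,0 +1,39 @@
+From 5235a5e518a1b17f50eb0f56c088f3808d939626 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@××××××××.com>
+Date: Tue, 4 Feb 2020 19:34:56 -0500
+Subject: [PATCH 1/1] clamav-unofficial-sigs.sh: disable running as root.
+
+The only way I'm going to let this be installed on my machine is if
+it never runs as root. The shit that it does is insane (a priori)
+and also implemented insecurely. There's no good reason to run the
+script as root on Gentoo anyway. A cron job is provided for you,
+or you can use "su -s /bin/bash -c ... clamav" to run it as the
+clamav user.
+---
+ clamav-unofficial-sigs.sh | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh
+index aa70db1..60d305b 100644
+--- a/clamav-unofficial-sigs.sh
++++ b/clamav-unofficial-sigs.sh
+@@ -3,6 +3,16 @@
+ # shellcheck disable=SC2120
+ # shellcheck disable=SC2128
+ # shellcheck disable=SC2154
++
++if [[ ${EUID} -eq 0 ]]; then
++ exec 1>&2
++ echo "This script has been patched by the Gentoo maintainer to disable"
++ echo "running it as root (effective UID 0). When run as root, the script"
++ echo "performs a number of operations insecurely. You should never need"
++ echo "to run this as root on Gentoo in the first place."
++ exit 1;
++fi
++
+ ################################################################################
+ # This is property of eXtremeSHOK.com
+ # You are free to use, modify and distribute, however you may not remove this notice.
+--
+2.24.1
+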
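Review bot: The root guard `if [[ ${EUID} -eq 0 ]]; then` only works when the script is interpreted by bash: if it is started as `sh clamav-unofficial-sigs.sh` on a system where sh is not bash, `[[` is an unknown command, the `if` takes the false branch, and execution continues past the guard as root. `EUID` is likewise a bash-provided variable. The shebang is outside the hunk, so this only matters for explicit-interpreter invocations, but a check whose whole purpose is to fail safe is better written portably, for example `if [ "$(id -u)" -eq 0 ]; then`.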
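diff --git a/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-database-name.patch b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-database-name.patch
new file mode 100644
index 00000000000..c991dacb412
--- /dev/null
+++ b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-database-name.patch
@@ -0,0 +1,35 @@
+From 837439354cd4692a7228f9f356e0c4acd32202f3 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@××××××××.com>
+Date: Tue, 4 Feb 2020 20:11:16 -0500
+Subject: [PATCH 1/1] clamav-unofficial-sigs.sh: fix malwarepatrol extended
+ database name.
+
+The database suffix needs to be ".db" regardless of whether you choose
+the "basic" signatures or the "extended" ones. This patch is a quick
+fix, and just forces the correct name at the beginning of the script.
+
+Issue: https://github.com/extremeshok/clamav-unofficial-sigs/issues/300
+---
+ clamav-unofficial-sigs.sh | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh
+index aa70db1..d8031c8 100644
+--- a/clamav-unofficial-sigs.sh
++++ b/clamav-unofficial-sigs.sh
+@@ -2235,11 +2235,7 @@ else
+ fi
+ fi
+
+-if [ $malwarepatrol_list == "clamav_basic" ] ; then
+- malwarepatrol_db="malwarepatrol.db"
+-else
+- malwarepatrol_db="malwarepatrol.ndb"
+-fi
++malwarepatrol_db="malwarepatrol.db"
+ malwarepatrol_url="${malwarepatrol_url}?receipt=${malwarepatrol_receipt_code}&product=${malwarepatrol_product_code}&list=${malwarepatrol_list}"
+
+ # If "ham_dir" variable is set, then create initial whitelist files (skipped if first-time script run).
+--
+2.24.1
+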
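diff --git a/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-url.patch b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-url.patch
new file mode 100644
index 00000000000..e647ec9beea
--- /dev/null
+++ b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-url.patch
@@ -0,0 +1,22 @@
+From be934c77f029aa52c84ede976cf7ab91bf053c03 Mon Sep 17 00:00:00 2001
+From: Michael Urspringer <michael@××××××××××.de>
+Date: Sun, 26 Jan 2020 11:46:07 +0100
+Subject: [PATCH] Fixed wrong download URL for MalwarePatrol
+
+---
+ clamav-unofficial-sigs.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh
+index aa70db1..c2f31d6 100644
+--- a/clamav-unofficial-sigs.sh
++++ b/clamav-unofficial-sigs.sh
+@@ -2979,7 +2979,7 @@ if [ "$malwarepatrol_enabled" == "yes" ] ; then
+ xshok_pretty_echo_and_log "Checking for updated MalwarePatrol database file: ${malwarepatrol_db}"
+ malwarepatrol_db_update="0"
+
+- xshok_file_download "${work_dir_malwarepatrol}/${malwarepatrol_db}" "${malwarepatrol_url}&receipt=${malwarepatrol_receipt_code}"
++ xshok_file_download "${work_dir_malwarepatrol}/${malwarepatrol_db}" "${malwarepatrol_url}"
+
+ ret="$?"
+ if [ "$ret" -eq 0 ] ; then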
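Review bot: This patch file has no description or upstream reference, unlike the other two patches added in this commit, so the reason for dropping `&receipt=${malwarepatrol_receipt_code}` from the `xshok_file_download` call is not recorded. The reason appears to be that `malwarepatrol_url` already gets `?receipt=...&product=...&list=...` appended where it is assigned (visible as context in the fix-mbl-database-name patch), so the old call sent the parameter twice. A one-line body saying so, plus the upstream commit or pull-request link (`<upstream URL>`), would help whoever rebases these patches for the next version. Because the receipt code travels in the query string, it is also worth confirming that `xshok_file_download`, which is defined outside the hunk, does not write the full URL to the log.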
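diff --git a/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1.man.8 b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1.man.8
new file mode 100644
index 00000000000..7f5555e27f0
--- /dev/null
+++ b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1.man.8
@@ -0,0 +1,77 @@
+
+.\" Manual page for eXtremeSHOK.com ClamAV Unofficial Signature Updater
+.TH clamav-unofficial-sigs 8 "2020-01-25" "Version: 7.0.1" "SCRIPT COMMANDS"
+.SH NAME
+clamav-unofficial-sigs \- Download, test, and install third-party ClamAV signature databases.
+.SH SYNOPSIS
+.B clamav-unofficial-sigs
+.RI [ options ]
+.SH DESCRIPTION
+\fBclamav-unofficial-sigs\fP provides a simple way to download, test, and update third-party signature databases provided by Sanesecurity, FOXHOLE, OITC, Scamnailer, BOFHLAND, CRDF, Porcupine, Securiteinfo, MalwarePatrol, Yara-Rules Project, etc. It will also generate and install cron, logrotate, and man files.
+.SH UPDATES
+Script updates can be found at: \fBhttps://github.com/extremeshok/clamav-unofficial-sigs\fP
+.SH OPTIONS
+This script follows the standard GNU command line syntax.
+.LP
+\fB Usage: clamav\-unofficial\-sigs.sh \fR [OPTION] [PATH|FILE]
+.TP
+\fB \-c, \-\-config \fR Use a specific configuration file or directory eg: '\-c /your/dir' or ' \-c /your/file.name' Note: If a directory is specified the directory must contain atleast: master.conf, os.conf or user.conf Default Directory: /etc/clamav\-unofficial\-sigs
+.TP
+\fB \-F, \-\-force \fR Force all databases to be downloaded, could cause ip to be blocked
+.TP
+\fB \-h, \-\-help \fR Display this script's help and usage information
+.TP
+\fB \-V, \-\-version \fR Output script version and date information
+.TP
+\fB \-v, \-\-verbose \fR Be verbose, enabled when not run under cron
+.TP
+\fB \-s, \-\-silence \fR Only output error messages, enabled when run under cron
+.TP
+\fB \-d, \-\-decode\-sig \fR Decode a third\-party signature either by signature name (eg: Sanesecurity.Junk.15248) or hexadecimal string. This flag will 'NOT' decode image signatures
+.TP
+\fB \-e, \-\-encode\-string \fR Hexadecimal encode an entire input string that can be used in any '*.ndb' signature database file
+.TP
+\fB \-f, \-\-encode\-formatted \fR Hexadecimal encode a formatted input string containing signature spacing fields '{}, (), *', without encoding the spacing fields, so that the encoded signature can be used in any '*.ndb' signature database file
+.TP
+\fB \-g, \-\-gpg\-verify \fR GPG verify a specific Sanesecurity database file eg: '\-g filename.ext' (do not include file path)
+.TP
+\fB \-i, \-\-information \fR Output system and configuration information for viewing or possible debugging purposes
+.TP
+\fB \-m, \-\-make\-database \fR Make a signature database from an ascii file containing data strings, with one data string per line. Additional information is provided when using this flag
+.TP
+\fB \-t, \-\-test\-database \fR Clamscan integrity test a specific database file eg: '\-t filename.ext' (do not include file path)
+.TP
+\fB \-o, \-\-output\-triggered \fR If HAM directory scanning is enabled in the script's configuration file, then output names of any third\-party signatures that triggered during the HAM directory scan
+.TP
+\fB \-w, \-\-whitelist <signature\-name> \fR Adds a signature whitelist entry in the newer ClamAV IGN2 format to 'my\-whitelist.ign2' in order to temporarily resolve a false\-positive issue with a specific third\-party signature. Script added whitelist entries will automatically be removed if the original signature is either modified or removed from the third\-party signature database
+.TP
+\fB \-\-check\-clamav \fR If ClamD status check is enabled and the socket path is correctly specifiedthen test to see if clamd is running or not
+.TP
+\fB \-\-upgrade \fR Upgrades this script and master.conf to the latest available version
+.TP
+\fB \-\-install\-all \fR Install and generate the cron, logroate and man files, autodetects the values based on your config files
+.TP
+\fB \-\-install\-cron \fR Install and generate the cron file, autodetects the values based on your config files
+.TP
+\fB \-\-install\-logrotate \fR Install and generate the logrotate file, autodetects the values based on your config files
+.TP
+\fB \-\-install\-man \fR Install and generate the man file, autodetects the values based on your config files
+.TP
+\fB \-\-remove\-script \fR Remove the clamav\-unofficial\-sigs script and all of its associated files and databases from the system
+.TP
+.SH SEE ALSO
+.BR clamd (8),
+.BR clamscan (1)
+.SH COPYRIGHT
+Copyright (c) Adrian Jon Kriel :: admin@×××××××××××.com
+.TP
+You are free to use, modify and distribute, however you may not remove this notice.
+.SH LICENSE
+BSD (Berkeley Software Distribution)
+.SH BUGS
+Report bugs to \fBhttps://github.com/extremeshok/clamav-unofficial-sigs\fP
+.SH AUTHOR
+Adrian Jon Kriel :: admin@×××××××××××.com
+Originially based on Script provide by Bill Landry
+
+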