author | Michael Orlitzky <mjo@gentoo.org> | 2020-02-04 21:09:41 -0500 |
---|---|---|
committer | Michael Orlitzky <mjo@gentoo.org> | 2020-02-05 10:48:59 -0500 |
commit | 2082ac48958748441a089943e3fa188a92b24e4b (patch) | |
tree | 6d6dc4fc4e4a10d71458b6e106d8be2c4dedb8c1 /app-antivirus | |
parent | app-antivirus/clamav-unofficial-sigs: new revision in /usr/bin. (diff) | |
app-antivirus/clamav-unofficial-sigs: new version 7.0.1.
I am reluctantly adding this new version so that we don't fall too far
behind. Every release of this package gets crazier, and it attempts to
do... let's say "ill-advised" things... to your filesystem when run as
root. To minimize that risk, I've patched the script to exit with an
error if it's run as EUID 0. Running it as "clamav" should still be
safe, in the sense that it can only break your clamav. We have our own
systemd service that runs as a restricted user, so the exposure from
upstream's run-as-root design is avoided in Gentoo's own unit as well.
Package-Manager: Portage-2.3.84, Repoman-2.3.20
Signed-off-by: Michael Orlitzky <mjo@gentoo.org>
Diffstat (limited to 'app-antivirus')
6 files changed, 281 insertions, 0 deletions
diff --git a/app-antivirus/clamav-unofficial-sigs/Manifest b/app-antivirus/clamav-unofficial-sigs/Manifest index a557118db755..639d0b6e0124 100644 --- a/app-antivirus/clamav-unofficial-sigs/Manifest +++ b/app-antivirus/clamav-unofficial-sigs/Manifest @@ -1,2 +1,3 @@ DIST clamav-unofficial-sigs-5.6.2.tar.gz 50931 BLAKE2B 6fea42f8f76ae5344c2b96c9203d2b09e755573d03f2b9d3d9ee2a488150fbb6f598e052b730daf12c551920a71fd8daad1dc10002fca12fa4a74554cf7d445e SHA512 79978db065a22d778490d0a2673f5a0bb7ab73e42de64563e7d26ac23459f7e5b2e73b0548e1ea6483e3c5f43eed65cdbc6814037cc0c46a339366a0150e5427 DIST clamav-unofficial-sigs-6.0.1.tar.gz 52262 BLAKE2B 9523da749e88c5e93f0986d7d4a234c3b1eff7c207ceb266e63cd76d7cffdf4a85aedf90aa746f7e1c82be97018f40896bbaa2dfd8f749f3c167d3bff74293d7 SHA512 d4f619628c9b2804a6d5ad533adaad72e323bb0604334c045cf92fc550ffb114493653d097b68337b33f51dc1215dc073b4ec9dc42abea8707cb03aefa40b289 +DIST clamav-unofficial-sigs-7.0.1.tar.gz 59517 BLAKE2B 36da6d7748cd7fcf35dde4790a8fb6777a97a6c0a7b2c080e0f0ac939041b5fd2372f0d58fb00558a7f57db78866c3235205e2cb8a8083575efcf1a5e73c9a3b SHA512 2cba341bce50b03d17f46662b499a3378d4e5750f4abe837bbddee5c671636553660723243c4b90de96c84210926f6406f554b7936600c3ae618644af40bf802 diff --git a/app-antivirus/clamav-unofficial-sigs/clamav-unofficial-sigs-7.0.1.ebuild b/app-antivirus/clamav-unofficial-sigs/clamav-unofficial-sigs-7.0.1.ebuild new file mode 100644 index 000000000000..d906ed530acb --- /dev/null +++ b/app-antivirus/clamav-unofficial-sigs/clamav-unofficial-sigs-7.0.1.ebuild 
@@ -0,0 +1,107 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit systemd
+
+DESCRIPTION="Download and install third-party clamav signatures"
+HOMEPAGE="https://github.com/extremeshok/clamav-unofficial-sigs"
+SRC_URI="https://github.com/extremeshok/clamav-unofficial-sigs/archive/${PV}.tar.gz -> ${P}.tar.gz"
+
+LICENSE="BSD"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="cron"
+
+# Require acct-{user,group}/clamav at build time so that we can set
+# the permissions on /var/lib/${PN} in src_install rather than in
+# pkg_postinst; calling "chown" on the live filesystem scares me.
+DEPEND="acct-group/clamav
+ acct-user/clamav"
+
+# The script relies on either net-misc/socat, or Perl's
+# IO::Socket::UNIX. We already depend on Perl, and Gentoo's Perl ships
+# with IO::Socket::UNIX, so we can leave out net-misc/socat here.
+#
+# Recent versions will crash if you don't have "clamscan" available,
+# so we are forced to depend on app-antivirus/clamav finally.
+RDEPEND="${DEPEND}
+ app-antivirus/clamav
+ app-crypt/gnupg
+ dev-lang/perl
+ net-dns/bind-tools
+ || ( net-misc/wget net-misc/curl )"
+
+# This script is cccrrraaaaaaazzzzzzzzyyyyyy. It does a million
+# insecure things. Let's not accidentally run it as root.
+PATCHES=(
+ "${FILESDIR}/${P}-disable-run-as-root.patch"
+ "${FILESDIR}/${P}-fix-mbl-database-name.patch"
+ "${FILESDIR}/${P}-fix-mbl-url.patch"
+)
+
+src_prepare() {
+ default
+
+ # https://github.com/extremeshok/clamav-unofficial-sigs/pull/301
+ echo 'allow_upgrades="no"' >> config/os/os.gentoo.conf || die
+ echo 'allow_update_checks="no"' >> config/os/os.gentoo.conf || die
+}
+
+src_install() {
+ dobin "${PN}.sh"
+
+ insinto /etc/logrotate.d
+ newins "${FILESDIR}/${PN}.logrotate" "${PN}"
+
+ insinto "/etc/${PN}"
+ doins config/{master,user}.conf
+ newins config/os/os.gentoo.conf os.conf
+
+ # To generate the man page, you have to first install the package,
+ # and then issue some ridiculous command like
+ #
+ # $ sudo su -s /bin/sh \
+ # -c 'man_dir=/tmp clamav-unofficial-sigs.sh --install-man' \
+ # clamav
+ #
+ # That'll stick it in /tmp, which is unsafe-ish, but the example is
+ # easily modified.
+ newman "${FILESDIR}/${P}.man.8" "${PN}.8"
+ dodoc README.md
+
+ if use cron; then
+ # Beware, this directory is not completely standard. However,
+ # we need this to run as "clamav" with a non-default shell and
+ # home directory (bug 694054), and this seems like the most
+ # reliable way to accomplish that.
+ insinto "/etc/cron.d"
+ newins "${FILESDIR}/${PN}.crond" "${PN}"
+ else
+ dodoc "${FILESDIR}/${PN}.crond"
+ fi
+
+ # Install the systemd service and timer unconditionally, because
+ # the timer is disabled by default (and won't annoy people until
+ # after they've configured the script).
+ systemd_dounit "${FILESDIR}/${PN}".{service,timer}
+
+ # The script's working directory, as set in the configuration
+ # file. By default, the script runs as clamav:clamav because
+ # it needs write access to the clamav databases.
+ diropts -o clamav -g clamav
+ keepdir "/var/lib/${PN}"
+}
+
+pkg_postinst() {
+ elog ''
+ elog "You will need to select databases in /etc/${PN}/master.conf."
+ elog "For details, please see the ${PN}(8) manual page."
+ elog ''
+ elog 'An up-to-date description of the available Sanesecurity'
+ elog 'databases is available at,'
+ elog ''
+ elog ' http://sanesecurity.com/usage/signatures/'
+ elog ''
+}
diff --git a/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-disable-run-as-root.patch b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-disable-run-as-root.patch
new file mode 100644
index 000000000000..2b40c982309b
--- /dev/null
+++ b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-disable-run-as-root.patch
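Review bot: The man-page recipe in the src_install comment has the clamav user write to `man_dir=/tmp`, and a predictable name in a world-writable directory is exactly the symlink race the comment hedges as "unsafe-ish"; since this is the example people will copy, give them the safe form directly, e.g. `-c 'man_dir=$(mktemp -d) clamav-unofficial-sigs.sh --install-man'`, and drop the caveat. The pkg_postinst pointer is plain `http://sanesecurity.com/usage/signatures/`, yet that page is where users decide which third-party databases to trust, so it should be `https://sanesecurity.com/usage/signatures/` if the site serves it. The `allow_upgrades="no"` and `allow_update_checks="no"` lines are appended only to os.conf while user.conf is installed verbatim from upstream; if the script reads user.conf after os.conf (not visible here) a copied or stale user.conf could re-enable the self-update path, so a short comment in src_prepare stating that the root-refusal patch and the root-owned /usr/bin copy are the real backstop would spare the next maintainer from re-deriving that.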
@@ -0,0 +1,39 @@ +From 5235a5e518a1b17f50eb0f56c088f3808d939626 Mon Sep 17 00:00:00 2001 +From: Michael Orlitzky <michael@orlitzky.com> +Date: Tue, 4 Feb 2020 19:34:56 -0500 +Subject: [PATCH 1/1] clamav-unofficial-sigs.sh: disable running as root. + +The only way I'm going to let this be installed on my machine is if +it never runs as root. The shit that it does is insane (a priori) +and also implemented insecurely. There's no good reason to run the +script as root on Gentoo anyway. A cron job is provided for you, +or you can use "su -s /bin/bash -c ... clamav" to run it as the +clamav user. +--- + clamav-unofficial-sigs.sh | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh +index aa70db1..60d305b 100644 +--- a/clamav-unofficial-sigs.sh ++++ b/clamav-unofficial-sigs.sh +@@ -3,6 +3,16 @@ + # shellcheck disable=SC2120 + # shellcheck disable=SC2128 + # shellcheck disable=SC2154 ++ ++if [[ ${EUID} -eq 0 ]]; then ++ exec 1>&2 ++ echo "This script has been patched by the Gentoo maintainer to disable" ++ echo "running it as root (effective UID 0). When run as root, the script" ++ echo "performs a number of operations insecurely. You should never need" ++ echo "to run this as root on Gentoo in the first place." ++ exit 1; ++fi ++ + ################################################################################ + # This is property of eXtremeSHOK.com + # You are free to use, modify and distribute, however you may not remove this notice. +-- +2.24.1 + diff --git a/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-database-name.patch b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-database-name.patch new file mode 100644 index 000000000000..c991dacb412f --- /dev/null +++ b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-database-name.patch 
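Review bot: The new guard uses `exec 1>&2` to push its four echo lines to stderr, which redirects the script's stdout for the remainder of the process rather than for the message; that is harmless only because `exit 1` follows immediately, and any line later slipped between the echos and the exit would inherit it silently. Wrapping the echos in a single redirected group (`{ ...; } >&2`, or one `cat >&2 <<EOF` heredoc) keeps the effect local to the message. The check itself is sound for this script: `EUID` is always set in bash, `[[` already pins the file to bash, and the guard sits before any configuration is sourced or any path is touched. Consider adding one line telling the operator what to do instead, since they only ever see this text: `echo "Run it as the clamav user instead, e.g. via the installed cron job or systemd timer."`.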
@@ -0,0 +1,35 @@ +From 837439354cd4692a7228f9f356e0c4acd32202f3 Mon Sep 17 00:00:00 2001 +From: Michael Orlitzky <michael@orlitzky.com> +Date: Tue, 4 Feb 2020 20:11:16 -0500 +Subject: [PATCH 1/1] clamav-unofficial-sigs.sh: fix malwarepatrol extended + database name. + +The database suffix needs to be ".db" regardless of whether you choose +the "basic" signatures or the "extended" ones. This patch is a quick +fix, and just forces the correct name at the beginning of the script. + +Issue: https://github.com/extremeshok/clamav-unofficial-sigs/issues/300 +--- + clamav-unofficial-sigs.sh | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh +index aa70db1..d8031c8 100644 +--- a/clamav-unofficial-sigs.sh ++++ b/clamav-unofficial-sigs.sh +@@ -2235,11 +2235,7 @@ else + fi + fi + +-if [ $malwarepatrol_list == "clamav_basic" ] ; then +- malwarepatrol_db="malwarepatrol.db" +-else +- malwarepatrol_db="malwarepatrol.ndb" +-fi ++malwarepatrol_db="malwarepatrol.db" + malwarepatrol_url="${malwarepatrol_url}?receipt=${malwarepatrol_receipt_code}&product=${malwarepatrol_product_code}&list=${malwarepatrol_list}" + + # If "ham_dir" variable is set, then create initial whitelist files (skipped if first-time script run). +-- +2.24.1 + diff --git a/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-url.patch b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-url.patch new file mode 100644 index 000000000000..e647ec9beea6 --- /dev/null +++ b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1-fix-mbl-url.patch 
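Review bot: Forcing `malwarepatrol_db="malwarepatrol.db"` fixes the name for future downloads, but nothing removes a `malwarepatrol.ndb` that earlier runs with the extended list may have left in `${work_dir_malwarepatrol}` (or in the clamav database directory, if the copy step outside this hunk mirrors the work dir), so a stale extended database could presumably keep being loaded next to the new file; a `rm -f "${work_dir_malwarepatrol}/malwarepatrol.ndb"` beside the assignment, or at least a note in the patch description, would close that. With the conditional gone, `malwarepatrol_list` is no longer examined at all before it is interpolated into the query string on the next line, whereas the old unquoted test would at least have errored on an empty value, so a misspelt or empty list in master.conf now goes straight out in the request. A short `case` on the known list names with a logged error for anything else would restore that check, and a comment like `# MalwarePatrol always serves a .db regardless of list; see upstream issue 300` would explain why the branch was removed.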
@@ -0,0 +1,22 @@ +From be934c77f029aa52c84ede976cf7ab91bf053c03 Mon Sep 17 00:00:00 2001 +From: Michael Urspringer <michael@urspringer.de> +Date: Sun, 26 Jan 2020 11:46:07 +0100 +Subject: [PATCH] Fixed wrong download URL for MalwarePatrol + +--- + clamav-unofficial-sigs.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/clamav-unofficial-sigs.sh b/clamav-unofficial-sigs.sh +index aa70db1..c2f31d6 100644 +--- a/clamav-unofficial-sigs.sh ++++ b/clamav-unofficial-sigs.sh +@@ -2979,7 +2979,7 @@ if [ "$malwarepatrol_enabled" == "yes" ] ; then + xshok_pretty_echo_and_log "Checking for updated MalwarePatrol database file: ${malwarepatrol_db}" + malwarepatrol_db_update="0" + +- xshok_file_download "${work_dir_malwarepatrol}/${malwarepatrol_db}" "${malwarepatrol_url}&receipt=${malwarepatrol_receipt_code}" ++ xshok_file_download "${work_dir_malwarepatrol}/${malwarepatrol_db}" "${malwarepatrol_url}" + + ret="$?" + if [ "$ret" -eq 0 ] ; then diff --git a/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1.man.8 b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1.man.8 new file mode 100644 index 000000000000..7f5555e27f06 --- /dev/null +++ b/app-antivirus/clamav-unofficial-sigs/files/clamav-unofficial-sigs-7.0.1.man.8 
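Review bot: The corrected call downloads `${malwarepatrol_url}`, which per the earlier assignment already carries the receipt code as a query parameter; if `malwarepatrol_url` in master.conf is plain http that credential travels in clear text, and if `xshok_file_download` hands the URL to wget/curl on its command line it is also readable by every local user through `ps` — neither is visible in this hunk, so both are worth confirming. A comment on the download line, `# ${malwarepatrol_url} already includes receipt, product and list; do not append them again`, would keep the duplicate-receipt bug from being reintroduced. The enclosing `if [ "$malwarepatrol_enabled" == "yes" ]` block continues outside the hunk.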
@@ -0,0 +1,77 @@ + +.\" Manual page for eXtremeSHOK.com ClamAV Unofficial Signature Updater +.TH clamav-unofficial-sigs 8 "2020-01-25" "Version: 7.0.1" "SCRIPT COMMANDS" +.SH NAME +clamav-unofficial-sigs \- Download, test, and install third-party ClamAV signature databases. +.SH SYNOPSIS +.B clamav-unofficial-sigs +.RI [ options ] +.SH DESCRIPTION +\fBclamav-unofficial-sigs\fP provides a simple way to download, test, and update third-party signature databases provided by Sanesecurity, FOXHOLE, OITC, Scamnailer, BOFHLAND, CRDF, Porcupine, Securiteinfo, MalwarePatrol, Yara-Rules Project, etc. It will also generate and install cron, logrotate, and man files. +.SH UPDATES +Script updates can be found at: \fBhttps://github.com/extremeshok/clamav-unofficial-sigs\fP +.SH OPTIONS +This script follows the standard GNU command line syntax. +.LP +\fB Usage: clamav\-unofficial\-sigs.sh \fR [OPTION] [PATH|FILE] +.TP +\fB \-c, \-\-config \fR Use a specific configuration file or directory eg: '\-c /your/dir' or ' \-c /your/file.name' Note: If a directory is specified the directory must contain atleast: master.conf, os.conf or user.conf Default Directory: /etc/clamav\-unofficial\-sigs +.TP +\fB \-F, \-\-force \fR Force all databases to be downloaded, could cause ip to be blocked +.TP +\fB \-h, \-\-help \fR Display this script's help and usage information +.TP +\fB \-V, \-\-version \fR Output script version and date information +.TP +\fB \-v, \-\-verbose \fR Be verbose, enabled when not run under cron +.TP +\fB \-s, \-\-silence \fR Only output error messages, enabled when run under cron +.TP +\fB \-d, \-\-decode\-sig \fR Decode a third\-party signature either by signature name (eg: Sanesecurity.Junk.15248) or hexadecimal string. 
This flag will 'NOT' decode image signatures +.TP +\fB \-e, \-\-encode\-string \fR Hexadecimal encode an entire input string that can be used in any '*.ndb' signature database file +.TP +\fB \-f, \-\-encode\-formatted \fR Hexadecimal encode a formatted input string containing signature spacing fields '{}, (), *', without encoding the spacing fields, so that the encoded signature can be used in any '*.ndb' signature database file +.TP +\fB \-g, \-\-gpg\-verify \fR GPG verify a specific Sanesecurity database file eg: '\-g filename.ext' (do not include file path) +.TP +\fB \-i, \-\-information \fR Output system and configuration information for viewing or possible debugging purposes +.TP +\fB \-m, \-\-make\-database \fR Make a signature database from an ascii file containing data strings, with one data string per line. Additional information is provided when using this flag +.TP +\fB \-t, \-\-test\-database \fR Clamscan integrity test a specific database file eg: '\-t filename.ext' (do not include file path) +.TP +\fB \-o, \-\-output\-triggered \fR If HAM directory scanning is enabled in the script's configuration file, then output names of any third\-party signatures that triggered during the HAM directory scan +.TP +\fB \-w, \-\-whitelist <signature\-name> \fR Adds a signature whitelist entry in the newer ClamAV IGN2 format to 'my\-whitelist.ign2' in order to temporarily resolve a false\-positive issue with a specific third\-party signature. 
Script added whitelist entries will automatically be removed if the original signature is either modified or removed from the third\-party signature database +.TP +\fB \-\-check\-clamav \fR If ClamD status check is enabled and the socket path is correctly specifiedthen test to see if clamd is running or not +.TP +\fB \-\-upgrade \fR Upgrades this script and master.conf to the latest available version +.TP +\fB \-\-install\-all \fR Install and generate the cron, logroate and man files, autodetects the values based on your config files +.TP +\fB \-\-install\-cron \fR Install and generate the cron file, autodetects the values based on your config files +.TP +\fB \-\-install\-logrotate \fR Install and generate the logrotate file, autodetects the values based on your config files +.TP +\fB \-\-install\-man \fR Install and generate the man file, autodetects the values based on your config files +.TP +\fB \-\-remove\-script \fR Remove the clamav\-unofficial\-sigs script and all of its associated files and databases from the system +.TP +.SH SEE ALSO +.BR clamd (8), +.BR clamscan (1) +.SH COPYRIGHT +Copyright (c) Adrian Jon Kriel :: admin@extremeshok.com +.TP +You are free to use, modify and distribute, however you may not remove this notice. +.SH LICENSE +BSD (Berkeley Software Distribution) +.SH BUGS +Report bugs to \fBhttps://github.com/extremeshok/clamav-unofficial-sigs\fP +.SH AUTHOR +Adrian Jon Kriel :: admin@extremeshok.com +Originially based on Script provide by Bill Landry + + |