- updated to final 0.96

- applied upstream patch which allows to disable JIT compiler (#573191)
- build JIT compiler again
- disabled JIT compiler by default
- removed explicit 'pkgconfig' requirements in -devel (#533956)

.cvsignore

@@ -1 +1 @@
-clamav-0.96rc1-norar.tar.xz
+clamav-0.96-norar.tar.xz

clamav-0.96-disable-jit.patch

@@ -0,0 +1,130 @@
+--- a/clamd/clamd.c	
++++ a/clamd/clamd.c	
+@@ -431,6 +431,9 @@ int main(int argc, char **argv)
+     if((opt = optget(opts,"BytecodeTimeout"))->enabled) {
+ 	cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);
+     }
++    if((opt = optget(opts,"BytecodeDisableJIT"))->enabled) {
++	cl_engine_set_num(engine, CL_ENGINE_BYTECODE_DISABLEJIT, opt->numarg);
++    }
+ 
+     if(optget(opts,"PhishingScanURLs")->enabled)
+ 	dboptions |= CL_DB_PHISHING_URLS;
+--- a/clamscan/manager.c	
++++ a/clamscan/manager.c	
+@@ -405,6 +405,8 @@ int scanmanager(const struct optstruct *opts)
+ 	cl_engine_set_num(engine, CL_ENGINE_BYTECODE_SECURITY, CL_BYTECODE_TRUST_ALL);
+     if((opt = optget(opts,"bytecode-timeout"))->enabled)
+ 	cl_engine_set_num(engine, CL_ENGINE_BYTECODE_TIMEOUT, opt->numarg);
++    if((opt = optget(opts,"bytecode-disable-jit"))->enabled)
++	cl_engine_set_num(engine, CL_ENGINE_BYTECODE_DISABLEJIT, opt->numarg);
+ 
+     if((opt = optget(opts, "tempdir"))->enabled) {
+ 	if((ret = cl_engine_set_str(engine, CL_ENGINE_TMPDIR, opt->strarg))) {
+--- a/docs/man/clamd.conf.5.in	
++++ a/docs/man/clamd.conf.5.in	
+@@ -253,6 +253,12 @@ Default: TrustSigned
+ Set bytecode timeout in milliseconds.
+ .br
+ Default: 60000
++.TP
++\fBBytecodeDisableJIT BOOL\fR
++Disable the JIT and fallback to interpreter mode.
++WARNING: disabling the JIT affects performance!
++.br
++Default: No
+ .TP 
+ \fBDetectPUA BOOL\fR
+ Detect Possibly Unwanted Applications.
+--- a/docs/man/clamscan.1.in	
++++ a/docs/man/clamscan.1.in	
+@@ -86,6 +86,10 @@ This option disables safety checks and makes ClamAV trust all bytecode. It shoul
+ .TP 
+ \fB\-\-bytecode\-timeout=N\fR
+ Set bytecode timeout in milliseconds (default: 60000 = 60s)
++.TP
++\fB\-\-bytecode\-disable\-jit\fR
++Disable the JIT and fallback to interpreter mode.
++WARNING: disable the JIT affects performance!
+ .TP 
+ \fB\-\-detect\-pua[=yes/no(*)]\fR
+ Detect Possibly Unwanted Applications.
+--- a/etc/clamd.conf	
++++ a/etc/clamd.conf	
+@@ -474,3 +474,8 @@ Example
+ # 
+ # Default: 60000
+ # BytecodeTimeout 60000
++ 
++# Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.
++# 
++# Default: no
++#BytecodeDisableJIT no
+--- a/libclamav/clamav.h	
++++ a/libclamav/clamav.h	
+@@ -142,7 +142,8 @@ enum cl_engine_field {
+     CL_ENGINE_TMPDIR,		    /* (char *) */
+     CL_ENGINE_KEEPTMP,		    /* uint32_t */
+     CL_ENGINE_BYTECODE_SECURITY,     /* uint32_t */
+-    CL_ENGINE_BYTECODE_TIMEOUT       /* uint32_t */
++    CL_ENGINE_BYTECODE_TIMEOUT,       /* uint32_t */
++    CL_ENGINE_BYTECODE_DISABLEJIT        /* uint32_t */
+ };
+ 
+ enum bytecode_security {
+--- a/libclamav/others.c	
++++ a/libclamav/others.c	
+@@ -301,6 +301,7 @@ struct cl_engine *cl_engine_new(void)
+     new->bytecode_security = CL_BYTECODE_TRUST_SIGNED;
+     /* 5 seconds timeout */
+     new->bytecode_timeout = 60000;
++    new->disablejit = 0;
+     new->refcount = 1;
+     new->ac_only = 0;
+     new->ac_mindepth = CLI_DEFAULT_AC_MINDEPTH;
+@@ -395,6 +396,9 @@ int cl_engine_set_num(struct cl_engine *engine, enum cl_engine_field field, long
+ 	case CL_ENGINE_BYTECODE_TIMEOUT:
+ 	    engine->bytecode_timeout = num;
+ 	    break;
++	case CL_ENGINE_BYTECODE_DISABLEJIT:
++	    engine->disablejit = num;
++	    break;
+ 	default:
+ 	    cli_errmsg("cl_engine_set_num: Incorrect field number\n");
+ 	    return CL_EARG;
+--- a/libclamav/others.h	
++++ a/libclamav/others.h	
+@@ -249,6 +249,7 @@ struct cl_engine {
+     unsigned hook_lsig_ids;
+     enum bytecode_security bytecode_security;
+     uint32_t bytecode_timeout;
++    unsigned disablejit;
+ };
+ 
+ struct cl_settings {
+--- a/libclamav/readdb.c	
++++ a/libclamav/readdb.c	
+@@ -2566,7 +2566,10 @@ int cl_load(const char *path, struct cl_engine *engine, unsigned int *signo, uns
+ 	    return ret;
+ 
+     if((dboptions & CL_DB_BYTECODE) && !engine->bcs.engine && (engine->dconf->bytecode & BYTECODE_ENGINE_MASK)) {
+-	if((ret = cli_bytecode_init(&engine->bcs, engine->dconf->bytecode)))
++	unsigned dconfmask = engine->dconf->bytecode;
++	if (engine->disablejit)
++	    dconfmask &= BYTECODE_INTERPRETER;
++	if((ret = cli_bytecode_init(&engine->bcs, dconfmask)))
+ 	    return ret;
+     } else {
+ 	cli_dbgmsg("Bytecode engine disabled\n");
+--- a/shared/optparser.c	
++++ a/shared/optparser.c	
+@@ -252,6 +252,9 @@ const struct clam_option __clam_options[] = {
+ 	"Set bytecode security level.\nPossible values:\n\tNone - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"},
+     { "BytecodeTimeout", "bytecode-timeout", 0, TYPE_NUMBER, MATCH_NUMBER, 60000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, 
+ 	"Set bytecode timeout in miliseconds.\n","60000"},
++    { "BytecodeDisableJIT", "bytecode-disable-jit", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, 
++	"Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.\n","no"},
++
+     { "DetectPUA", "detect-pua", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect Potentially Unwanted Applications.", "yes" },
+ 
+     { "ExcludePUA", "exclude-pua", 0, TYPE_STRING, NULL, -1, NULL, FLAG_MULTIPLE, OPT_CLAMD | OPT_CLAMSCAN, "Exclude a specific PUA category. This directive can be used multiple times.\nSee http://www.clamav.net/support/pua for the complete list of PUA\ncategories.", "NetTool\nPWTool" },

clamav-0.96-jitoff.patch

@@ -0,0 +1,30 @@
+Index: clamav-0.96/etc/clamd.conf
+===================================================================
+--- clamav-0.96.orig/etc/clamd.conf
++++ clamav-0.96/etc/clamd.conf
+@@ -476,6 +476,10 @@ AllowSupplementaryGroups yes
+ # BytecodeTimeout 60000
+  
+ # Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.
+-# 
+-# Default: no
++#
++# This option has been turned off in Fedora due to security concerns
++# by default.  You might need to enable the 'clamd_use_jit' SELinux
++# boolean after enabling this option.
++#
++# Default: yes
+ #BytecodeDisableJIT no
+Index: clamav-0.96/shared/optparser.c
+===================================================================
+--- clamav-0.96.orig/shared/optparser.c
++++ clamav-0.96/shared/optparser.c
+@@ -252,7 +252,7 @@ const struct clam_option __clam_options[
+ 	"Set bytecode security level.\nPossible values:\n\tNone - no security at all, meant for debugging. DO NOT USE THIS ON PRODUCTION SYSTEMS\n\tTrustSigned - trust bytecode loaded from signed .c[lv]d files,\n\t\t insert runtime safety checks for bytecode loaded from other sources\n\tParanoid - don't trust any bytecode, insert runtime checks for all\nRecommended: TrustSigned, because bytecode in .cvd files already has these checks\n","TrustSigned"},
+     { "BytecodeTimeout", "bytecode-timeout", 0, TYPE_NUMBER, MATCH_NUMBER, 60000, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, 
+ 	"Set bytecode timeout in miliseconds.\n","60000"},
+-    { "BytecodeDisableJIT", "bytecode-disable-jit", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, 
++    { "BytecodeDisableJIT", "bytecode-disable-jit", 0, TYPE_BOOL, MATCH_BOOL, 1, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, 
+ 	"Disable JIT and fallback to interpreter. WARNING: disabling JIT affects performance.\n","no"},
+ 
+     { "DetectPUA", "detect-pua", 0, TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "Detect Potentially Unwanted Applications.", "yes" },

clamav.spec

@@ -1,11 +1,11 @@
-%global prerelease	rc1
+#global prerelease	rc1
 
 ## Fedora Extras specific customization below...
 %bcond_without		fedora
 %bcond_without		upstart
 %bcond_with		unrar
 %bcond_without		noarch
-%bcond_with		bytecode
+%bcond_without		bytecode
 ##
 
 %global username	clamupdate
@@ -27,7 +27,7 @@
 Summary:	End-user tools for the Clam Antivirus scanner
 Name:		clamav
 Version:	0.96
-Release:	%release_func 1401
+Release:	%release_func 1402
 License:	%{?with_unrar:proprietary}%{!?with_unrar:GPLv2}
 Group:		Applications/File
 URL:		http://www.clamav.net
@@ -52,6 +52,9 @@ Patch24:	clamav-0.92-private.patch
 Patch25:	clamav-0.92-open.patch
 Patch26:	clamav-0.95-cliopts.patch
 Patch27:	clamav-0.95.3-umask.patch
+# https://bugzilla.redhat.com/attachment.cgi?id=403775&action=diff&context=patch&collapsed=&headers=1&format=raw
+Patch28:	clamav-0.96-disable-jit.patch
+Patch29:	clamav-0.96-jitoff.patch
 BuildRoot:	%_tmppath/%name-%version-%release-root
 Requires:	clamav-lib = %version-%release
 Requires:	data(clamav)
@@ -83,8 +86,6 @@ Group:		Development/Libraries
 Source100:	clamd-gen
 Requires:	clamav-lib        = %version-%release
 Requires:	clamav-filesystem = %version-%release
-Requires(pre):	%_libdir/pkgconfig
-Requires:	pkgconfig
 
 %package data
 Summary:	Virus signature data for the Clam Antivirus scanner
@@ -316,6 +317,8 @@ The Upstart initscripts for clamav-milter.
 %apply -n25 -p1 -b .open
 %apply -n26 -p1 -b .cliopts
 %apply -n27 -p1 -b .umask
+%apply -n28 -p1 -b .jit-disable
+%apply -n29 -p1 -b .jitoff
 
 install -p -m0644 %SOURCE300 clamav-milter/
 
@@ -334,7 +337,6 @@ sed -ri \
 sed -ri \
     -e 's!^#?(UpdateLogFile )!#\1!g;' \
     -e 's!^#?(LogSyslog).*!\1 yes!g' \
-    -e 's!^#?(Bytecode).*!\1 no!g' \
     -e 's!(DatabaseOwner *)clamav$!\1%username!g' etc/freshclam.conf
 
 
@@ -703,6 +705,13 @@ test "$1" != "0" || /sbin/initctl -q stop clamav-milter || :
 
 
 %changelog
+* Wed Apr 21 2010 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de> - 0.96-1402
+- updated to final 0.96
+- applied upstream patch which allows to disable JIT compiler (#573191)
+- build JIT compiler again
+- disabled JIT compiler by default
+- removed explicit 'pkgconfig' requirements in -devel (#533956)
+
 * Sat Mar 20 2010 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de> - 0.96-0.1401.rc1
 - do not build the bytecode JIT compiler for now until it can be disabled
   at runtime (#573191)

lastver

@@ -1 +1 @@
-0.95.3
+0.96

sources

@@ -1 +1 @@
-2f591b9598fa938a8a517a59fea04ac7  clamav-0.96rc1-norar.tar.xz
+fea833e7185926330222788eeed249af  clamav-0.96-norar.tar.xz