Releases: Cisco-Talos/clamav
ClamAV 1.3.1
ClamAV 1.3.1 is a critical patch release with the following fixes:
-
CVE-2024-20380:
Fixed a possible crash in the HTML file parser that could cause a
denial-of-service (DoS) condition.This issue affects version 1.3.0 only and does not affect prior versions.
Thank you to Błażej Pawłowski for identifying this issue.
-
Updated select Rust dependencies to the latest versions.
This resolved Cargo audit complaints and included PNG parser bug fixes. -
Fixed a bug causing some text to be truncated when converting from UTF-16.
-
Fixed assorted complaints identified by Coverity static analysis.
-
Fixed a bug causing CVDs downloaded by the
DatabaseCustomURL
Freshclam
config option to be pruned and then re-downloaded with every update. -
Added the new 'valhalla' database name to the list of optional databases in
preparation for future work. -
Added symbols to the
libclamav.map
file to enable additional build
configurations.Patch courtesy of Neil Wilson.
ClamAV 1.2.3
ClamAV 1.2.3 is a critical patch release with the following fixes:
-
Updated select Rust dependencies to the latest versions.
This resolved Cargo audit complaints and included PNG parser bug fixes. -
Fixed a bug causing some text to be truncated when converting from UTF-16.
-
Fixed assorted complaints identified by Coverity static analysis.
-
Fixed a bug causing CVDs downloaded by the
DatabaseCustomURL
Freshclam
config option to be pruned and then re-downloaded with every update. -
Added the new 'valhalla' database name to the list of optional databases in
preparation for future work. -
Silenced a warning "Unexpected early end-of-file" that occured when
scanning some PNG files.
ClamAV 1.0.6
ClamAV 1.0.6 is a critical patch release with the following fixes:
-
Updated select Rust dependencies to the latest versions.
This resolved Cargo audit complaints and included PNG parser bug fixes. -
Fixed a bug causing some text to be truncated when converting from UTF-16.
-
Fixed assorted complaints identified by Coverity static analysis.
-
Fixed a bug causing CVDs downloaded by the
DatabaseCustomURL
Freshclam
config option to be pruned and then re-downloaded with every update. -
Added the new 'valhalla' database name to the list of optional databases in
preparation for future work. -
Silenced a warning "Unexpected early end-of-file" that occured when
scanning some PNG files.
ClamAV 1.3.0
ClamAV 1.3.0 includes the following improvements and changes:
Major changes
- Added support for extracting and scanning attachments found in Microsoft
OneNote section files.
OneNote parsing will be enabled by default, but may be optionally disabled
using one of the following options:
a. Theclamscan
command line option:--scan-onenote=no
,
b. Theclamd.conf
config option:ScanOneNote no
,
c. The libclamav scan optionoptions.parse &= ~CL_SCAN_PARSE_ONENOTE;
,
d. A signature change to thedaily.cfg
dynamic configuration (DCONF).
Other improvements
-
Fixed issue when building ClamAV on the Haiku (BeOS-like) operating system.
Patch courtesy of Luca D'Amico -
ClamD: When starting, ClamD will now check if the directory specified by
TemporaryDirectory
inclamd.conf
exists. If it doesn't, ClamD
will print an error message and will exit with exit code 1.
Patch courtesy of Andrew Kiggins. -
CMake: If configured to build static libraries, CMake will now also
install the libclamav_rust, libclammspack, libclamunrar_iface, and
libclamunrar static libraries required by libclamav.Note: These libraries are all linked into the clamscan, clamd, sigtool,
and freshclam programs, which is why they did not need to be installed
to function. However, these libraries would be required if you wish to
build some other program that uses the libclamav static library.Patch courtesy of driverxdw.
-
Added file type recognition for compiled Python (
.pyc
) files.
The file type appears as a string parameter for these callback functions:clcb_pre_cache
clcb_pre_scan
clcb_file_inspection
When scanning a.pyc
file, thetype
parameter will now show
"CL_TYPE_PYTHON_COMPILED" instead of "CL_TYPE_BINARY_DATA".- GitHub pull request
-
Improved support for decrypting PDF's with empty passwords.
-
Assorted minor improvements and typo fixes.
Bug fixes
-
Fixed a warning when scanning some HTML files.
-
Fixed an issue decrypting some PDF's with an empty password.
-
ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.
-
ClamOnAcc: Fixed an infinite loop when a file has been deleted before a scan.
Patch courtesy of gsuehiro. -
Fixed a possible crash when processing VBA files on HP-UX/IA 64bit.
Patch courtesy of Albert Chin-A-Young. -
ClamConf: Fixed an issue printing
MaxScanSize
introduced with the change
to allow a MaxScanSize greater than 4 GiB.
Fix courtesy of teoberi. -
Fixed an issue building a ClamAV RPM in some configurations.
The issue was caused by faulty CMake logic that intended to create an
empty database directory during the install.
Acknowledgments
Special thanks to the following people for code contributions and bug reports:
- Albert Chin-A-Young
- Andrew Kiggins
- driverxdw
- gsuehiro
- Luca D'Amico
- RainRat
- teoberi
ClamAV 1.2.2
ClamAV 1.2.2 is a critical patch release with the following fix:
-
CVE-2024-20290:
Fixed a possible heap overflow read bug in the OLE2 file parser that could
cause a denial-of-service (DoS) condition.Affected versions:
- 1.0.0 through 1.0.4 (LTS)
- 1.1 (all patch versions)
- 1.2.0 and 1.2.1
Thank you to OSS-Fuzz for identifying this issue.
-
CVE-2024-20328:
Fixed a possible command injection vulnerability in theVirusEvent
feature
of ClamAV's ClamD service.To fix this issue, we disabled the '%f' format string parameter.
ClamD administrators may continue to use theCLAM_VIRUSEVENT_FILENAME
environment variable, instead of '%f'. But you should do so only from within
an executable, such as a Python script, and not directly in theclamd.conf
VirusEvent
command.Affected versions:
- 0.104 (all patch versions)
- 0.105 (all patch versions)
- 1.0.0 through 1.0.4 (LTS)
- 1.1 (all patch versions)
- 1.2.0 and 1.2.1
Thank you to Amit Schendel for identifying this issue.
ClamAV 1.0.5
ClamAV 1.0.5 is a critical patch release with the following fixes:
-
CVE-2024-20290:
Fixed a possible heap overflow read bug in the OLE2 file parser that could
cause a denial-of-service (DoS) condition.Affected versions:
- 1.0.0 through 1.0.4 (LTS)
- 1.1 (all patch versions)
- 1.2.0 and 1.2.1
Thank you to OSS-Fuzz for identifying this issue.
-
CVE-2024-20328:
Fixed a possible command injection vulnerability in theVirusEvent
feature
of ClamAV's ClamD service.To fix this issue, we disabled the '%f' format string parameter.
ClamD administrators may continue to use theCLAM_VIRUSEVENT_FILENAME
environment variable, instead of '%f'. But you should do so only from within
an executable, such as a Python script, and not directly in theclamd.conf
VirusEvent
command.Affected versions:
- 0.104 (all patch versions)
- 0.105 (all patch versions)
- 1.0.0 through 1.0.4 (LTS)
- 1.1 (all patch versions)
- 1.2.0 and 1.2.1
Thank you to Amit Schendel for identifying this issue.
ClamAV 1.3.0-rc2
ClamAV 1.3.0 includes the following improvements and changes:
Major changes
- Added support for extracting and scanning attachments found in Microsoft
OneNote section files.
OneNote parsing will be enabled by default, but may be optionally disabled
using one of the following options:
a. Theclamscan
command line option:--scan-onenote=no
,
b. Theclamd.conf
config option:ScanOneNote no
,
c. The libclamav scan optionoptions.parse &= ~CL_SCAN_PARSE_ONENOTE;
,
d. A signature change to thedaily.cfg
dynamic configuration (DCONF).
Other improvements
-
Fixed issue when building ClamAV on the Haiku (BeOS-like) operating system.
Patch courtesy of Luca D'Amico -
ClamD: When starting, ClamD will now check if the directory specified by
TemporaryDirectory
inclamd.conf
exists. If it doesn't, ClamD
will print an error message and will exit with exit code 1.
Patch courtesy of Andrew Kiggins. -
CMake: If configured to build static libraries, CMake will now also
install the libclamav_rust, libclammspack, libclamunrar_iface, and
libclamunrar static libraries required by libclamav.Note: These libraries are all linked into the clamscan, clamd, sigtool,
and freshclam programs, which is why they did not need to be installed
to function. However, these libraries would be required if you wish to
build some other program that uses the libclamav static library.Patch courtesy of driverxdw.
-
Added file type recognition for compiled Python (
.pyc
) files.
The file type appears as a string parameter for these callback functions:clcb_pre_cache
clcb_pre_scan
clcb_file_inspection
When scanning a.pyc
file, thetype
parameter will now show
"CL_TYPE_PYTHON_COMPILED" instead of "CL_TYPE_BINARY_DATA".- GitHub pull request
-
Improved support for decrypting PDF's with empty passwords.
-
Assorted minor improvements and typo fixes.
Bug fixes
-
Fixed a warning when scanning some HTML files.
-
Fixed an issue decrypting some PDF's with an empty password.
-
ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.
-
ClamOnAcc: Fixed an infinite loop when a file has been deleted before a scan.
Patch courtesy of gsuehiro. -
Fixed a possible crash when processing VBA files on HP-UX/IA 64bit.
Patch courtesy of Albert Chin-A-Young. -
ClamConf: Fixed an issue printing
MaxScanSize
introduced with the change
to allow a MaxScanSize greater than 4 GiB.
Fix courtesy of teoberi. -
Fixed an issue building a ClamAV RPM in some configurations.
The issue was caused by faulty CMake logic that intended to create an
empty database directory during the install.
Acknowledgments
Special thanks to the following people for code contributions and bug reports:
- Albert Chin-A-Young
- Andrew Kiggins
- driverxdw
- gsuehiro
- Luca D'Amico
- RainRat
- teoberi
ClamAV 1.3.0-rc
ClamAV 1.3.0 release candidate includes the following improvements and changes:
Major changes
- Added support for extracting and scanning attachments found in Microsoft
OneNote section files.
OneNote parsing will be enabled by default, but may be optionally disabled
using one of the following options:
a. Theclamscan
command line option:--scan-onenote=no
,
b. Theclamd.conf
config option:ScanOneNote no
,
c. The libclamav scan optionoptions.parse &= ~CL_SCAN_PARSE_ONENOTE;
,
d. A signature change to thedaily.cfg
dynamic configuration (DCONF).
Other improvements
-
Fixed issue when building ClamAV on the Haiku (BeOS-like) operating system.
Patch courtesy of Luca D'Amico -
ClamD: When starting, ClamD will now check if the directory specified by
TemporaryDirectory
inclamd.conf
exists. If it doesn't, ClamD
will print an error message and will exit with exit code 1.
Patch courtesy of Andrew Kiggins. -
CMake: If configured to build static libraries, CMake will now also
install the libclamav_rust, libclammspack, libclamunrar_iface, and
libclamunrar static libraries required by libclamav.Note: These libraries are all linked into the clamscan, clamd, sigtool,
and freshclam programs, which is why they did not need to be installed
to function. However, these libraries would be required if you wish to
build some other program that uses the libclamav static library.Patch courtesy of driverxdw.
-
Added file type recognition for compiled Python (
.pyc
) files.
The file type appears as a string parameter for these callback functions:clcb_pre_cache
clcb_pre_scan
clcb_file_inspection
When scanning a.pyc
file, thetype
parameter will now show
"CL_TYPE_PYTHON_COMPILED" instead of "CL_TYPE_BINARY_DATA".- GitHub pull request
-
Assorted minor improvements and typo fixes.
Bug fixes
-
Fixed a warning when scanning some HTML files.
-
Fixed an issue decrypting some PDF's with an empty password.
-
ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.
-
Fixed a possible crash when processing VBA files on HP-UX/IA 64bit.
Patch courtesy of Albert Chin-A-Young.
Acknowledgments
Special thanks to the following people for code contributions and bug reports:
- Albert Chin-A-Young
- Andrew Kiggins
- driverxdw
- Luca D'Amico
- RainRat
ClamAV 1.2.1
ClamAV 1.2.1 is a patch release with the following fixes:
-
Eliminate security warning about unused "atty" dependency.
- GitHub pull request: #1033
-
Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12.
- GitHub pull request: #1056
-
Build system: Fix link error with Clang/LLVM/LLD version 17.
Patch courtesy of Yasuhiro Kimura.- GitHub pull request: #1060
-
Fix alert-exceeds-max feature for files > 2GB and < max-filesize.
- GitHub pull request: #1039
Special thanks to the following people for code contributions and bug reports:
- Yasuhiro Kimura
ClamAV 1.1.3
ClamAV 1.1.3 is a patch release with the following fixes:
-
Eliminate security warning about unused "atty" dependency.
- GitHub pull request: #1034
-
Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12.
- GitHub pull request: #1055
-
Windows: libjson-c 0.17 compatibility fix. with ssize_t type definition.
- GitHub pull request: #1063
-
Build system: Fix link error with Clang/LLVM/LLD version 17.
Patch courtesy of Yasuhiro Kimura.- GitHub pull request: #1059
-
Fix alert-exceeds-max feature for files > 2GB and < max-filesize.
- GitHub pull request: #1040
Special thanks to the following people for code contributions and bug reports:
- Yasuhiro Kimura