ClamAV 1.1.0

ClamAV 1.1.0 includes the following improvements and changes:

Major changes

• Added the ability to extract images embedded in HTML CSS <style> blocks.

  • GitHub pull request: #813

• Updated to Sigtool so that the --vba option will extract VBA code from
  Microsoft Office documents the same way that libclamav extracts VBA.
  This resolves several issues where Sigtool could not extract VBA.
  Sigtool will also now display the normalized VBA code instead of the
  pre-normalized VBA code.

  • GitHub pull request: #852

• Added a new ClamScan and ClamD option: --fail-if-cvd-older-than=days.
  Additionally, we introduce FailIfCvdOlderThan as a clamd.conf synonym for
  --fail-if-cvd-older-than. When passed, it causes ClamD to exit on startup
  with a non-zero return code if the virus database is older than the specified
  number of days.

  • GitHub pull request: #867

• Added a new function cl_cvdgetage() to the libclamav API.
  This function will retrieve the age in seconds of the youngest file in a
  database directory, or the age of a single CVD (or CLD) file.

  • GitHub pull request: #867

• Added a new function cl_engine_set_clcb_vba() to the libclamav API.
  Use this function to set a cb_vba callback function.
  The cb_vba callback function will be run whenever VBA is extracted from
  office documents. The provided data will be a normalized copy of the
  extracted VBA.
  This callback was added to support Sigtool so that it can use the same VBA
  extraction logic that ClamAV uses to scan documents.

  • GitHub pull request: #852

Other improvements

• Removed the vendored TomsFastMath library in favor of using OpenSSL to
  perform "big number"/multiprecision math operations.
  Work courtesy of Sebastian Andrzej Siewior.

  • GitHub pull request: #840

• Build system: Added CMake option DO_NOT_SET_RPATH to avoid setting
  RPATH on Unix systems.
  Feature courtesy of Sebastian Andrzej Siewior.

  • GitHub pull request: #815

• Build system: Enabled version-scripts with CMake to limit symbol exports for
  libclamav, libfreshclam, libclamunrar_iface, and libclamunrar shared
  libraries on Unix systems, excluding macOS.
  Improvement courtesy of Orion Poplawski and Sebastian Andrzej Siewior.

  • GitHub pull request: #776

• Build system: Enabled users to pass in custom Rust compiler flags using the
  RUSTFLAGS CMake variable.
  Feature courtesy of Orion Poplawski.

  • GitHub pull request: #835

• Removed a hard-coded alert for CVE-2004-0597.
  The CVE is old enough that it is no longer a threat and the detection had
  occasional false-positives.

  • GitHub pull request: #855

• Set Git attributes to prevent Git from altering line endings for Rust
  vendored libraries. Third-party Rust libraries are bundled in the ClamAV
  release tarball. We do not commit them to our own Git repository, but
  community package maintainers may now store the tarball contents in Git.
  The Rust build system verifies the library manifest, and this change
  ensures that the hashes are correct.
  Improvement courtesy of Nicolas R.

  • GitHub pull request: #800

• Fixed compile time warnings.
  Improvement courtesy of Răzvan Cojocaru.

  • GitHub pull request: #795

• Added a minor optimization when matching domain name regex signatures for
  PDB, WDB and CDB type signatures.

  • GitHub pull request: #837

• Build system: Enabled the ability to select a specific Python version.
  When building, you may use the CMake option -D PYTHON_FIND_VER=<version>
  to choose a specific Python version.
  Feature courtesy of Matt Jolly.

  • GitHub pull request: #787

• Added improvements to the ClamOnAcc process log output so that it is
  easier to diagnose bugs.

  • GitHub pull request: #822

• Windows: Enabled the MSI installer to upgrade between feature versions more
  easily when ClamAV is installed to a location different from the default
  (i.e., not C:\Program Files\ClamAV). This means that the MSI installer can
  find a previous ClamAV 1.0.x installation to upgrade to ClamAV 1.1.0.

  • GitHub pull request: #872

• Sigtool: Added the ability to change the location of the temp directory
  using the --tempdir option and added the ability to retain the temp files
  created by Sigtool using the --leave-temps option.

  • GitHub pull request: #852

• Other minor improvements.

Bug fixes

• Fixed the broken ExcludePUA / --exclude-pua feature.
  Fix courtesy of Ged Haywood and Shawn Iverson.

  • GitHub pull request: #780

• Fixed an issue with integer endianness when parsing Windows executables on
  big-endian systems.
  Fix courtesy of Sebastian Andrzej Siewior.

  • GitHub pull request: #814

• Fixed a possible stack overflow read when parsing WDB signatures.
  This issue is not a vulnerability.

  • GitHub pull request: #807

• Fixed a possible index out of bounds when loading CRB signatures.
  This issue is not a vulnerability.

  • GitHub pull request: #810

• Fixed a possible use after free when reading logical signatures.
  This issue is not a vulnerability.

  • GitHub pull request: #811

• Fixed a possible heap overflow read when reading PDB signatures.
  This issue is not a vulnerability.

  • GitHub pull request: #812

• Fixed a possible heap overflow read in javascript normalizer module.
  This issue is not a vulnerability.

  • GitHub pull request: #868

• Fixed two bugs that would cause Freshclam to fail update when applying a
  CDIFF database patch if that patch adds a file to the database archive
  or removes a file from the database archive.
  This bug also caused Sigtool to fail to create such a patch.

  • GitHub pull request: #893

• Fixed an assortment of complaints identified by Coverity static analysis.

  • GitHub pull requests:
    • #891
    • #899

• Fixed one of the Freshclam tests that was failing on some Fedora systems
  due to a bug printing debug-level log messages to stdout.
  Fix courtesy of Arjen de Korte.

  • GitHub pull request: #881

• Correctly remove temporary files generated by the VBA and XLM extraction
  modules so that the files are not leaked in patched versions of ClamAV
  where temporary files are written directly to the temp-directory instead
  of writing to a unique subdirectory.

  • GitHub pull request: #894

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

• Arjen de Korte
• Craig Andrews
• Ged Haywood
• Matt Jolly
• Orion Poplawski
• Nicolas R.
• Răzvan Cojocaru
• Red
• Shawn Iverson
• Sebastian Andrzej Siewior
• The OSS-Fuzz project

ClamAV 1.1.0-rc

ClamAV 1.1.0 includes the following improvements and changes:

Major changes

• Added the ability to extract images embedded in HTML CSS <style> blocks.

  • GitHub pull request: #813

• Updated to Sigtool so that the --vba option will extract VBA code from
  Microsoft Office documents the same way that libclamav extracts VBA.
  This resolves several issues where Sigtool could not extract VBA.
  Sigtool will also now display the normalized VBA code instead of the
  pre-normalized VBA code.

  • GitHub pull request: #852

• Added a new ClamScan and ClamD option: --fail-if-cvd-older-than=days.
  Additionally, we introduce FailIfCvdOlderThan as a clamd.conf synonym for
  --fail-if-cvd-older-than. When passed, it causes ClamD to exit on startup
  with a non-zero return code if the virus database is older than the specified
  number of days.

  • GitHub pull request: #867

• Added a new function cl_cvdgetage() to the libclamav API.
  This function will retrieve the age in seconds of the youngest file in a
  database directory, or the age of a single CVD (or CLD) file.

  • GitHub pull request: #867

• Added a new function cl_engine_set_clcb_vba() to the libclamav API.
  Use this function to set a cb_vba callback function.
  The cb_vba callback function will be run whenever VBA is extracted from
  office documents. The provided data will be a normalized copy of the
  extracted VBA.
  This callback was added to support Sigtool so that it can use the same VBA
  extraction logic that ClamAV uses to scan documents.

  • GitHub pull request: #852

Other improvements

• Removed the vendored TomsFastMath library in favor of using OpenSSL to
  perform "big number"/multiprecision math operations.
  Work courtesy of Sebastian Andrzej Siewior.

  • GitHub pull request: #840

• Build system: Added CMake option DO_NOT_SET_RPATH to avoid setting
  RPATH on Unix systems.
  Feature courtesy of Sebastian Andrzej Siewior.

  • GitHub pull request: #815

• Build system: Enabled version-scripts with CMake to limit symbol exports for
  libclamav, libfreshclam, libclamunrar_iface, and libclamunrar shared
  libraries on Unix systems, excluding macOS.
  Improvement courtesy of Orion Poplawski and Sebastian Andrzej Siewior.

  • GitHub pull request: #776

• Build system: Enabled users to pass in custom Rust compiler flags using the
  RUSTFLAGS CMake variable.
  Feature courtesy of Orion Poplawski.

  • GitHub pull request: #835

• Removed a hard-coded alert for CVE-2004-0597.
  The CVE is old enough that it is no longer a threat and the detection had
  occasional false-positives.

  • GitHub pull request: #855

• Set Git attributes to prevent Git from altering line endings for Rust
  vendored libraries. Third-party Rust libraries are bundled in the ClamAV
  release tarball. We do not commit them to our own Git repository, but
  community package maintainers may now store the tarball contents in Git.
  The Rust build system verifies the library manifest, and this change
  ensures that the hashes are correct.
  Improvement courtesy of Nicolas R.

  • GitHub pull request: #800

• Fixed compile time warnings.
  Improvement courtesy of Răzvan Cojocaru.

  • GitHub pull request: #795

• Added a minor optimization when matching domain name regex signatures for
  PDB, WDB and CDB type signatures.

  • GitHub pull request: #837

• Build system: Enabled the ability to select a specific Python version.
  When building, you may use the CMake option -D PYTHON_FIND_VER=<version>
  to choose a specific Python version.
  Feature courtesy of Matt Jolly.

  • GitHub pull request: #787

• Added improvements to the ClamOnAcc process log output so that it is
  easier to diagnose bugs.

  • GitHub pull request: #822

• Windows: Enabled the MSI installer to upgrade between feature versions more
  easily when ClamAV is installed to a location different from the default
  (i.e., not C:\Program Files\ClamAV). This means that the MSI installer can
  find a previous ClamAV 1.0.x installation to upgrade to ClamAV 1.1.0.

  • GitHub pull request: #872

• Sigtool: Added the ability to change the location of the temp directory
  using the --tempdir option and added the ability to retain the temp files
  created by Sigtool using the --leave-temps option.

  • GitHub pull request: #852

• Other minor improvements.

Bug fixes

• Fixed the broken ExcludePUA / --exclude-pua feature.
  Fix courtesy of Ged Haywood and Shawn Iverson.

  • GitHub pull request: #780

• Fixed an issue with integer endianness when parsing Windows executables on
  big-endian systems.
  Fix courtesy of Sebastian Andrzej Siewior.

  • GitHub pull request: #814

• Fixed a possible stack overflow read when parsing WDB signatures.
  This issue is not a vulnerability.

  • GitHub pull request: #807

• Fixed a possible index out of bounds when loading CRB signatures.
  This issue is not a vulnerability.

  • GitHub pull request: #810

• Fixed a possible use after free when reading logical signatures.
  This issue is not a vulnerability.

  • GitHub pull request: #811

• Fixed a possible heap overflow read when reading PDB signatures.
  This issue is not a vulnerability.

  • GitHub pull request: #812

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

• Craig Andrews
• Ged Haywood
• Matt Jolly
• Orion Poplawski
• Nicolas R.
• Răzvan Cojocaru
• Red
• Shawn Iverson
• Sebastian Andrzej Siewior
• The OSS-Fuzz project

ClamAV 1.0.1

ClamAV 1.0.1 is a critical patch release with the following fixes:

• CVE-2023-20032:
  Fixed a possible remote code execution vulnerability in the HFS+ file parser.
  Issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and
  earlier.
  Thank you to Simon Scannell for reporting this issue.

• CVE-2023-20052:
  Fixed a possible remote information leak vulnerability in the DMG file parser.
  Issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and
  earlier.
  Thank you to Simon Scannell for reporting this issue.

• Fix allmatch detection issue with the preclass bytecode hook.

  • GitHub pull request: #825

• Update vendored libmspack library to version 0.11alpha.

  • GitHub pull request: #828

Special thanks to the following people for code contributions and bug reports:

• Simon Scannell

ClamAV 0.105.2

ClamAV 0.105.2 is a critical patch release with the following fixes:

• CVE-2023-20032:
  Fixed a possible remote code execution vulnerability in the HFS+ file parser.
  Issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and
  earlier.
  Thank you to Simon Scannell for reporting this issue.

• CVE-2023-20052:
  Fixed a possible remote information leak vulnerability in the DMG file parser.
  Issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and
  earlier.
  Thank you to Simon Scannell for reporting this issue.

• Fixed an issue loading Yara rules containing regex strings with an escaped
  forward-slash (\/) followed by a colon (:).

  • GitHub pull request: #695

• Moved the ClamAV Docker files for building containers to a new Git repository.
  The Docker files are now in https://github.com/Cisco-Talos/clamav-docker.
  This change enables us to fix issues with the images and with the supporting
  scripts used to publish and update the images without committing changes
  directly to files in the ClamAV release branches.

  • GitHub pull request: #765

• Update vendored libmspack library to version 0.11alpha.

  • GitHub pull request: #829

Special thanks to the following people for code contributions and bug reports:

• Simon Scannell

ClamAV 0.103.8

ClamAV 0.103.8 is a critical patch release with the following fixes:

• CVE-2023-20032:
  Fixed a possible remote code execution vulnerability in the HFS+ file parser.
  Issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and
  earlier.
  Thank you to Simon Scannell for reporting this issue.

• CVE-2023-20052:
  Fixed a possible remote information leak vulnerability in the DMG file parser.
  Issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and
  earlier.
  Thank you to Simon Scannell for reporting this issue.

• Update vendored libmspack library to version 0.11alpha.

  • GitHub pull request: #830

Special thanks to the following people for code contributions and bug reports:

• Simon Scannell

ClamAV 1.0.0

ClamAV 1.0.0 includes the following improvements and changes.

Major changes

• Support for decrypting read-only OLE2-based XLS files that are encrypted with
  the default password.
  Use of the default password will now appear in the metadata JSON.

  • GitHub pull request: #700

• Overhauled the implementation of the all-match feature. The newer code is more
  reliable and easier to maintain.

  • This project fixed several known issues with signature detection in all-
    match mode:
    • Enabled embedded file-type recognition signatures to match when a malware
      signature also matched in a scan of the same layer.
    • Enabled bytecode signatures to run in all-match mode after a match has
      occurred.
    • Fixed an assortment of all-match edge case issues.
  • Added multiple test cases to verify correct all-match behavior.
  • GitHub pull request: #687

• Added a new callback to the public API for inspecting file content during a
  scan at each layer of archive extraction.

  • The new callback function type is clcb_file_inspection defined in
    clamav.h.
  • The function cl_engine_set_clcb_file_inspection() may be used to enable
    the callback prior to performing a scan.
  • This new callback is to be considered unstable for the 1.0 release.
    We may alter this function in a subsequent feature version.
  • GitHub pull request: #170

• Added a new function to the public API for unpacking CVD signature archives.

  • The new function is cl_cvdunpack(). The last parameter for the function
    may be set to verify if a CVD's signature is valid before unpacking the CVD
    content to the destination directory.
  • GitHub pull request: #690

• The option to build with an external TomsFastMath library has been removed.
  ClamAV requires non-default build options for TomsFastMath to support bigger
  floating point numbers. Without this change, database and Windows EXE/DLL
  authenticode certificate validation may fail.
  The ENABLE_EXTERNAL_TOMSFASTMATH build is now ignored.

  • GitHub pull request: #742

• Moved the Dockerfile and supporting scripts from the main ClamAV repository
  over to a new repository: https://github.com/Cisco-Talos/clamav-docker

  The separate repository will make it easier to update the images and fix
  issues with images for released ClamAV versions.

  Any users building the ClamAV Docker image rather than pulling them from
  Docker Hub will have to get the latest Docker files from the new location.

  • GitHub pull request: #764

• Increased the SONAME major version for libclamav because of ABI changes
  between the 0.103 LTS release and the 1.0 LTS release.

  • GitHub pull request: #778

Other improvements

• Add checks to limit PDF object extraction recursion.

  • GitHub pull request: #629

• Increased the limit for memory allocations based on untrusted input and
  altered the warning message when the limit is exceeded so that it is more
  helpful and less dramatic.

  • GitHub pull request: #723

• Dramatically improved the build time of libclamav-Rust unit tests.
  The unit test build is included in the time limit for the test itself and was
  timing out on slower systems. The ClamAV Rust code modules now share the same
  build directory, which also reduces the amount of disk space used for the
  build.

  • GitHub pull request: #694

• For Windows: The debugging symbol (PDB) files are now installed alongside the
  DLL and LIB library files when built in "RelWithDebInfo" or "Debug" mode.

  • GitHub pull request: #669

• Relaxed the constraints on the check for overlapping ZIP file entries so as
  not to alert on slightly malformed, but non-malicious, Java (JAR) archives.

  • GitHub pull request: #561

• Increased the time limit in FreshClam before warning if the DNS entry is
  stale. In combination with changes to update the DNS entry more
  frequently, this should prevent false alarms of failures in the database
  publication system.

  • GitHub pull request: #597

• Docker: The C library header files are now included in the Docker image.
  Patch courtesy of GitHub user TerminalFi.

  • GitHub pull request: #693

• Show the BYTECODE_RUNTIME build options when using the ccmake GUI for CMake.
  Patch courtesy of Дилян Палаузов.

  • GitHub pull request: #678

• Added explicit minimum and maximum supported LLVM versions so that the build
  will fail if you try to build with a version that is too old or too new and
  will print a helpful message rather than simply failing to compile because of
  compatibility issues. Patch courtesy of Matt Jolly.

  • GitHub pull request: #692

• Fixed compiler warnings that may turn into errors in Clang 16.
  Patch courtesy of Michael Orlitzky.

  • GitHub pull request: #767

• Allow building with a custom RPATH so that the executables may be moved after
  build in a development environment to a final installation directory.

  • GitHub pull request: #768

Bug fixes

• Assorted code quality fixes. These are not security issues and will not be
  backported to prior feature versions:

  • Several heap buffer overflows while loading PDB and WDB databases were found
    by OSS-Fuzz and by Michał Dardas.

    • GitHub pull request: #530
    • Follow-up Optimization: #712

  • oss-fuzz 43843: heap buffer overflow read (1) cli_sigopts_handler

    • GitHub pull request: #560

  • oss-fuzz 44849: heap buffer overflow read (4) in HTML/js-norm

    • GitHub pull request: #503

  • oss-fuzz 43816: heap buffer overflow read (8) in cli_bcomp_freemeta

    • GitHub pull request: #583

  • oss-fuzz 43832: heap buffer overflow read (2) in cli_parse_add

    • GitHub pull request: #611

  • oss-fuzz 44493: integer overflow in cli_scannulsft

    • GitHub pull request: #554

  • CIFuzz leak detected in IDB parser

    • GitHub pull request: #547

  • oss-fuzz assorted signature parser leaks

    • GitHub pull requests:
      • #532
      • #533
      • #535

  • oss-fuzz 40601: leak detected in pdf_parseobj

    • GitHub pull request: #553

• Fixed a build failure when using LIBCLAMAV_ONLY mode with tests enabled.

  • GitHub pull request: #714

• Fixed an issue verifying EXE/DLL authenticode signatures to determine a given
  file can be trusted (skipped).

  • GitHub pull request: #727

• Fixed a caching bug relating to the Container and Intermediates logical
  signature condition.

  • GitHub pull request: #724

• Fixed a build issue when build with RAR disabled or when building with an
  external libmspack library rather than the bundled library.

  • GitHub pull request: #672

• Fixed the capitalization of the -W option for clamonacc in the clamonacc
  manpage. Patch courtesy of GitHub user monkz.

  • GitHub pull requests:
    • #709
    • #710

• macOS: Fixed an issue with memory-map (mmap) system call detection affecting
  versions 0.105 and 0.104. Memory maps may be used in ClamAV to improve
  signature load performance and scan performance, as well as RAM usage.

  • GitHub pull request: #705

• Fixed a performance issue with Rust code when the build type is not explicitly
  set to "Release" or "RelWithDebInfo". The Rust default build type is now
  "RelWithDebInfo" just like the C code, instead of Debug.
  This means it is now optimized by default.

  • GitHub pull request: #701

• Fixed an issue loading Yara rules containing regex strings with an escaped
  forward-slash (\/) followed by a colon (:).

  • GitHub pull request: #696

• Fixed an issue detecting and scanning ZIP file entries appended to very small
  files. The fix is part of the all-match feature overhaul.

• Fixed a detection issue with EXE/DLL import-address-table hash signatures that
  specify a wildcard (*) for the size field. The fix is part of the all-match
  feature overhaul.

• Fixed the default bytecode timeout value listed in the manpages and in the
  sample config files. Patches courtesy of Liam Jarvis and Ben Bodenmiller.

  • GitHub pull requests:
    • #631
    • #661

• Fixed an issue building the libclamav_rust test program when running ctest
  if building with `BYTEC...

ClamAV 1.0.0 Release Candidate 2

ClamAV 1.0.0 includes the following improvements and changes.

Major changes

• Support for decrypting read-only OLE2-based XLS files that are encrypted with
  the default "VelvetSweatshop" password.
  Use of the VelvetSweatshop password will now appear in the metadata JSON.

  • GitHub pull request: #700

• Overhauled the implementation of the all-match feature. The newer code is more
  reliable and easier to maintain.

  • This project fixed several known issues with signature detection in all-
    match mode:
    • Enabled embedded file-type-recognition-signatures to match when a malware
      signature also matched in a scan of the same layer.
    • Enabled bytecode signatures to run in all-match mode after a match has
      occurred.
    • Fixed an assortment of all-match edge case issues.
  • Added multiple test cases to verify correct all-match behavior.
  • GitHub pull request: #687

• Added a new callback to the public API for inspecting file content during a
  scan at each layer of archive extraction.

  • The new callback function type is clcb_file_inspection defined in
    clamav.h.
  • The function cl_engine_set_clcb_file_inspection() may be used to enable
    the callback prior to performing a scan.
  • This new callback is to be considered unstable for the 1.0 release.
    We may alter this function in a subsequent feature version.
  • GitHub pull request: #170

• Added a new function to the public API for unpacking CVD signature archives.

  • The new function is cl_cvdunpack(). The last parameter for the function
    may be set to verify if a CVD's signature is valid before unpacking the CVD
    content to the destination directory.
  • GitHub pull request: #690

• The option to build with an external TomsFastMath library has been removed.
  ClamAV requires non-default build options for TomsFastMath to support bigger
  floating point numbers. Without this change, database and Windows EXE/DLL
  authenticode certificate validation may fail.
  The ENABLE_EXTERNAL_TOMSFASTMATH build is now ignored.

  • GitHub pull request: #742

Other improvements

• Add checks to limit PDF object extraction recursion.

  • GitHub pull request: #629

• Increased the limit for memory allocations based on untrusted input and
  altered the warning message when the limit is exceeded so that it is more
  helpful and less dramatic.

  • GitHub pull request: #723

• Dramatically improved the build time of libclamav-Rust unit tests.
  The unit test build is included in the time limit for the test itself and was
  timing out on slower systems. The ClamAV Rust code modules now share the same
  build directory, which also reduces the amount of disk space used for the
  build.

  • GitHub pull request: #694

• Windows: The debugging symbol (PDB) files are now installed alongside the DLL

• and LIB library files when built in "RelWithDebInfo" or "Debug" mode.

  • GitHub pull request: #669

• Relaxed the constraints on the check for overlapping ZIP file entries so as
  not to alert on slightly malformed, but non-malicious, Java (JAR) archives.

  • Talos escalations issues:
  • GitHub pull request: #561

• Increased the time limit in FreshClam before warning if the DNS entry is
  stale. In combination with changes to update the DNS entry more
  frequently, this should prevent false alarms of failures in the database
  publication system.

  • GitHub pull request: #597

• Docker: The C library header files are now included in the Docker image.
  Patch courtesy of GitHub user TerminalFi.

  • GitHub pull request: #693

• Show the BYTECODE_RUNTIME build options when using the ccmake GUI for CMake.
  Patch courtesy of Дилян Палаузов.

  • GitHub pull request: #678

• Added explicit minimum and maximum supported LLVM versions so that the build
  will fail if you try to build with the version that is too old or too new and
  will print a helpful message rather than simply failing to compile because of
  compatibility issues. Patch courtesy of Matt Jolly.

  • GitHub pull request: #692

Bug fixes

• Assorted code quality fixes. These are not security issues and will not be
  backported to prior feature versions:

  • Several heap buffer overflows while loading PDB and WDB databases were found
    by OSS-Fuzz and by Michał Dardas.

    • GitHub pull request: #530
    • Follow-up Optimization: #712

  • oss-fuzz 43843: heap buffer overflow read (1) cli_sigopts_handler

    • GitHub pull request: #560

  • oss-fuzz 44849: heap buffer overflow read (4) in HTML/js-norm

    • GitHub pull request: #503

  • oss-fuzz 43816: heap buffer overflow read (8) in cli_bcomp_freemeta

    • GitHub pull request: #583

  • oss-fuzz 43832: heap buffer overflow read (2) in cli_parse_add

    • GitHub pull request: #611

  • oss-fuzz 44493: integer overflow in cli_scannulsft

    • GitHub pull request: #554

  • CIFuzz leak detected in IDB parser

    • GitHub pull request: #547

  • oss-fuzz assorted signature parser leaks

    • GitHub pull requests:
      • #532
      • #533
      • #535

  • oss-fuzz 40601: leak detected in pdf_parseobj

    • GitHub pull request: #553

• Fixed a build failure when using LIBCLAMAV_ONLY mode with tests enabled.

  • GitHub pull request: #714

• Fixed an issue verifying EXE/DLL authenticode signatures to determine a given
  file can be trusted (skipped).

  • GitHub pull request: #727

• Fixed a caching bug relating to the Container and Intermediates logical
  signature condition.

  • GitHub pull request: #724

• Fixed a build issues when build with RAR disabled or when building with an
  external libmspack library rather than the vendored library.

  • GitHub pull request: #672

• Fixed the capitalization of the -W option for clamonacc in the clamonacc
  manpage. Patch courtesy of GitHub user monkz.

  • GitHub pull requests:
    • #709
    • #710

• macOS: Fixed an issue with memory-map (mmap) system call detection affecting
  versions 0.105 and 0.104. Memory maps may be used in ClamAV to improve
  signature load performance, scan performance, and RAM usage.

  • GitHub pull request: #705

• Fixed a performance issue with Rust code when the build type is not explicitly
  set to "Release" or "RelWithDebInfo". The Rust default build type is now
  "RelWithDebInfo" just like the C code, instead of Debug.
  This means it is now optimized by default.

  • GitHub pull request: #701

• Fixed an issue loading Yara rules containing regex strings with an escaped
  forward-slash (\/) followed by a colon (:).

  • GitHub pull request: #696

• Fixed an issue detecting and scanning ZIP file entries appended to very small
  files. The fix is part of the all-match feature overhaul.

• Fixed a detection issue with EXE/DLL import-address-table hash signatures that
  specify a wildcard (*) for the size field. The fix is part of the all-match
  feature overhaul.

• Fixed the default bytecode timeout value listed in the manpages and in the
  sample config files. Patches courtesy of Liam Jarvis and Ben Bodenmiller.

  • GitHub pull requests:
    • #631
    • #661

• Fixed an issue building the libclamav_rust test program when running ctest
  if building with BYTECODE_RUNTIME=llvm and when the FindLLVM.cmake module
  is used to find the LLVM libraries. Patch courtesy of GitHub user teoberi.

  • GitHub pull request: #572

• Fixed an issue where scans sent to clamd with the all-match mode enabled
  caused all subsequent scans to also use all-match mode.

  • GitHub pull request: #741

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

• Ben Bodenmiller
• Дилян Палаузов
• Liam Jarvis
• Matt Jolly
• monkz
• teoberi
• TerminalFi

ClamAV 1.0.0 Release Candidate

ClamAV 1.0.0 includes the following improvements and changes.

Major changes

• Support for decrypting read-only OLE2-based XLS files that are encrypted with
  the default "VelvetSweatshop" password.
  Use of the VelvetSweatshop password will now appear in the metadata JSON.

  • GitHub pull request: #700

• Overhauled the implementation of the all-match feature. The newer code is more
  reliable and easier to maintain.

  • This project fixed several known issues with signature detection in all-
    match mode:
    • Enabled embedded file-type-recognition-signatures to match when a malware
      signature also matched in a scan of the same layer.
    • Enabled bytecode signatures to run in all-match mode after a match has
      occurred.
    • Fixed an assortment of all-match edge case issues:
  • Added multiple test cases to verify correct all-match behavior.
  • GitHub pull request: #687

• Added a new callback to the public API for inspecting file content during a
  scan at each layer of archive extraction.

  • The new callback function type is clcb_file_inspection defined in
    clamav.h.
  • The function cl_engine_set_clcb_file_inspection() may be used to enable
    the callback prior to performing a scan.
  • This new callback is to be considered unstable for the 1.0 release.
    We may alter this function in a subsequent feature version.
  • GitHub pull request: #170

• Added a new function to the public API for unpacking CVD signature archives.

  • The new function is cl_cvdunpack(). The last parameter for the function
    may be set to verify if a CVD's signature is valid before unpacking the CVD
    content to the destination directory.
  • GitHub pull request: #690

Other improvements

• Add checks to limit PDF object extraction recursion.

  • GitHub pull request: #629

• Increased the limit for memory allocations based on untrusted input and
  altered the warning message when the limit is exceeded so that it is more
  helpful and less dramatic.

  • GitHub pull request: #723

• Dramatically improved the build time of libclamav-Rust unit tests.
  The unit test build is included in the time limit for the test itself and was
  timing out on slower systems. The ClamAV Rust code modules now share the same
  build directory, which also reduces the amount of disk space used for the
  build.

  • GitHub pull request: #694

• Windows: The debugging symbol (PDB) files are now installed alongside the DLL

• and LIB library files when built in "RelWithDebInfo" or "Debug" mode.

  • GitHub pull request: #669

• Relaxed the constraints on the check for overlapping ZIP file entries so as
  not to alert on slightly malformed, but non-malicious, Java (JAR) archives.

  • Talos escalations issues:
  • GitHub pull request: #561

• Increased the time limit in FreshClam before warning if the DNS entry is
  stale. In combination with changes to update the DNS entry more
  frequently, this should prevent false alarms of failures in the database
  publication system.

  • GitHub pull request: #597

• Docker: The C library header files are now included in the Docker image.
  Patch courtesy of GitHub user TerminalFi.

  • GitHub pull request: #693

• Show the BYTECODE_RUNTIME build options when using the ccmake GUI for CMake.
  Patch courtesy of Дилян Палаузов.

  • GitHub pull request: #678

• Added explicit minimum and maximum supported LLVM versions so that the build
  will fail if you try to build with the version that is too old or too new and
  will print a helpful message rather than simply failing to compile because of
  compatibility issues. Patch courtesy of Matt Jolly.

  • GitHub pull request: #692

Bug fixes

• Assorted code quality fixes. These are not security issues and will not be
  backported to prior feature versions:

  • Several heap buffer overflows while loading PDB and WDB databases were found
    by OSS-Fuzz and by Michał Dardas.

    • GitHub pull request: #530
    • Follow-up Optimization: #712

  • oss-fuzz 43843: heap buffer overflow read (1) cli_sigopts_handler

    • GitHub pull request: #560

  • oss-fuzz 44849: heap buffer overflow read (4) in HTML/js-norm

    • GitHub pull request: #503

  • oss-fuzz 43816: heap buffer overflow read (8) in cli_bcomp_freemeta

    • GitHub pull request: #583

  • oss-fuzz 43832: heap buffer overflow read (2) in cli_parse_add

    • GitHub pull request: #611

  • oss-fuzz 44493: integer overflow in cli_scannulsft

    • GitHub pull request: #554

  • CIFuzz leak detected in IDB parser

    • GitHub pull request: #547

  • oss-fuzz assorted signature parser leaks

    • GitHub pull requests:
      • #532
      • #533
      • #535

  • oss-fuzz 40601: leak detected in pdf_parseobj

    • GitHub pull request: #553

• Fixed a build failure when using LIBCLAMAV_ONLY mode with tests enabled.

  • GitHub pull request: #714

• Fixed an issue verifying EXE/DLL authenticode signatures to determine a given
  file can be trusted (skipped).

  • GitHub pull request: #727

• Fixed a caching bug relating to the Container and Intermediates logical
  signature condition.

  • GitHub pull request: #724

• Fixed a build issues when build with RAR disabled or when building with an
  external libmspack library rather than the vendored library.

  • GitHub pull request: #672

• Fixed the capitalization of the -W option for clamonacc in the clamonacc
  manpage. Patch courtesy of GitHub user monkz.

  • GitHub pull requests:
    • #709
    • #710

• macOS: Fixed an issue with memory-map (mmap) system call detection affecting
  versions 0.105 and 0.104. Memory maps may be used in ClamAV to improve
  signature load performance, scan performance, and RAM usage.

  • GitHub pull request: #705

• Fixed a performance issue with Rust code when the build type is not explicitly
  set to "Release" or "RelWithDebInfo". The Rust default build type is now
  "RelWithDebInfo" just like the C code, instead of Debug.
  This means it is now optimized by default.

  • GitHub pull request: #701

• Fixed an issue loading Yara rules containing regex strings with an escaped
  forward-slash (\/) followed by a colon (:).

  • GitHub pull request: #696

• Fixed an issue detecting and scanning ZIP file entries appended to very small
  files. The fix is part of the all-match feature overhaul.

• Fixed a detection issue with EXE/DLL import-address-table hash signatures that
  specify a wildcard (*) for the size field. The fix is part of the all-match
  feature overhaul.

• Fix the default bytecode timeout value listed in the manpages and in the
  sample config files. Patches courtesy of Liam Jarvis and Ben Bodenmiller.

  • GitHub pull requests:
    • #631
    • #661

• Fix issue building the libclamav_rust test program when running ctest if
  building with BYTECODE_RUNTIME=llvm and when the FindLLVM.cmake module is
  used to find the LLVM libraries. Patch courtesy of GitHub user teoberi.

  • GitHub pull request: #572

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

• Ben Bodenmiller
• Дилян Палаузов
• Liam Jarvis
• Matt Jolly
• monkz
• teoberi
• TerminalFi