Upgrade clamav to 1.0.9 to address CVE-2025-20260 [CRITICAL] #14089

Merged


kgodara912
Contributor

@kgodara912 kgodara912 commented Jun 24, 2025

Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

Upgrade clamav to 1.0.9 to address CVE-2025-20260

Change Log
Does this affect the toolchain?

NO

Associated issues
  • #xxxx
Links to CVEs
Test Methodology

@microsoft-github-policy-service microsoft-github-policy-service bot added Packaging fasttrack/2.0 PRs Destined for Azure Linux 2.0 labels Jun 24, 2025
@kgodara912 kgodara912 marked this pull request as ready for review June 24, 2025 10:56
@kgodara912 kgodara912 requested a review from a team as a code owner June 24, 2025 10:56
@Kanishk-Bansal Kanishk-Bansal added the CVEFixReadyForMaintainerReview When a CVE fix has been reviewed by release manager and is ready for stable maintainer review label Jun 24, 2025
@@ -11,7 +11,7 @@ Source0: https://github.com/Cisco-Talos/clamav/archive/refs/tags/%{name}-
# Note: the %%{name}-%%{name}-%%{version}-cargo.tar.gz file contains a cache created by capturing the contents downloaded into $CARGO_HOME.
# To update the cache run:
# [repo_root]/toolkit/scripts/build_cargo_cache.sh %%{name}-%%{version}.tar.gz %%{name}-%%{name}-%%{version}
Source1: %{name}-%{version}-cargo.tar.gz
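Review bot: the rebuild comment names the cache file `%%{name}-%%{name}-%%{version}-cargo.tar.gz` while Source1 is declared as `%{name}-%{version}-cargo.tar.gz` (a single `%{name}` component), so a maintainer following the comment would produce a file the spec does not look for; reconcile the two, for example by quoting the Source1 name literally in the comment. Because the Source1 name embeds `%{version}`, the bump to 1.0.9 also renames the cargo cache tarball, so a regenerated tarball and a matching hash in the *.signatures.json file (per the checklist above) belong to this change.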

Cargo file needs to be updated as a part of upgrades

As a part of the upgrade, a new tarball should be created for the closest version and updated. This would reduce nuances in the future. Also, the new version has an additional entry "clamav_rust-0.0.1.crate".

@aaruag aaruag left a comment

see about Cargo file update

@kgodara912
Contributor Author

@aaruag, I did see the notes to upgrade -cargo.tar.gz, but I didn't find any difference between the crate requirements of the 1.0.7 and 1.0.9 versions of clamav, hence I didn't create an additional tarball. If there was an issue, it would have been caught in compilation, as crate versions are required for compilation. For completeness, here are the lists of crates which I got from the cargo registry for the older version tarball and the new version source download.

The crates from the vendor tarball registry:

And these are the crates from the upstream 1.0.9 cargo.lock file, for version 1.0.9:

All the names and versions are the same except for a new dependency, clamav_rust; if it were a true requirement, the compilation would have failed. Let me know if you still want the next version number for cargo.tar.gz.
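As an added example (not code from this PR or from the Azure Linux toolkit), here is the comparison the author did by hand, scripted: the crate files present in a vendored cargo cache against the packages a Cargo.lock references, split into registry crates that must be in the cache and path/workspace packages that never are. The Cargo.lock excerpt and the cache listing are constructed, and modelling clamav_rust as a path package with no `source` key is an assumption about the upstream lock file, not something the thread states.

```python
import re

# Constructed Cargo.lock excerpt, standing in for the upstream 1.0.9 lock file.
# clamav_rust is modelled as a workspace/path package (no "source" key); that is
# an assumption about upstream, not a fact taken from the PR thread.
CARGO_LOCK = """\
version = 3

[[package]]
name = "adler"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "bumpalo"
version = "3.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "cc"
version = "1.0.83"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "clamav_rust"
version = "0.0.1"
"""

# Constructed listing of the registry cache inside the older vendor tarball.
VENDOR_CRATES = ["adler-1.0.2.crate", "bumpalo-3.11.0.crate"]


def parse_cargo_lock(text):
    """Map 'name-version.crate' -> source URL (None for path/workspace packages)."""
    entries = {}
    for block in text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(name|version|source)\s*=\s*"([^"]*)"', block, re.M))
        if "name" in fields and "version" in fields:
            entries[f"{fields['name']}-{fields['version']}.crate"] = fields.get("source")
    return entries


def compare_cache(lock_text, vendor_files):
    """Report what a rebuilt cargo cache would need relative to the current one."""
    lock = parse_cargo_lock(lock_text)
    registry = {k for k, src in lock.items() if src and src.startswith("registry+")}
    local = {k for k, src in lock.items() if src is None}
    vendored = set(vendor_files)
    return {
        "missing_from_cache": sorted(registry - vendored),  # offline build would fail here
        "stale_in_cache": sorted(vendored - registry),      # no longer referenced by the lock
        "local_only": sorted(local),                        # never downloaded, absence is expected
    }
```

A lock entry without a `source` is built from the source tree rather than fetched into $CARGO_HOME, which is why a package can be new in Cargo.lock yet absent from the cache without breaking an offline build.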

@kgodara912
Contributor Author

Buddy build after the version upgrade of the vendor tarball.

@kgodara912 kgodara912 requested a review from aaruag June 26, 2025 12:54
Contributor

@sameluch sameluch left a comment

Looks Good!

@jslobodzian jslobodzian merged commit f523c2a into fasttrack/2.0 Jun 26, 2025
27 checks passed
@jslobodzian jslobodzian deleted the kgodara/fasttrace/2.0/clamav/CVE-2025-20260 branch June 26, 2025 18:36
CBL-Mariner-Bot pushed a commit that referenced this pull request Jun 26, 2025
Co-authored-by: Kshitiz Godara <kgodara@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>
(cherry picked from commit f523c2a)