Monday, October 31, 2022

New packages for ClamAV 0.103.7, 0.104.4, 0.105.1 to resolve CVEs

Today we are publishing updated packages for ClamAV 0.103.7, 0.104.4, and 0.105.1.

Why we updated the installer packages

The ClamAV RPM, DEB, PKG, MSI and ZIP installer packages come with all library dependencies bundled, so a vulnerability in one of those libraries is only fixed for package users once we rebuild and republish the packages. The updated installer packages resolve the following CVEs:

  • CVE-2022-37434 - A critical severity vulnerability in the zlib library: a heap-based buffer overflow (or over-read) in inflate() triggered by a large gzip header extra field, fixed in zlib 1.2.13.
  • CVE-2022-40303 - A high severity vulnerability in the libxml2 library, fixed in libxml2 2.10.3. Note: As of writing, the details of this CVE are not published. However, you can find additional details on other sites.
  • CVE-2022-40304 - A high severity vulnerability in the libxml2 library, also fixed in libxml2 2.10.3. The same note applies: the details are not yet published as of writing.

Why we updated the 0.105.1 source package

Starting with ClamAV 0.105, parts of ClamAV are written in Rust and depend on Rust libraries (crates). To make it possible for our users to build ClamAV offline, the source package bundles (vendors) those Rust dependencies, which means a fix in one of them also requires a new source package.

No CVEs have been assigned for the Rust libraries bundled in the original 0.105.1 package. However, the versions of the JPEG and TIFF image processing libraries bundled in the original 0.105.1 source package contain several critical bugs. The known issues were resolved in image-tiff version 0.7.4 and jpeg-decoder version 0.3.0. The clamav-0.105.1-2.tar.gz source package includes the updated libraries.

Linux/Unix package maintainers are encouraged to publish new revisions of their own packages for ClamAV 0.105.1 to get these fixes. Anyone who built ClamAV from the original clamav-0.105.1.tar.gz source package is encouraged to rebuild and reinstall from the newer source package.
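If you are not sure which revision of the 0.105.1 source tree a build came from, the bundled crate versions are the quickest tell. The script below is an added example (not ClamAV project tooling): it parses the [[package]] tables of a Cargo.lock and reports any image-tiff or jpeg-decoder entry below the 0.7.4 / 0.3.0 versions named above. It assumes the lock file sits at the top of the unpacked source tree (adjust the path if yours differs); the embedded sample lock file, including the older crate versions it lists, is constructed for illustration and is not copied from the real package.

```python
"""Check a Cargo.lock for the crate versions fixed in clamav-0.105.1-2.

Added example for this post, not part of the ClamAV project.
"""
import re
import sys
from pathlib import Path

# Minimum crate versions named in the advisory text:
# image-tiff 0.7.4 and jpeg-decoder 0.3.0.
REQUIRED = {
    "image-tiff": (0, 7, 4),
    "jpeg-decoder": (0, 3, 0),
}

# Constructed sample of the relevant [[package]] entries in a Cargo.lock.
# The older versions (0.7.3 / 0.2.6) are an assumption for illustration,
# not values taken from the original clamav-0.105.1.tar.gz.
SAMPLE_OLD_LOCK = """\
version = 3

[[package]]
name = "image"
version = "0.24.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "image-tiff"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "jpeg-decoder"
version = "0.2.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""


def parse_version(text: str) -> tuple:
    """'0.7.4' -> (0, 7, 4). Only the numeric core is compared; a
    pre-release suffix such as '-beta.1' is ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised crate version: {text!r}")
    return tuple(int(part) for part in match.groups())


def parse_lock(text: str) -> dict:
    """Return {crate name: [versions]} from the [[package]] tables.

    A crate can appear more than once when two versions of it are in the
    dependency graph, so every version is kept."""
    found = {}
    # Everything before the first [[package]] header (e.g. "version = 3")
    # is lock-file metadata, not a crate, so it is dropped.
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        name = re.search(r'^name\s*=\s*"([^"]+)"', block, re.M)
        version = re.search(r'^version\s*=\s*"([^"]+)"', block, re.M)
        if name and version:
            found.setdefault(name.group(1), []).append(version.group(1))
    return found


def outdated_crates(lock_text: str) -> dict:
    """Map each advisory crate to the versions still below the fixed release.

    An empty dict means the lock file already carries the 0.105.1-2
    versions. A crate that is absent altogether is not flagged here, since
    the lock file may belong to something that does not use it; the caller
    should confirm it is looking at ClamAV's own Cargo.lock."""
    versions = parse_lock(lock_text)
    problems = {}
    for crate, minimum in REQUIRED.items():
        old = [v for v in versions.get(crate, []) if parse_version(v) < minimum]
        if old:
            problems[crate] = old
    return problems


def main(argv: list) -> int:
    """Usage: check_cargo_lock.py [path/to/Cargo.lock]

    With no argument the constructed sample is checked. Exit status 1 means
    at least one affected crate version was found."""
    lock_text = Path(argv[1]).read_text() if len(argv) > 1 else SAMPLE_OLD_LOCK
    problems = outdated_crates(lock_text)
    if not problems:
        print("OK: image-tiff and jpeg-decoder are at or above the fixed versions")
        return 0
    for crate, old in problems.items():
        wanted = ".".join(str(n) for n in REQUIRED[crate])
        print(f"OUTDATED: {crate} {', '.join(old)} (need >= {wanted})")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point it at the Cargo.lock of the tree you actually built from, not the one in a fresh download: the script answers "what did I compile", so it is only meaningful against the sources that produced the installed binaries.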


Where to find the updated packages

The new packages have a -2 suffix to indicate the package revision. For example, clamav-0.105.1-2.macos.universal.pkg is the updated package replacing clamav-0.105.1.macos.universal.pkg. The ClamAV version number itself is unchanged; only the package revision differs, so check the package file name rather than the reported ClamAV version to tell the two apart.

As always, you can get the updated packages from the ClamAV.net Downloads page. The original packages have been hidden on the web page and replaced by the updated packages. If you need the originals, the URLs to download them still work.


What about the Docker images

The official ClamAV Docker image has been updated to patch the zlib and libxml2 vulnerabilities. The following tags have been updated to point to the new images:

  • clamav/clamav:latest
  • clamav/clamav:latest_base
  • clamav/clamav:stable
  • clamav/clamav:stable_base
  • clamav/clamav:0.105
  • clamav/clamav:0.105_base
  • clamav/clamav:0.105.1
  • clamav/clamav:0.105.1_base

Image tags are mutable, so docker run with a tag you already have cached will keep using the old image. Be sure to use docker pull to fetch the updated image (or pass --pull=always to docker run), then recreate any containers started from it. For example:

docker pull clamav/clamav:0.105_base

Afterwards, docker image inspect --format '{{index .RepoDigests 0}}' clamav/clamav:0.105_base shows the digest of the image you now have, which you can compare against the digest listed for that tag on Docker Hub.