Tuesday, May 12, 2020

ClamAV 0.102.3 security patch released

Today, we're publishing ClamAV, version 0.102.3. Navigate to ClamAV's downloads page to download the release materials.

ClamAV 0.102.3

ClamAV 0.102.3 is a bug patch release to address the following issues.
  • CVE-2020-3327: Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.2 that could cause a denial-of-service condition. Improper bounds checking of an unsigned variable results in an out-of-bounds read which causes a crash. Special thanks to Daehui Chang and Fady Othman for helping identify the ARJ parsing vulnerability.
  • CVE-2020-3341: Fixed a vulnerability in the PDF-parsing module in ClamAV 0.101 - 0.102.2 that could cause a denial-of-service condition. Improper size checking of a buffer used to initialize AES decryption routines results in an out-of-bounds read, which may cause a crash. OSS-Fuzz discovered this vulnerability.
  • Fixed "Attempt to allocate 0 bytes" error when parsing some PDF documents.
  • Fixed a couple of minor memory leaks.
  • Updated libclamunrar to UnRAR 5.9.2.
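
The first two items describe the same bug class: a length or offset held in an unsigned variable is checked in a way that can wrap, so a corrupt value passes the check and the parser reads past its buffer. The C below is an added example, not ClamAV's ARJ or PDF code: it uses a constructed record format and hypothetical function names, shows the flawed "remaining bytes" arithmetic, and walks the stream with checks that cannot wrap.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed record format for illustration only (not ClamAV's ARJ or
 * PDF layout): each record is a 4-byte little-endian total length, header
 * included, followed by its payload; records are packed back to back. */
#define REC_HDR 4u

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The flawed pattern: "bytes left" computed by unsigned subtraction after
 * pos may already have run past size. The result wraps to a huge value,
 * so a later "len <= remaining" test passes and the read goes out of
 * bounds. This helper only reports the wrapped value; it reads nothing. */
size_t naive_remaining(size_t size, size_t pos) {
    return size - pos;                          /* wraps when pos > size */
}

/* Hardened walk: pos never exceeds size, and every length is validated
 * against the bytes actually remaining before it is used to advance.
 * Returns 0 on success with *count set, -1 on a malformed stream. */
int count_records(const uint8_t *buf, size_t size, size_t *count) {
    size_t pos = 0;
    *count = 0;
    while (pos < size) {
        if (size - pos < REC_HDR)               /* safe: pos < size here */
            return -1;                          /* truncated header */
        uint32_t len = rd_le32(buf + pos);
        if (len < REC_HDR || len > size - pos)  /* too short, or overruns */
            return -1;                          /* also stops a zero-length loop */
        pos += len;                             /* cannot overshoot size */
        (*count)++;
    }
    return 0;
}

/* Constructed inputs: a well-formed pair of records, a record claiming
 * about 4 GiB, and a record shorter than its own header. */
static const uint8_t SAMPLE_OK[12]   = {8,0,0,0, 'a','b','c','d', 4,0,0,0};
static const uint8_t SAMPLE_HUGE[8]  = {0xF0,0xFF,0xFF,0xFF, 1,2,3,4};
static const uint8_t SAMPLE_SHORT[4] = {2,0,0,0};

size_t records_in_ok(void)   { size_t n; return count_records(SAMPLE_OK,    sizeof SAMPLE_OK,    &n) == 0 ? n : (size_t)-1; }
int    status_of_huge(void)  { size_t n; return count_records(SAMPLE_HUGE,  sizeof SAMPLE_HUGE,  &n); }
int    status_of_short(void) { size_t n; return count_records(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &n); }
```

The hardened loop rejects both samples with bad lengths before any read depends on them, whereas the naive subtraction silently yields a near-SIZE_MAX "remaining" count once the position has overshot.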
Please join us on the ClamAV mailing lists, on irc.freenode.net in #clamav, or on Discord for further discussion. Thanks!