Wednesday, September 4, 2024

ClamAV 1.4.1, 1.3.2, 1.0.7, and 0.103.12 security patch versions published

Today, we are publishing the 1.4.1, 1.3.2, 1.0.7, and 0.103.12 security patch versions.

The release files for the patch versions are available for download on the ClamAV downloads page, on the GitHub Release page, and (with exception to 0.103.12) through Docker Hub.

The images on Docker Hub may not be immediately available on release day.

Continue reading to learn what changed in each version.

1.4.1

ClamAV 1.4.1 is a critical patch release with the following fixes:

  • CVE-2024-20506: Changed the logging module to disable following symlinks on Linux and Unix systems so as to prevent an attacker with existing access to the 'clamd' or 'freshclam' services from using a symlink to corrupt system files.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to Detlef for identifying this issue.

  • CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF file parser that could cause a denial-of-service (DoS) condition.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to OSS-Fuzz for identifying this issue.

  • Removed unused Python modules from freshclam tests including deprecated 'cgi' module that is expected to cause test failures in Python 3.13.


1.3.2

ClamAV 1.3.2 is a patch release with the following fixes:

  • CVE-2024-20506: Changed the logging module to disable following symlinks on Linux and Unix systems so as to prevent an attacker with existing access to the 'clamd' or 'freshclam' services from using a symlink to corrupt system files.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to Detlef for identifying this issue.

  • CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF file parser that could cause a denial-of-service condition.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to OSS-Fuzz for identifying this issue.

  • Removed unused Python modules from freshclam tests including deprecated 'cgi' module that is expected to cause test failures in Python 3.13.

  • Fix unit test caused by expiring signing certificate.

  • Fixed a build issue on Windows with newer versions of Rust. Also upgraded GitHub Actions imports to fix CI failures. Fixes courtesy of liushuyu.

  • Fixed an unaligned pointer dereference issue on select architectures. Fix courtesy of Sebastian Andrzej Siewior.

  • Fixes to Jenkins CI pipeline.

For details, see GitHub pull request


1.0.7

ClamAV 1.0.7 is a patch release with the following fixes:

  • CVE-2024-20506: Changed the logging module to disable following symlinks on Linux and Unix systems so as to prevent an attacker with existing access to the 'clamd' or 'freshclam' services from using a symlink to corrupt system files.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to Detlef for identifying this issue.

  • CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF file parser that could cause a denial-of-service (DoS) condition.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to OSS-Fuzz for identifying this issue.

  • Removed unused Python modules from freshclam tests including deprecated 'cgi' module that is expected to cause test failures in Python 3.13.

  • Fix unit test caused by expiring signing certificate.

  • Fixed a build issue on Windows with newer versions of Rust. Also upgraded GitHub Actions imports to fix CI failures. Fixes courtesy of liushuyu.

  • Fixed an unaligned pointer dereference issue on select architectures. Fix courtesy of Sebastian Andrzej Siewior.

  • Fixes to Jenkins CI pipeline.

For details, see GitHub pull request


0.103.12

ClamAV 0.103.12 is a patch release with the following fixes:

  • CVE-2024-20506: Changed the logging module to disable following symlinks on Linux and Unix systems so as to prevent an attacker with existing access to the 'clamd' or 'freshclam' services from using a symlink to corrupt system files.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to Detlef for identifying this issue.

  • CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF file parser that could cause a denial-of-service condition.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to OSS-Fuzz for identifying this issue.

  • ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.

  • Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam config option to be pruned and then re-downloaded with every update. Also added the new 'valhalla' database name to the list of optional databases in preparation for future work.

  • Fixed an unaligned pointer dereference issue on select architectures. Fix courtesy of Sebastian Andrzej Siewior.