Wednesday, September 4, 2024

ClamAV 1.4.1, 1.3.2, 1.0.7, and 0.103.12 security patch versions published

Today, we are publishing the 1.4.1, 1.3.2, 1.0.7, and 0.103.12 security patch versions.

The release files for the patch versions are available for download on the ClamAV downloads page, on the GitHub Release page, and (with exception to 0.103.12) through Docker Hub.

The images on Docker Hub may not be immediately available on release day.

Continue reading to learn what changed in each version.

1.4.1

ClamAV 1.4.1 is a critical patch release with the following fixes:

  • CVE-2024-20506: Changed the logging module to disable following symlinks on Linux and Unix systems so as to prevent an attacker with existing access to the 'clamd' or 'freshclam' services from using a symlink to corrupt system files.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to Detlef for identifying this issue.

  • CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF file parser that could cause a denial-of-service (DoS) condition.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to OSS-Fuzz for identifying this issue.

  • Removed unused Python modules from freshclam tests including deprecated 'cgi' module that is expected to cause test failures in Python 3.13.


1.3.2

ClamAV 1.3.2 is a patch release with the following fixes:

  • CVE-2024-20506: Changed the logging module to disable following symlinks on Linux and Unix systems so as to prevent an attacker with existing access to the 'clamd' or 'freshclam' services from using a symlink to corrupt system files.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to Detlef for identifying this issue.

  • CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF file parser that could cause a denial-of-service condition.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to OSS-Fuzz for identifying this issue.

  • Removed unused Python modules from freshclam tests including deprecated 'cgi' module that is expected to cause test failures in Python 3.13.

  • Fix unit test caused by expiring signing certificate.

  • Fixed a build issue on Windows with newer versions of Rust. Also upgraded GitHub Actions imports to fix CI failures. Fixes courtesy of liushuyu.

  • Fixed an unaligned pointer dereference issue on select architectures. Fix courtesy of Sebastian Andrzej Siewior.

  • Fixes to Jenkins CI pipeline.

For details, see GitHub pull request


1.0.7

ClamAV 1.0.7 is a patch release with the following fixes:

  • CVE-2024-20506: Changed the logging module to disable following symlinks on Linux and Unix systems so as to prevent an attacker with existing access to the 'clamd' or 'freshclam' services from using a symlink to corrupt system files.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to Detlef for identifying this issue.

  • CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF file parser that could cause a denial-of-service (DoS) condition.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to OSS-Fuzz for identifying this issue.

  • Removed unused Python modules from freshclam tests including deprecated 'cgi' module that is expected to cause test failures in Python 3.13.

  • Fix unit test caused by expiring signing certificate.

  • Fixed a build issue on Windows with newer versions of Rust. Also upgraded GitHub Actions imports to fix CI failures. Fixes courtesy of liushuyu.

  • Fixed an unaligned pointer dereference issue on select architectures. Fix courtesy of Sebastian Andrzej Siewior.

  • Fixes to Jenkins CI pipeline.

For details, see GitHub pull request


0.103.12

ClamAV 0.103.12 is a patch release with the following fixes:

  • CVE-2024-20506: Changed the logging module to disable following symlinks on Linux and Unix systems so as to prevent an attacker with existing access to the 'clamd' or 'freshclam' services from using a symlink to corrupt system files.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to Detlef for identifying this issue.

  • CVE-2024-20505: Fixed a possible out-of-bounds read bug in the PDF file parser that could cause a denial-of-service condition.

    This issue affects all currently supported versions. It will be fixed in:

    • 1.4.1
    • 1.3.2
    • 1.0.7
    • 0.103.12

    Thank you to OSS-Fuzz for identifying this issue.

  • ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.

  • Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam config option to be pruned and then re-downloaded with every update. Also added the new 'valhalla' database name to the list of optional databases in preparation for future work.

  • Fixed an unaligned pointer dereference issue on select architectures. Fix courtesy of Sebastian Andrzej Siewior.


Thursday, August 15, 2024

ClamAV 1.4.0 feature release and ClamAV bytecode compiler 1.4.0 release

The ClamAV 1.4.0 feature release is now stable. We encourage everyone to download the latest version now from the ClamAV downloads page, on the GitHub Release page, and through Docker Hub*:

*The Docker images are built on release day and will be made available when they are ready.

We are also publishing ClamAV bytecode compiler version 1.4.0.

The ClamAV bytecode compiler release files are available for download on the GitHub Release page and through Docker Hub.

ClamAV platform support changes

We will no longer provide Linux 32-bit packages. With RHEL 7 reaching end-of-life, we had to upgrade our build hosts and selected Alma Linux 8. Alma Linux does not provide 32-bit images. ClamAV users on 32-bit platforms can still build from source.

We now provide ARM64 packages for Windows. We are not able to provide ARM64/aarch64
Linux packages for this release.

Regarding future versions

An expired signing certificate used to create one of the test files is causing feature test failures in previous versions (1.3.1, 1.0.6 LTS). This is only a test issue and does not impact ClamAV functionality or detection. We are preparing patch versions for the 1.3 and 1.0 feature releases to address the test issue.

The next LTS release will be announced later this year. It will likely be the feature release after 1.4.

The 0.103 LTS release will soon reach end-of-life for security fixes. Check out our recent blog post for full details


Continue reading to learn what changed in these versions.

ClamAV 1.4.0

ClamAV 1.4.0 includes the following improvements and changes:

Major changes

  • Added support for extracting ALZ archives. The new ClamAV file type for ALZ archives is CL_TYPE_ALZ. Added a DCONF option to enable or disable ALZ archive support.

    Tip: DCONF (Dynamic CONFiguration) is a feature that allows for some configuration changes to be made via ClamAV .cfg "signatures".

  • Added support for extracting LHA/LZH archives. The new ClamAV file type for LHA/LZH archives is CL_TYPE_LHA_LZH. Added a DCONF option to enable or disable LHA/LZH archive support.

  • Added the ability to disable image fuzzy hashing, if needed. For context, image fuzzy hashing is a detection mechanism useful for identifying malware by matching images included with the malware or phishing email/document.

    New ClamScan options:

    --scan-image[=yes(*)/no]
    --scan-image-fuzzy-hash[=yes(*)/no]
    

    New ClamD config options:

    ScanImage yes(*)/no
    ScanImageFuzzyHash yes(*)/no
    

    New libclamav scan options:

    options.parse &= ~CL_SCAN_PARSE_IMAGE;
    options.parse &= ~CL_SCAN_PARSE_IMAGE_FUZZY_HASH;
    

    Added a DCONF option to enable or disable image fuzzy hashing support.

Other improvements

  • Added cross-compiling instructions for targeting ARM64/aarch64 processors for Windows and Linux.

  • Improved the Freshclam warning messages when being blocked or rate limited to include the Cloudflare Ray ID, which helps with issue triage.

  • Removed unnecessary memory allocation checks when the size to be allocated is fixed or comes from a trusted source. We also renamed internal memory allocation functions and macros, so it is more obvious what each function does.

  • Improved the Freshclam documentation to make it clear that the --datadir option must be an absolute path to a directory that already exists, is writable by Freshclam, and is readable by ClamScan and ClamD.

  • Added an optimization to avoid calculating the file hash if the clean file cache has been disabled. The file hash may still be calculated as needed to perform hash-based signature matching if any hash-based signatures exist that target a file of the same size, or if any hash-based signatures exist that target "any" file size.

  • Added an improvement to the SystemD service file for ClamOnAcc so that the service will shut down faster on some systems.

  • Added a CMake build dependency on the version map files so that the build will re-run if changes are made to the version map files. Work courtesy of Sebastian Andrzej Siewior.

  • Added an improvement to the CMake build so that the RUSTFLAGS settings are inherited from the environment. Work courtesy of liushuyu.

Bug fixes

  • Silenced confusing warning message when scanning some HTML files.

  • Fixed minor compiler warnings.

  • Since the build system changed from Autotools to CMake, ClamAV no longer supports building with configurations where bzip2, libxml2, libz, libjson-c, or libpcre2 are not available. Libpcre is no longer supported in favor of libpcre2. In this release, we removed all the dead code associated with those unsupported build configurations.

  • Fixed assorted typos. Patch courtesy of RainRat.

  • Added missing documentation for the ClamScan --force-to-disk option.

  • Fixed an issue where ClamAV unit tests would prefer an older libclamunrar_iface library from the install path, if present, rather than the recently compiled library in the build path.

  • Fixed a build issue on Windows with newer versions of Rust. Also upgraded GitHub Actions imports to fix CI failures. Fixes courtesy of liushuyu.

  • Fixed an unaligned pointer dereference issue on select architectures. Fix courtesy of Sebastian Andrzej Siewior.

  • Fixed a bug that prevented loading plaintext (non-CVD) signature files when using the --fail-if-cvd-older-than=DAYS / FailIfCvdOlderThan option. Fix courtesy of Bark.

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

  • Bark
  • liushuyu
  • Sebastian Andrzej Siewior
  • RainRat

ClamAV Bytecode Compiler 1.4.0

➕ Upgrade bytecode compiler project to LLVM 16.

🌌 New Requirements:

  • LLVM 16
  • Clang 16

Wednesday, August 7, 2024

ClamAV 0.103 LTS End of Life Announcement

The ClamAV 0.103 LTS release is nearing end-of-life (EOL) with regards to security vulnerability fix support from our team. This end of life date will be Sept. 14, 2024.

ClamAV 0.103 users will be able to update signatures from the official database mirror for an additional one year after the EOL date.

After Sept. 14, 2025, we may block ClamAV 0.103 from downloading signature updates.

We recommend that users update to the newest LTS release, ClamAV 1.0.6.


For users that want to upgrade to the newest non-LTS release, use ClamAV 1.3.1.

The most recent version of ClamAV can be found here:
https://www.clamav.net/downloads

The following is a list of major changes available to users in the newest versions of ClamAV.

Since ClamAV 0.103, ClamAV 1.0 LTS adds:

·                     A new detection capability based on comparing image fuzzy hashes.

·                     [Windows] A feature to start clamd and freshclam as Windows services.

·                     [Windows] A feature to scan process memory with either clamscan or clamdscan.

·                     Signature database load progress bars for clamscan.

·                     Support for extracting images from OLE2-based Excel documents.

·                     The ability to use *.cat files with CRB signature rules to trust signed Windows executables.

·                     Support for decrypting read-only OLE2-based XLS files that are encrypted with the default password.

·                     Significant reliability improvements to the All-Match scanning mode.

·                     Multiple libclamav API improvements.

·                     And more!

Since ClamAV 1.0 LTS, ClamAV 1.3.1 adds:

·                     Support for extracting Universal Disk Format (UDF) partitions.

·                     Support for extracting ALZ archives.

·                     Support for extracting LHA/LZH archives.

·                     Support for extracting images embedded in HTML CSS<style> blocks.

·                     Support for extracting attachments found in Microsoft OneNote files.

·                     An option to customize the size of ClamAV's clean file cache.

·                     Effective removal of the MaxScanSize limit so the total amount of data scanned when scanning a file or archive may exceed 4 gigabytes. Note: This does not allow individual file size to exceed the 2  limit.

·                     The ability for Freshclam to use a client certificate PEM file and a private key PEM file for authentication to a private mirror.

·                     A new ClamScan and ClamD option to fail to load if the provided signature database is older than a given number of days.

·                     Multiple libclamav API improvements.



Users updating to the newest version of ClamAV can find helpful resource below and if you find you have a specific question, please join our Discord.

An assortment of installer packages for Mac (universal PKG installer), windows (MSI and ZIP installers), and Linux (DEB and RPM installers). These are available from:
https://www.clamav.net/downloads

https://github.com/Cisco-Talos/clamav/releases/


Alpine and Debian based Docker containers. These are published here:
https://hub.docker.com/u/clamav


Helpful documentation for compiling ClamAV:

- Linux: https://docs.clamav.net/manual/Installing/Installing-from-source-Unix.html

- Windows: https://docs.clamav.net/manual/Installing/Installing-from-source-Windows.html

- Reference documentation for compile options: https://github.com/Cisco-Talos/clamav/blob/main/INSTALL.md

- Instructions for cross-compiling from Linux x86_64 to Linux aarch64: https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-linux-arm64.md

- Instructions for cross-compiling from Windows x86_64 to Windows ARM64: https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-windows-arm64.md


For users of installer packages instructions can be found here:
https://docs.clamav.net/manual/Installing.html#installing-with-an-installer



Further information about ClamAV EOL policy can be found here:
https://docs.clamav.net/faq/faq-eol.html