ClamAV 0.103.8, 0.105.2 and 1.0.1 patch versions published

 Today, we are releasing the following critical patch versions for ClamAV:

• 0.103.8
• 0.105.2
• 1.0.1

ClamAV 0.104 has reached end-of-life according to the ClamAV End of Life (EOL) policy and will not be patched. Anyone using ClamAV 0.104 must switch to a supported version. All users should update as soon as possible to patch for the remote code execution vulnerability and remote information leak vulnerability.

Edit: We are aware that technical details for CVE-2023-20032 and a proof-of-concept sample to demonstrate the buffer overflow are publicly available.

The release files are available for download on ClamAV.net, on the Github Release page, and through Docker Hub.

1.0.1

ClamAV 1.0.1 is a critical patch release with the following fixes:

• CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

• CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

• Fix an allmatch detection issue with the preclass bytecode hook.

  • GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/825

• Update the vendored libmspack library to version 0.11alpha.

  • GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/828

0.105.2

ClamAV 0.105.2 is a critical patch release with the following fixes:

• CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

• CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

• Fixed an issue loading Yara rules containing regex strings with an escaped forward-slash (\/) followed by a colon (:).

  • GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/695

• Moved the ClamAV Docker files for building containers to a new Git repository. The Docker files are now in https://github.com/Cisco-Talos/clamav-docker. This change enables us to fix issues with the images and with the supporting scripts used to publish and update the images without committing changes directly to files in the ClamAV release branches.

  • GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/765

• Update the vendored libmspack library to version 0.11alpha.

  • GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/829

0.103.8

ClamAV 0.103.8 is a critical patch release with the following fixes:

• CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

• CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.

• Update the vendored libmspack library to version 0.11alpha.

  • GitHub pull request: https://github.com/Cisco-Talos/clamav/pull/830

ClamAV 0.105.0, 0.104.3, 0.103.6 released

The ClamAV 0.105.0 feature release is now stable and available for download on ClamAV.net or through Docker Hub.

Today, we're also publishing the 0.104.3 and 0.103.6 security patch versions, including several CVE fixes. These fixes have also been included in the 0.105 feature release. The source package and installer packages for these versions can be found under the "Previous Stable Releases" section of our Downloads page.

As a reminder, the 0.105 and 0.104 release files now include the following install packages:

• x86_64 and i686 RPM packages are compatible with RPM-based Linux distributions running glibc version 2.17 or newer.

• x86_64 and i686 DEB packages are compatible with Debian-based Linux distributions running glibc version 2.23 or newer.

• An x86_64/ARM64 macOS installer package is compatible with Intel and Apple M1 systems.

• x64 and win32 Windows packages are compatible with Windows 7 and newer.

Keep reading to find out what is in each version. 

ClamAV 0.103.3 patch release

ClamAV 0.103.3 is out now. Users can head over to clamav.net/downloads to download the release materials.

ClamAV 0.102.4 security patch released

ClamAV 0.102.4 is out now. Users can head over to clamav.net/downloads to download the release materials.

ClamAV 0.102.4 is a bug patch release to address the following issues:

CVE-2020-3350

Fixed a vulnerability a malicious user could exploit to replace a scan target's directory with a symlink to another path to trick clamscan, clamdscan, or clamonacc into removing or moving a different file (such as a critical system file). The issue would affect users that use the --move or --remove options for clamscan, clamdscan and clamonacc.

For more information about AV quarantine attacks using links, see RACK911 Lab's report.

CVE-2020-3327

Fixed a vulnerability in the ARJ archive-parsing module in ClamAV 0.102.3 that could cause a denial-of-service (DoS) condition. Improper bounds checking resulted in an out-of-bounds read that could cause a crash. The previous fix for this CVE in version 0.102.3 was incomplete. This fix correctly resolves the issue.

CVE-2020-3481

Fixed a vulnerability in the EGG archive module in ClamAV 0.102.0 - 0.102.3 that could cause a denial-of-service (DoS) condition. Improper error handling could cause a crash due to a NULL pointer dereference. This vulnerability is mitigated for those using the official ClamAV signature databases because the file type signatures in daily.cvd will not enable the EGG archive parser in affected versions.

We will be publishing a release candidate for version 0.103.0 in the next couple of weeks. Stay tuned!

ClamAV 0.102.2 security patch released

Today, we're publishing 0.102.2. Navigate to ClamAV's downloads page to download the release materials.

0.102.2

ClamAV 0.102.2 is a security patch release to address the following issues.

• CVE-2020-3123: A denial-of-service (DoS) condition may occur when using the optional credit card data-loss-prevention (DLP) feature. Improper bounds checking of an unsigned variable resulted in an out-of-bounds read, which causes a crash.
• Significantly improved the scan speed of PDF files on Windows.
• Re-applied a fix to alleviate file access issues when scanning RAR files in downstream projects that use libclamav where the scanning engine is operating in a low-privilege process. This bug was originally fixed in 0.101.2 and the fix was mistakenly omitted from 0.102.0.
• Fixed an issue where freshclam failed to update if the database version downloaded is one version older than advertised. This situation may occur after a new database version is published. The issue affected users downloading the whole CVD database file.
• Changed the default freshclam ReceiveTimeout setting to 0 (infinite). The ReceiveTimeout had caused needless database update failures for users with slower internet connections.
• Correctly display the number of kilobytes (KiB) in progress bar and reduced the size of the progress bar to accommodate 80-character width terminals.
• Fixed an issue where running freshclam manually causes a daemonized freshclam process to fail when it updates because the manual instance deletes the temporary download directory. The freshclam temporary files will now download to a unique directory created at the time of an update instead of using a hardcoded directory created/destroyed at the program start/exit.
• Fix for freshclam's OnOutdatedExecute config option.
• Fixes a memory leak in the error condition handling for the email parser.
• Improved bound checking and error handling in ARJ archive parser.
• Improved error handling in PDF parser.
• Fix for memory leak in byte-compare signature handler.
• Updates to the unit test suite to support libcheck 0.13.
• Updates to support autoconf 2.69 and automake 1.15.

Special thanks to the following people for code contributions and bug reports:

•     Antoine Deschênes
•     Eric Lindblad
•     Gianluigi Tiesi
•     Tuomo Soini

Please join us on the ClamAV mailing lists for further discussion. Thanks!