ClamAV 1.2.2

ClamAV 1.2.2 is a critical patch release with the following fix:

• CVE-2024-20290:
  Fixed a possible heap overflow read bug in the OLE2 file parser that could
  cause a denial-of-service (DoS) condition.

  Affected versions:

  • 1.0.0 through 1.0.4 (LTS)
  • 1.1 (all patch versions)
  • 1.2.0 and 1.2.1

  Thank you to OSS-Fuzz for identifying this issue.

• CVE-2024-20328:
  Fixed a possible command injection vulnerability in the VirusEvent feature
  of ClamAV's ClamD service.

  To fix this issue, we disabled the '%f' format string parameter.
  ClamD administrators may continue to use the CLAM_VIRUSEVENT_FILENAME
  environment variable, instead of '%f'. But you should do so only from within
  an executable, such as a Python script, and not directly in the clamd.conf
VirusEvent command.

  Affected versions:

  • 0.104 (all patch versions)
  • 0.105 (all patch versions)
  • 1.0.0 through 1.0.4 (LTS)
  • 1.1 (all patch versions)
  • 1.2.0 and 1.2.1

  Thank you to Amit Schendel for identifying this issue.

ClamAV 1.0.5

ClamAV 1.0.5 is a critical patch release with the following fixes:

• CVE-2024-20290:
  Fixed a possible heap overflow read bug in the OLE2 file parser that could
  cause a denial-of-service (DoS) condition.

  Affected versions:

  • 1.0.0 through 1.0.4 (LTS)
  • 1.1 (all patch versions)
  • 1.2.0 and 1.2.1

  Thank you to OSS-Fuzz for identifying this issue.

• CVE-2024-20328:
  Fixed a possible command injection vulnerability in the VirusEvent feature
  of ClamAV's ClamD service.

  To fix this issue, we disabled the '%f' format string parameter.
  ClamD administrators may continue to use the CLAM_VIRUSEVENT_FILENAME
  environment variable, instead of '%f'. But you should do so only from within
  an executable, such as a Python script, and not directly in the clamd.conf
VirusEvent command.

  Affected versions:

  • 0.104 (all patch versions)
  • 0.105 (all patch versions)
  • 1.0.0 through 1.0.4 (LTS)
  • 1.1 (all patch versions)
  • 1.2.0 and 1.2.1

  Thank you to Amit Schendel for identifying this issue.

ClamAV 1.3.0-rc2

ClamAV 1.3.0 includes the following improvements and changes:

Major changes

• Added support for extracting and scanning attachments found in Microsoft
  OneNote section files.
  OneNote parsing will be enabled by default, but may be optionally disabled
  using one of the following options:
  a. The clamscan command line option: --scan-onenote=no,
  b. The clamd.conf config option: ScanOneNote no,
  c. The libclamav scan option options.parse &= ~CL_SCAN_PARSE_ONENOTE;,
  d. A signature change to the daily.cfg dynamic configuration (DCONF).
  • GitHub pull request

Other improvements

• Fixed issue when building ClamAV on the Haiku (BeOS-like) operating system.
  Patch courtesy of Luca D'Amico

  • GitHub pull request

• ClamD: When starting, ClamD will now check if the directory specified by
  TemporaryDirectory in clamd.conf exists. If it doesn't, ClamD
  will print an error message and will exit with exit code 1.
  Patch courtesy of Andrew Kiggins.

  • GitHub pull request

• CMake: If configured to build static libraries, CMake will now also
  install the libclamav_rust, libclammspack, libclamunrar_iface, and
  libclamunrar static libraries required by libclamav.

  Note: These libraries are all linked into the clamscan, clamd, sigtool,
  and freshclam programs, which is why they did not need to be installed
  to function. However, these libraries would be required if you wish to
  build some other program that uses the libclamav static library.

  Patch courtesy of driverxdw.

  • GitHub pull request

• Added file type recognition for compiled Python (.pyc) files.
  The file type appears as a string parameter for these callback functions:

  • clcb_pre_cache
  • clcb_pre_scan
  • clcb_file_inspection
    When scanning a .pyc file, the type parameter will now show
    "CL_TYPE_PYTHON_COMPILED" instead of "CL_TYPE_BINARY_DATA".
  • GitHub pull request

• Improved support for decrypting PDF's with empty passwords.

  • GitHub pull request

• Assorted minor improvements and typo fixes.

Bug fixes

• Fixed a warning when scanning some HTML files.

  • GitHub pull request

• Fixed an issue decrypting some PDF's with an empty password.

  • GitHub pull request

• ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.

  • GitHub pull request

• ClamOnAcc: Fixed an infinite loop when a file has been deleted before a scan.
  Patch courtesy of gsuehiro.

  • GitHub pull request

• Fixed a possible crash when processing VBA files on HP-UX/IA 64bit.
  Patch courtesy of Albert Chin-A-Young.

  • GitHub pull request

• ClamConf: Fixed an issue printing MaxScanSize introduced with the change
  to allow a MaxScanSize greater than 4 GiB.
  Fix courtesy of teoberi.

  • GitHub pull request

• Fixed an issue building a ClamAV RPM in some configurations.
  The issue was caused by faulty CMake logic that intended to create an
  empty database directory during the install.

  • GitHub pull request

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

• Albert Chin-A-Young
• Andrew Kiggins
• driverxdw
• gsuehiro
• Luca D'Amico
• RainRat
• teoberi

ClamAV 1.3.0-rc

ClamAV 1.3.0 release candidate includes the following improvements and changes:

Major changes

• Added support for extracting and scanning attachments found in Microsoft
  OneNote section files.
  OneNote parsing will be enabled by default, but may be optionally disabled
  using one of the following options:
  a. The clamscan command line option: --scan-onenote=no,
  b. The clamd.conf config option: ScanOneNote no,
  c. The libclamav scan option options.parse &= ~CL_SCAN_PARSE_ONENOTE;,
  d. A signature change to the daily.cfg dynamic configuration (DCONF).
  • GitHub pull request

Other improvements

• Fixed issue when building ClamAV on the Haiku (BeOS-like) operating system.
  Patch courtesy of Luca D'Amico

  • GitHub pull request

• ClamD: When starting, ClamD will now check if the directory specified by
  TemporaryDirectory in clamd.conf exists. If it doesn't, ClamD
  will print an error message and will exit with exit code 1.
  Patch courtesy of Andrew Kiggins.

  • GitHub pull request

• CMake: If configured to build static libraries, CMake will now also
  install the libclamav_rust, libclammspack, libclamunrar_iface, and
  libclamunrar static libraries required by libclamav.

  Note: These libraries are all linked into the clamscan, clamd, sigtool,
  and freshclam programs, which is why they did not need to be installed
  to function. However, these libraries would be required if you wish to
  build some other program that uses the libclamav static library.

  Patch courtesy of driverxdw.

  • GitHub pull request

• Added file type recognition for compiled Python (.pyc) files.
  The file type appears as a string parameter for these callback functions:

  • clcb_pre_cache
  • clcb_pre_scan
  • clcb_file_inspection
    When scanning a .pyc file, the type parameter will now show
    "CL_TYPE_PYTHON_COMPILED" instead of "CL_TYPE_BINARY_DATA".
  • GitHub pull request

• Assorted minor improvements and typo fixes.

Bug fixes

• Fixed a warning when scanning some HTML files.

  • GitHub pull request

• Fixed an issue decrypting some PDF's with an empty password.

  • GitHub pull request

• ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.

  • GitHub pull request

• Fixed a possible crash when processing VBA files on HP-UX/IA 64bit.
  Patch courtesy of Albert Chin-A-Young.

  • GitHub pull request

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

• Albert Chin-A-Young
• Andrew Kiggins
• driverxdw
• Luca D'Amico
• RainRat

ClamAV 1.2.1

ClamAV 1.2.1 is a patch release with the following fixes:

• Eliminate security warning about unused "atty" dependency.

  • GitHub pull request: #1033

• Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12.

  • GitHub pull request: #1056

• Build system: Fix link error with Clang/LLVM/LLD version 17.
  Patch courtesy of Yasuhiro Kimura.

  • GitHub pull request: #1060

• Fix alert-exceeds-max feature for files > 2GB and < max-filesize.

  • GitHub pull request: #1039

Special thanks to the following people for code contributions and bug reports:

• Yasuhiro Kimura

ClamAV 1.1.3

ClamAV 1.1.3 is a patch release with the following fixes:

• Eliminate security warning about unused "atty" dependency.

  • GitHub pull request: #1034

• Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12.

  • GitHub pull request: #1055

• Windows: libjson-c 0.17 compatibility fix. with ssize_t type definition.

  • GitHub pull request: #1063

• Build system: Fix link error with Clang/LLVM/LLD version 17.
  Patch courtesy of Yasuhiro Kimura.

  • GitHub pull request: #1059

• Fix alert-exceeds-max feature for files > 2GB and < max-filesize.

  • GitHub pull request: #1040

Special thanks to the following people for code contributions and bug reports:

• Yasuhiro Kimura

ClamAV 1.0.4

ClamAV 1.0.4 is a patch release with the following fixes:

• Eliminate security warning about unused "atty" dependency.

  • GitHub pull request: #1035

• Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12.

  • GitHub pull request: #1054

• Windows: libjson-c 0.17 compatibility fix. with ssize_t type definition.

  • GitHub pull request: #1064

• Freshclam: Removed a verbose warning printed for each Freshclam HTTP request.

  • GitHub pull request: #1042

• Build system: Fix link error with Clang/LLVM/LLD version 17.
  Patch courtesy of Yasuhiro Kimura.

  • GitHub pull request: #1058

• Fix alert-exceeds-max feature for files > 2GB and < max-filesize.

  • GitHub pull request: #1041

Special thanks to the following people for code contributions and bug reports:

• Yasuhiro Kimura

ClamAV 0.103.11

ClamAV 0.103.11 is a patch release with the following fixes:

• Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12.

  • GitHub pull request: #1053

• Windows: libjson-c 0.17 compatibility fix. with ssize_t type definition.

  • GitHub pull request: #1065

• Windows: Update build system to use OpenSSL 3 and PThreads-Win32 v3.

  • GitHub pull request: #1057

ClamAV 1.2.0

ClamAV 1.2.0 includes the following improvements and changes:

Major changes

• Added support for extracting Universal Disk Format (UDF) partitions.

  Specifically, this version adds support for the Beginning Extended Area
  Descriptor (BEA01) type of UDF files.

  • GitHub pull request: #941

• Added an option to customize the size of ClamAV's clean file cache.

  Increasing the size of the clean file cache may improve scan performance
  but will require more RAM. The cache size value should be a square number
  or will be rounded up to the nearest square number.

  The cache size option for clamd and clamscan is --cache-size.
  Alternatively, you can customize the cache size for ClamD by setting
  CacheSize in clamd.conf.

  Patch courtesy of Craig Andrews.

  • GitHub pull request: #882

• Introduced a SystemD timer for running Freshclam updates, without sending
  Freshclam into the background. This takes the "burden of timing the updates"
  from Freshclam and puts it onto SystemD.
  The timer can be activated, audited, and the logs inspected:

  sudo systemctl enable --now clamav-freshclam-once.timer
  sudo systemctl list-timers
  sudo systemctl status clamav-freshclam-once.timer
  sudo systemctl status clamav-freshclam-once.service
  journalctl -u clamav-freshclam-once.service

  If you want a different update interval you can edit the timer unit file:

  sudo systemctl edit clamav-freshclam-once.timer

  Patch courtesy of Nils Werner.

  • GitHub pull request: #962

• Raised the MaxScanSize limit so the total amount of data scanned when
  scanning a file or archive may exceed 4 gigabytes.

  Introduced the ability to suffix the MaxScanSize and other config file size
  options with a "G" or "g" for the number of gigabytes.
  For example, for ClamD you may now specify MaxScanSize 10G in clamd.conf.
  And for ClamScan, you may now specify --max-scansize=10g.

  The MaxFileSize is still limited internally in ClamAV to 2 gigabytes.
  Any file, or embedded file, larger than 2GB will be skipped.
  You may use clamscan --alert-exceeds-max, or the clamd.conf option
  AlertExceedsMax yes to tell if a scan is not completed because of
  the scan limits.

  Patch courtesy of matthias-fratz-bsz.

  • GitHub pull request: #945

• Added ability for Freshclam to use a client certificate PEM file and a
  private key PEM file for authentication to a private mirror by setting the
  following environment variables:

  • FRESHCLAM_CLIENT_CERT: May be set to the path of a file (PEM) containing
    the client certificate.
  • FRESHCLAM_CLIENT_KEY: May be set to the path of a file (PEM) containing
    the client private key.
  • FRESHCLAM_CLIENT_KEY_PASSWD: May be set to a password for the client key
    PEM file, if it is password protected.

  Patch courtesy of jedrzej.

  • GitHub pull request: #955

Other improvements

• Fix an issue extracting files from ISO9660 partitions where the files are
  listed in the plain ISO tree and there also exists an empty Joliet tree.

  • GitHub pull request: #938

• CMake build system improvement to support compiling with OpenSSL 3.x on
  macOS with the Xcode toolchain.

  The official ClamAV installers and packages are now built with OpenSSL 3.1.1
  or newer.

  • GitHub pull request: #970

• The suggested path for the clamd.pid and clamd.sock file in the sample
  configs have been updated to reflect the recommended locations for these files
  in the Docker images. These are:

  • /run/clamav/clamd.pid
  • /run/clamav/clamd.sock

  For consistency, it now specifies clamd.sock instead of clamd.socket.

  Patch courtesy of computersalat.

  • GitHub pull request: #931

Bug fixes

• Fixed an issue where ClamAV does not abort the signature load process after
  partially loading an invalid signature. The bug would later cause a crash when
  scanning certain files.

  • GitHub pull request: #934

• Fixed a possible buffer over-read bug when unpacking PE files.

  • GitHub pull request: #927

• Removed a warning message showing the HTTP response codes during the
  Freshclam database update process.

  • GitHub pull request: #935

• Added missing command line options to the ClamD and ClamAV-Milter --help
  message and manpages.

  • GitHub pull request: #936

• ClamOnAcc: Fixed error message when using --wait without --ping option.
  Patch courtesy of Răzvan Cojocaru.

  • GitHub pull request: #984

• Fixed an assortment of code quality issues identified by Coverity:

  • GitHub pull requests:
    • #989
    • #998

• Windows: Fixed a build issue with the CMake-Rust integration regarding
  detecting native static libraries that caused builds to fail with Rust
  version 1.70 and newer.

  • GitHub pull request: #992

• Fixed a bounds check issue in the PDF parser that may result in a 1-byte
  buffer over read but does not cause a crash.

  • GitHub pull request: #988

• Upgraded the bundled UnRAR library (libclamunrar) to version 6.2.10.

  • GitHub pull request: #1008

• Fixed a compatibility issue with libjson-c version 0.17.

  • GitHub pull request: #1002

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

• computersalat
• Craig Andrews
• jedrzej
• matthias-fratz-bsz
• Nils Werner
• Răzvan Cojocaru

ClamAV 1.1.2

ClamAV 1.1.2 is a critical patch release with the following fixes:

• Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.10.
  • GitHub pull request: #1011