
ZCS-13605 : Upgrade ClamAV to 1.0.1 #190

Merged
merged 3 commits into from
Jul 27, 2023

Conversation

umagmrit
Contributor

This PR has been created on the top of OpenSSL-3.0.9 Upgrade PR (#189) because Clamav needs to compile with OpenSSL-3.0.9.

  • Upgrade ClamAV to 1.0.1
  • Updated clamav-db for ClamAV-1.0.1

@umagmrit umagmrit changed the base branch from ZBUG-3355 to develop July 27, 2023 03:16
@umagmrit umagmrit changed the base branch from develop to ZBUG-3355 July 27, 2023 03:19
@umagmrit umagmrit changed the base branch from ZBUG-3355 to develop July 27, 2023 03:20
@umagmrit umagmrit merged commit 2d5eaef into develop Jul 27, 2023
@umagmrit umagmrit deleted the ZCS-13605 branch July 27, 2023 03:20
@stondino00

Please upgrade clamav to 1.0.3 ASAP. 1.0.2 and 1.0.3 fix critical vulnerabilities.

1.0.3
ClamAV 1.0.3 is a critical patch release with the following fixes:

Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.10.
GitHub pull request: Cisco-Talos/clamav#1010

1.0.2
ClamAV 1.0.2 is a critical patch release with the following fixes:

CVE-2023-20197 Fixed a possible denial of service vulnerability in the HFS+ file parser. This issue affects versions 1.1.0, 1.0.1 through 1.0.0, 0.105.2 through 0.105.0, 0.104.4 through 0.104.0, and 0.103.8 through 0.103.0. Thank you to Steve Smith for reporting this issue.
CVE-2023-20212 Fixed a possible denial of service vulnerability in the AutoIt file parser. This issue affects versions 1.0.1 and 1.0.0. This issue does not affect version 1.1.0.
Fixed a build issue when using the Rust nightly toolchain, which was affecting the oss-fuzz build environment used for regression tests.
GitHub pull request: Cisco-Talos/clamav#996
Fixed a build issue on Windows when using Rust version 1.70 or newer.
GitHub pull request: Cisco-Talos/clamav#993
CMake build system improvement to support compiling with OpenSSL 3.x on macOS with the Xcode toolchain. The official ClamAV installers and packages are now built with OpenSSL 3.1.1 or newer.
GitHub pull request: Cisco-Talos/clamav#973
Fixed an issue where ClamAV does not abort the signature load process after partially loading an invalid signature. The bug would later cause a crash when scanning certain files.
GitHub pull request: Cisco-Talos/clamav#952
Fixed an issue so that ClamAV correctly removes temporary files generated by the VBA and XLM extraction modules so that the files are not leaked in patched versions of ClamAV where temporary files are written directly to the temp-directory instead of writing to a unique subdirectory.
GitHub pull request: Cisco-Talos/clamav#900
Set Git attributes to prevent Git from altering line endings for bundled Rust libraries. Third-party Rust libraries are bundled in the ClamAV release tarball. We do not commit them to our own Git repository, but community package maintainers may now store the tarball contents in Git. The Rust build system verifies the library manifest, and this change ensures that the hashes are correct. Improvement courtesy of Nicolas R.
GitHub pull request: Cisco-Talos/clamav#856
Fixed two bugs that would cause Freshclam to fail update when applying a CDIFF database patch if that patch adds a file to the database archive or removes a file from the database archive. This bug also caused Sigtool to fail to create such a patch.
GitHub pull request: Cisco-Talos/clamav#901

@secure-code-warrior-for-github

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "denial of service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service


@stondino00

Please look at upgrading bundled clamav. Security fixes below.

ClamAV 1.2.2 and ClamAV 1.0.5 are critical patch versions with the following fixes:

CVE-2024-20290: Fixed a possible heap overflow read bug in the OLE2 file parser that could cause a denial-of-service (DoS) condition.

Thank you to OSS-Fuzz for identifying this issue.

Affected versions:
1.0.0 through 1.0.4 (LTS)
1.1 (all patch versions)
1.2.0 and 1.2.1
CVE-2024-20328: Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service.

To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the CLAM_VIRUSEVENT_FILENAME environment variable, instead of '%f'. But you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command.

Thank you to Amit Schendel for identifying this issue.

Affected versions:
0.104 (all patch versions)
0.105 (all patch versions)
1.0.0 through 1.0.4 (LTS)
1.1 (all patch versions)
1.2.0 and 1.2.1
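The CVE-2024-20328 advisory above says to take the filename from the CLAM_VIRUSEVENT_FILENAME environment variable inside a script rather than via '%f' in clamd.conf. The handler below is an added example (not ClamAV's or Zimbra's code) of what such a script looks like; the log and quarantine paths, the clamd.conf line in the docstring, and the use of CLAM_VIRUSEVENT_VIRUSNAME (the companion variable clamd sets) are assumptions. The point it demonstrates is that the filename is only ever passed as a single argv element, so a name containing shell metacharacters is never parsed by a shell.

```python
#!/usr/bin/env python3
"""VirusEvent handler that reads the hit from clamd's environment.

Assumed clamd.conf line:  VirusEvent /usr/local/bin/clam_virus_event.py
clamd exports CLAM_VIRUSEVENT_FILENAME (and CLAM_VIRUSEVENT_VIRUSNAME) to
the handler; the filename is never interpolated into a shell command string.
"""
import os
import shlex
import subprocess
from datetime import datetime, timezone

LOG_PATH = "/var/log/clamav/virusevent.log"     # assumed location
QUARANTINE_DIR = "/var/lib/clamav/quarantine"   # assumed location


def read_event(env=os.environ):
    """Return (filename, virusname) from the variables clamd sets."""
    filename = env.get("CLAM_VIRUSEVENT_FILENAME")
    if not filename:
        raise RuntimeError("CLAM_VIRUSEVENT_FILENAME not set; not run by clamd?")
    return filename, env.get("CLAM_VIRUSEVENT_VIRUSNAME", "unknown")


def quarantine_argv(filename, quarantine_dir=QUARANTINE_DIR):
    """argv list for mv: the name is one literal argument (no shell parses it),
    and '--' stops mv treating a name that starts with '-' as an option."""
    return ["mv", "--", filename, quarantine_dir]


def shell_form(filename, quarantine_dir=QUARANTINE_DIR):
    """If a shell string is unavoidable, shlex.quote is the minimum defence;
    unquoted interpolation is what made the old '%f' substitution injectable."""
    return "mv -- " + shlex.quote(filename) + " " + shlex.quote(quarantine_dir)


def main():
    filename, virusname = read_event()
    stamp = datetime.now(timezone.utc).isoformat()
    with open(LOG_PATH, "a") as log:
        # %r keeps control characters in the name visible in the log line
        log.write("%s %s %r\n" % (stamp, virusname, filename))
    # argv list, shell=False (the default): no shell ever sees the filename
    subprocess.run(quarantine_argv(filename), check=False)


if __name__ == "__main__":
    main()
```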

@stondino00

Clamav has been updated to fix vulnerabilities.

ClamAV 1.3.1, 1.2.3, 1.0.6 patch versions published
Today, we are publishing the 1.3.1, 1.2.3, and 1.0.6 security patch versions.

The release files for the patch versions are available for download on the ClamAV downloads page, on the GitHub Release page, and through Docker Hub.

The images on Docker Hub may not be immediately available on release day.

Continue reading to learn what changed in each version.

1.3.1
ClamAV 1.3.1 is a critical patch release with the following fixes:

CVE-2024-20380: Fixed a possible crash in the HTML file parser that could cause a denial-of-service (DoS) condition.

This issue affects version 1.3.0 only and does not affect prior versions.

Thank you to Błażej Pawłowski for identifying this issue.

GitHub pull request
Updated select Rust dependencies to the latest versions. This resolved Cargo audit complaints and included PNG parser bug fixes.

GitHub pull request
Fixed a bug causing some text to be truncated when converting from UTF-16.

GitHub pull request
Fixed assorted complaints identified by Coverity static analysis.

GitHub pull request
Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam config option to be pruned and then re-downloaded with every update.

GitHub pull request
Added the new 'valhalla' database name to the list of optional databases in preparation for future work.

GitHub pull request
Added symbols to the libclamav.map file to enable additional build configurations.

Patch courtesy of Neil Wilson.

GitHub pull request

1.2.3
ClamAV 1.2.3 is a critical patch release with the following fixes:

Updated select Rust dependencies to the latest versions. This resolved Cargo audit complaints and included PNG parser bug fixes.

GitHub pull request
Fixed a bug causing some text to be truncated when converting from UTF-16.

GitHub pull request
Fixed assorted complaints identified by Coverity static analysis.

GitHub pull request
Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam config option to be pruned and then re-downloaded with every update.

GitHub pull request
Added the new 'valhalla' database name to the list of optional databases in preparation for future work.

GitHub pull request
Silenced a warning "Unexpected early end-of-file" that occurred when scanning some PNG files.

GitHub pull request

1.0.6
ClamAV 1.0.6 is a critical patch release with the following fixes:

Updated select Rust dependencies to the latest versions. This resolved Cargo audit complaints and included PNG parser bug fixes.

GitHub pull request
Fixed a bug causing some text to be truncated when converting from UTF-16.

GitHub pull request
Fixed assorted complaints identified by Coverity static analysis.

GitHub pull request
Fixed a bug causing CVDs downloaded by the DatabaseCustomURL Freshclam config option to be pruned and then re-downloaded with every update.

GitHub pull request
Added the new 'valhalla' database name to the list of optional databases in preparation for future work.

GitHub pull request
Silenced a warning "Unexpected early end-of-file" that occurred when scanning some PNG files.

GitHub pull request
