From 5f934c16b47591157a7082b71e751c45f095e2c8 Mon Sep 17 00:00:00 2001
From: Micah Snyder
Date: Thu, 1 Feb 2024 17:30:25 -0500
Subject: [PATCH] Update bytecode api functionality levels and add news from recent patch versions
---
 NEWS.md | 68 ++++++++++++++++++++++++++++++++++++++++
 libclamav/bytecode_api.h | 9 ++++++
 2 files changed, 77 insertions(+)
diff --git a/NEWS.md b/NEWS.md
index ec3ca55f83..15eb18c465 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -97,6 +97,40 @@ Special thanks to the following people for code contributions and bug reports:
 - RainRat
 - teoberi
+## 1.2.2
+
+ClamAV 1.2.2 is a critical patch release with the following fix:
+
+- [CVE-2024-20290](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20290):
+ Fixed a possible heap overflow read bug in the OLE2 file parser that could
+ cause a denial-of-service (DoS) condition.
+
+ Affected versions:
+ - 1.0.0 through 1.0.4 (LTS)
+ - 1.1 (all patch versions)
+ - 1.2.0 and 1.2.1
+
+ Thank you to OSS-Fuzz for identifying this issue.
+
+- [CVE-2024-20328](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20328):
+ Fixed a possible command injection vulnerability in the `VirusEvent` feature
+ of ClamAV's ClamD service.
+
+ To fix this issue, we disabled the '%f' format string parameter.
+ ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME`
+ environment variable, instead of '%f'. But you should do so only from within
+ an executable, such as a Python script, and not directly in the `clamd.conf`
+ `VirusEvent` command.
+
+ Affected versions:
+ - 0.104 (all patch versions)
+ - 0.105 (all patch versions)
+ - 1.0.0 through 1.0.4 (LTS)
+ - 1.1 (all patch versions)
+ - 1.2.0 and 1.2.1
+
+ Thank you to Amit Schendel for identifying this issue.
+
 ## 1.2.1
 
 ClamAV 1.2.1 is a patch release with the following fixes:
 
@@ -501,6 +535,40 @@ Special thanks to the following people for code contributions and bug reports:
 - Sebastian Andrzej Siewior
 - The OSS-Fuzz project
+## 1.0.5
+
+ClamAV 1.0.5 is a critical patch release with the following fixes:
+
+- [CVE-2024-20290](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20290):
+ Fixed a possible heap overflow read bug in the OLE2 file parser that could
+ cause a denial-of-service (DoS) condition.
+
+ Affected versions:
+ - 1.0.0 through 1.0.4 (LTS)
+ - 1.1 (all patch versions)
+ - 1.2.0 and 1.2.1
+
+ Thank you to OSS-Fuzz for identifying this issue.
+
+- [CVE-2024-20328](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20328):
+ Fixed a possible command injection vulnerability in the `VirusEvent` feature
+ of ClamAV's ClamD service.
+
+ To fix this issue, we disabled the '%f' format string parameter.
+ ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME`
+ environment variable, instead of '%f'. But you should do so only from within
+ an executable, such as a Python script, and not directly in the `clamd.conf`
+ `VirusEvent` command.
+
+ Affected versions:
+ - 0.104 (all patch versions)
+ - 0.105 (all patch versions)
+ - 1.0.0 through 1.0.4 (LTS)
+ - 1.1 (all patch versions)
+ - 1.2.0 and 1.2.1
+
+ Thank you to Amit Schendel for identifying this issue.
+
 ## 1.0.4
 
 ClamAV 1.0.4 is a patch release with the following fixes:
 
diff --git a/libclamav/bytecode_api.h b/libclamav/bytecode_api.h
index 500aae3454..7c0bb9919f 100644
--- a/libclamav/bytecode_api.h
+++ b/libclamav/bytecode_api.h
@@ -167,10 +167,19 @@ enum FunctionalityLevels {
 FUNC_LEVEL_1_0 = 160, /**< LibClamAV release 1.0.0 */
 FUNC_LEVEL_1_0_1 = 161, /**< LibClamAV release 1.0.1 */
+ FUNC_LEVEL_1_0_2 = 162, /**< LibClamAV release 1.0.2 */
+ FUNC_LEVEL_1_0_3 = 163, /**< LibClamAV release 1.0.3 */
+ FUNC_LEVEL_1_0_4 = 164, /**< LibClamAV release 1.0.4 */
+ FUNC_LEVEL_1_0_5 = 165, /**< LibClamAV release 1.0.5 */
 FUNC_LEVEL_1_1 = 180, /**< LibClamAV release 1.1.0 */
+ FUNC_LEVEL_1_1_1 = 181, /**< LibClamAV release 1.1.1 */
+ FUNC_LEVEL_1_1_2 = 182, /**< LibClamAV release 1.1.2 */
+ FUNC_LEVEL_1_1_3 = 183, /**< LibClamAV release 1.1.3 */
 FUNC_LEVEL_1_2 = 190, /**< LibClamAV release 1.2.0 */
+ FUNC_LEVEL_1_2_1 = 191, /**< LibClamAV release 1.2.1 */
+ FUNC_LEVEL_1_2_2 = 192, /**< LibClamAV release 1.2.2 */
 FUNC_LEVEL_1_3 = 200, /**< LibClamAV release 1.3.0 */
 };