...
|
...
|
@@ -3,6 +3,52 @@
|
3
|
3
|
Note: This file refers to the source tarball. Things described here may differ
|
4
|
4
|
slightly from the binary packages.
|
5
|
5
|
|
|
6
|
+## 0.100.2
|
|
7
|
+
|
|
8
|
+ClamAV 0.100.2 is a patch release to address a set of vulnerabilities.
|
|
9
|
+
|
|
10
|
+- Fixes for the following ClamAV vulnerabilities:
|
|
11
|
+ - [CVE-2018-15378](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15378):
|
|
12
|
+ Vulnerability in ClamAV's MEW unpacking feature that could allow an
|
|
13
|
+ unauthenticated, remote attacker to cause a denial of service (DoS)
|
|
14
|
+ condition on an affected device.
|
|
15
|
+ Reported by Secunia Research at Flexera.
|
|
16
|
+ - Fix for a 2-byte buffer over-read bug in ClamAV's PDF parsing code.
|
|
17
|
+ Reported by Alex Gaynor.
|
|
18
|
+- Fixes for the following vulnerabilities in bundled third-party libraries:
|
|
19
|
+ - [CVE-2018-14680](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14680):
|
|
20
|
+ An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It
|
|
21
|
+ does not reject blank CHM filenames.
|
|
22
|
+ - [CVE-2018-14681](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14681):
|
|
23
|
+ An issue was discovered in kwajd_read_headers in mspack/kwajd.c in
|
|
24
|
+ libmspack before 0.7alpha. Bad KWAJ file header extensions could cause
|
|
25
|
+ a one or two byte overwrite.
|
|
26
|
+ - [CVE-2018-14682](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14682):
|
|
27
|
+ An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha.
|
|
28
|
+ There is an off-by-one error in the TOLOWER() macro for CHM decompression.
|
|
29
|
+ - Additionally, 0.100.2 reverted 0.100.1's patch for CVE-2018-14679, and applied
|
|
30
|
+ libmspack's version of the fix in its place.
|
|
31
|
+- Other changes:
|
|
32
|
+ - Some users have reported freshclam signature update failures as a result of
|
|
33
|
+ a delay between the time the new signature database content is announced and
|
|
34
|
+ the time that the content-delivery-network has the content available for
|
|
35
|
+ download. To mitigate these errors, this patch release includes some
|
|
36
|
+ modifications to freshclam to make it more lenient, and to reduce the time
|
|
37
|
+ that freshclam will ignore a mirror when it detects an issue.
|
|
38
|
+ - On-Access "Extra Scanning", an opt-in minor feature of OnAccess scanning on
|
|
39
|
+ Linux systems, has been disabled due to a known issue with resource cleanup.
|
|
40
|
+ OnAccessExtraScanning will be re-enabled in a future release when the issue
|
|
41
|
+ is resolved. In the mean-time, users who enabled the feature in clamd.conf
|
|
42
|
+ will see a warning informing them that the feature is not active.
|
|
43
|
+ For details, see: https://bugzilla.clamav.net/show_bug.cgi?id=12048
|
|
44
|
+
|
|
45
|
+Thank you to the following ClamAV community members for your code submissions
|
|
46
|
+and bug reports!
|
|
47
|
+
|
|
48
|
+- Alex Gaynor
|
|
49
|
+- Hiroya Ito
|
|
50
|
+- Laurent Delosieres, Secunia Research at Flexera
|
|
51
|
+
|
6
|
52
|
## 0.100.1
|
7
|
53
|
|
8
|
54
|
ClamAV 0.100.1 is a hotfix release to patch a set of vulnerabilities.
|
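Review bot: In the third-party-library list, the closing item about CVE-2018-14679 is the only CVE in the 0.100.2 section left as plain text, and the CVEs that are linked point to cve.mitre.org while the 0.100.1 entry touched in this same commit links to nvd.nist.gov. Link CVE-2018-14679 here as well and settle on one link target for the whole file. Under "Fixes for the following ClamAV vulnerabilities", the 2-byte PDF over-read item carries no CVE ID next to a sibling that does, so say explicitly if none was assigned. In the credits, Hiroya Ito is thanked but no entry above attributes a report or change to him. Minor wording: "mean-time" should be "meantime", and "On-Access" and "OnAccess" are spelled two ways in the same sentence.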
...
|
...
|
@@ -20,6 +66,7 @@ ClamAV 0.100.1 is a hotfix release to patch a set of vulnerabilities.
|
20
|
20
|
- Buffer over-read in unRAR code due to missing max value checks in table
|
21
|
21
|
initialization. Reported by Rui Reis.
|
22
|
22
|
- Libmspack heap buffer over-read in CHM parser. Reported by Hanno Böck.
|
|
23
|
+ CVE ID: [CVE-2018-14679](https://nvd.nist.gov/vuln/detail/CVE-2018-14679)
|
23
|
24
|
- PDF parser bugs reported by Alex Gaynor.
|
24
|
25
|
- Buffer length checks when reading integers from non-NULL terminated strings.
|
25
|
26
|
- Buffer length tracking when reading strings from dictionary objects.
|
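Review bot: The added "CVE ID:" line under the libmspack CHM over-read item gives a reader of the 0.100.1 section no hint that this patch was later reverted and replaced with libmspack's own fix, which the 0.100.2 section states. A short pointer on this line, for example "(patch superseded in 0.100.2)", would keep someone auditing a 0.100.1 build from assuming the shipped fix matches upstream. The other items in this list credit a reporter but carry no CVE ID, so it is worth confirming whether any of them were assigned one.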