@@ -3,6 +3,77 @@

 Note: This file refers to the source tarball. Things described here may differ

  slightly from the binary packages.

+## 0.101.2

+

+ClamAV 0.101.2 is a patch release to address a handful of security related bugs.

+

+This patch release is being released alongside the 0.100.3 patch so that users

+who are unable to upgrade to 0.101 due to libclamav API changes are protected.

+

+This release includes 3 extra security related bug fixes that do not apply to

+prior versions.  In addition, it includes a number of minor bug fixes and

+improvements.

+

+- Fixes for the following vulnerabilities affecting 0.101.1 and prior:

+  - [CVE-2019-1787](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1787):

+    An out-of-bounds heap read condition may occur when scanning PDF

+    documents. The defect is a failure to correctly keep track of the number

+    of bytes remaining in a buffer when indexing file data.

+  - [CVE-2019-1789](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1789):

+    An out-of-bounds heap read condition may occur when scanning PE files

+    (i.e. Windows EXE and DLL files) that have been packed using Aspack as a

+    result of inadequate bound-checking.

+  - [CVE-2019-1788](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1788):

+    An out-of-bounds heap write condition may occur when scanning OLE2 files

+    such as Microsoft Office 97-2003 documents. The invalid write happens when

+    an invalid pointer is mistakenly used to initialize a 32bit integer to

+    zero. This is likely to crash the application.

+

+- Fixes for the following vulnerabilities affecting 0.101.1 and 0.101.0 only:

+  - [CVE-2019-1786](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1786):

+    An out-of-bounds heap read condition may occur when scanning malformed PDF

+    documents as a result of improper bounds-checking.

+  - [CVE-2019-1785](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1785):

+    A path-traversal write condition may occur as a result of improper input

+    validation when scanning RAR archives. Issue reported by aCaB.

+  - [CVE-2019-1798](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1798):

+    A use-after-free condition may occur as a result of improper error

+    handling when scanning nested RAR archives. Issue reported by David L.

+

+- Fixes for the following assorted bugs:

+  - Added checks to prevent shifts from causing undefined behavior in HTML

+    normalizer, UPX unpacker, ARJ extractor, CPIO extractor, OLE2 parser,

+    LZW decompressor used in the PDF parser, Xz decompressor, and UTF-16 to

+    ASCII transcoder.

+  - Added checks to prevent integer overflow in UPX unpacker.

+  - Fix for minor memory leak in OLE2 parser.

+  - Fix to speed up PDF parser when handling truncated (or malformed) PDFs.

+  - Fix for memory leak in ARJ decoder failure condition.

+  - Fix for potential memory and file descriptor leak in HTML normalization code.

+

+- Removed use of problematic feature that converted file descriptors to

+  file paths. The feature was intended to improve performance when scanning

+  file types, notably RAR archives, for which the API requires a file path.

+  This feature caused issues in environments where the ClamAV engine is run

+  in a low-permissions or sandboxed process. RAR archives are still supported

+  with this change, but performance may suffer slightly if the file path is not

+  provided in calls to `cl_scandesc_callback()`.

+  - Added filename and tempfile names to scandesc calls in clamd.

+  - Added general scan option `CL_SCAN_GENERAL_UNPRIVILEGED` to treat the scan

+    engine as unprivileged, meaning that the scan engine will not have read

+    access to the file. Provided file paths are for logging purposes only.

+  - Added ability to create a temp file when scanning RAR archives when the

+    process does not have read access to the file path provided (i.e.

+    unprivileged is set, or an access check fails).

+

+Thank you to the Google OSS-Fuzz project for identifying and reporting many of

+the bugs patched in this release.

+

+Additional thanks to the following community members for submitting bug reports:

+

+- aCaB

+- David L.

+

 ## 0.101.1

 ClamAV 0.101.1 is an urgent patch release to address an issue in 0.101.0

@@ -99,18 +170,18 @@ we've cooked up over the past 6 months.

     |                                  | `AlertEncryptedArchive`      |

     |                                  | `AlertEncryptedDoc`          |

-    | Old `clamscan` option        | *New* `clamscan` option          |

-    | ---------------------------- | -------------------------------- |

-    | `--algorithmic-detection`    | `--heuristic-alerts`             |

-    | `--detect-broken`            | `--alert-broken`                 |

-    | `--phishing-cloak`           | `--alert-phishing-cloak`         |

-    | `--phishing-ssl`             | `--alert-phishing-ssl`           |

-    | `--partition-intersection`   | `--alert-partition-intersection` |

-    | `--block-max`                | `--alert-exceeds-max`            |

-    | `--block-macros`             | `--alert-macros`                 |

-    | `--block-encrypted`          | `--alert-encrypted`              |

-    |                              | `--alert-encrypted-archive`      |

-    |                              | `--alert-encrypted-doc`          |

+    | Old `clamscan` option      | *New* `clamscan` option          |

+    | -------------------------- | -------------------------------- |

+    | `--algorithmic-detection`  | `--heuristic-alerts`             |

+    | `--detect-broken`          | `--alert-broken`                 |

+    | `--phishing-cloak`         | `--alert-phishing-cloak`         |

+    | `--phishing-ssl`           | `--alert-phishing-ssl`           |

+    | `--partition-intersection` | `--alert-partition-intersection` |

+    | `--block-max`              | `--alert-exceeds-max`            |

+    | `--block-macros`           | `--alert-macros`                 |

+    | `--block-encrypted`        | `--alert-encrypted`              |

+    |                            | `--alert-encrypted-archive`      |

+    |                            | `--alert-encrypted-doc`          |

 ### Some more subtle improvements

@@ -1,6 +1,6 @@

 #! /bin/sh

 # Guess values for system-dependent variables and create Makefiles.

-# Generated by GNU Autoconf 2.69 for ClamAV 0.101.1.

+# Generated by GNU Autoconf 2.69 for ClamAV 0.101.2.

 #

 # Report bugs to <https://bugzilla.clamav.net/>.

 #

@@ -592,8 +592,8 @@ MAKEFLAGS=

 # Identity of this package.

 PACKAGE_NAME='ClamAV'

 PACKAGE_TARNAME='clamav'

-PACKAGE_VERSION='0.101.1'

-PACKAGE_STRING='ClamAV 0.101.1'

+PACKAGE_VERSION='0.101.2'

+PACKAGE_STRING='ClamAV 0.101.2'

 PACKAGE_BUGREPORT='https://bugzilla.clamav.net/'

 PACKAGE_URL='https://www.clamav.net/'

@@ -1558,7 +1558,7 @@ if test "$ac_init_help" = "long"; then

   # Omit some internal or obsolete options to make the list less imposing.

   # This message is too long to be a string in the A/UX 3.1 sh.

   cat <<_ACEOF

-\`configure' configures ClamAV 0.101.1 to adapt to many kinds of systems.

+\`configure' configures ClamAV 0.101.2 to adapt to many kinds of systems.

 Usage: $0 [OPTION]... [VAR=VALUE]...

@@ -1629,7 +1629,7 @@ fi

 if test -n "$ac_init_help"; then

   case $ac_init_help in

-     short | recursive ) echo "Configuration of ClamAV 0.101.1:";;

+     short | recursive ) echo "Configuration of ClamAV 0.101.2:";;

    esac

   cat <<\_ACEOF

@@ -1854,7 +1854,7 @@ fi

 test -n "$ac_init_help" && exit $ac_status

 if $ac_init_version; then

   cat <<\_ACEOF

-ClamAV configure 0.101.1

+ClamAV configure 0.101.2

 generated by GNU Autoconf 2.69

 Copyright (C) 2012 Free Software Foundation, Inc.

@@ -2444,7 +2444,7 @@ cat >config.log <<_ACEOF

 This file contains any messages produced by compilers while

 running configure, to aid debugging if configure makes a mistake.

-It was created by ClamAV $as_me 0.101.1, which was

+It was created by ClamAV $as_me 0.101.2, which was

 generated by GNU Autoconf 2.69.  Invocation command line was

   $ $0 $@

@@ -4201,7 +4201,7 @@ fi

 # Define the identity of the package.

  PACKAGE='clamav'

- VERSION='0.101.1'

+ VERSION='0.101.2'

 # Some tools Automake needs.

@@ -5929,10 +5929,10 @@ $as_echo "$ac_cv_safe_to_define___extensions__" >&6; }

-VERSION="0.101.1"

+VERSION="0.101.2"

 LC_CURRENT=9

-LC_REVISION=1

+LC_REVISION=2

 LC_AGE=0

 LIBCLAMAV_VERSION="$LC_CURRENT":"$LC_REVISION":"$LC_AGE"

@@ -29986,7 +29986,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1

 # report actual input values of CONFIG_FILES etc. instead of their

 # values after options handling.

 ac_log="

-This file was extended by ClamAV $as_me 0.101.1, which was

+This file was extended by ClamAV $as_me 0.101.2, which was

 generated by GNU Autoconf 2.69.  Invocation command line was

   CONFIG_FILES    = $CONFIG_FILES

@@ -30053,7 +30053,7 @@ _ACEOF

 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1

 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"

 ac_cs_version="\\

-ClamAV config.status 0.101.1

+ClamAV config.status 0.101.2

 configured by $0, generated by GNU Autoconf 2.69,

   with options \\"\$ac_cs_config\\"

@@ -32875,7 +32875,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1

 # report actual input values of CONFIG_FILES etc. instead of their

 # values after options handling.

 ac_log="

-This file was extended by ClamAV $as_me 0.101.1, which was

+This file was extended by ClamAV $as_me 0.101.2, which was

 generated by GNU Autoconf 2.69.  Invocation command line was

   CONFIG_FILES    = $CONFIG_FILES

@@ -32942,7 +32942,7 @@ _ACEOF

 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1

 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"

 ac_cs_version="\\

-ClamAV config.status 0.101.1

+ClamAV config.status 0.101.2

 configured by $0, generated by GNU Autoconf 2.69,

   with options \\"\$ac_cs_config\\"

@@ -22,7 +22,7 @@ dnl   MA 02110-1301, USA.

 AC_PREREQ([2.59])

 dnl For a release change [devel] to the real version [0.xy]

 dnl also change VERSION below

-AC_INIT([ClamAV], [0.101.1], [https://bugzilla.clamav.net/], [clamav], [https://www.clamav.net/])

+AC_INIT([ClamAV], [0.101.2], [https://bugzilla.clamav.net/], [clamav], [https://www.clamav.net/])

 dnl enable C++

 AC_PROG_CXX()

@@ -1,4 +1,4 @@

-# Clam AntiVirus 0.101.1 *User Manual*

+# Clam AntiVirus 0.101.2 *User Manual*

 ![image](UserManual/images/demon.png)

@@ -6,9 +6,9 @@ If you wish to build ClamAV from source using Visual Studio 2015, please head ov

 Important: Installing ClamAV using the Installer will require Administrator privileges.

-1. Download: http://www.clamav.net/downloads/production/ClamAV-0.101.1.exe

+1. Download: http://www.clamav.net/downloads/production/ClamAV-0.101.2.exe

 2. Locate the file in your Downloads directory.

-3. Right-click on `ClamAV-0.101.1.exe` and select `Run as administrator`. You may receive a warning message along the lines of "Windows protected your PC".  Select `More info` and then select `Run anyway`.

+3. Right-click on `ClamAV-0.101.2.exe` and select `Run as administrator`. You may receive a warning message along the lines of "Windows protected your PC".  Select `More info` and then select `Run anyway`.

 4. Select `I accept the agreement` and click `Next`.

 5. Click `Next` again. If you've removed a previous installation of ClamAV, you may receive the prompt "The folder ... already exists...". If you do, select `Yes`.

 6. Click `Install`.

@@ -28,9 +28,9 @@ Continue on to "First Time Set-Up" below...

 ## Install using the ClamAV Portable Install Package

-1. Download: https://www.clamav.net/downloads/production/clamav-0.101.1-win-x64-portable.zip

+1. Download: https://www.clamav.net/downloads/production/clamav-0.101.2-win-x64-portable.zip

 2. Unzip it.

-3. Open the `clamav-0.101.1-win-x64-portable` directory.

+3. Open the `clamav-0.101.2-win-x64-portable` directory.

 4. Hold down Shift and then right-click on the background in the current directory (but not on one of the files). Select `"Open PowerShell window here"`. If that option doesn't appear, try again.

 Continue on to "First Time Set-Up"...

@@ -114,9 +114,11 @@ enum FunctionalityLevels {

     FUNC_LEVEL_0100_0    = 91, /* LibClamAV release 0.100.0, 0.100.0-rc */

     FUNC_LEVEL_0100_1    = 92, /**< LibClamAV release 0.100.1 */

     FUNC_LEVEL_0100_2    = 93, /**< LibClamAV release 0.100.2 */

+    FUNC_LEVEL_0100_3    = 94, /**< LibClamAV release 0.100.3 */

     FUNC_LEVEL_0101_0_BETA = 100, /* LibClamAV beta release 0.101.0-beta */

     FUNC_LEVEL_0101_0    = 101, /* LibClamAV release 0.101.0, 0.101.0-rc */

     FUNC_LEVEL_0101_1    = 102, /* LibClamAV release 0.101.1 */

+    FUNC_LEVEL_0101_2    = 103, /* LibClamAV release 0.101.3 */

     FUNC_LEVEL_100       = 255 /* future release candidate */

 };

@@ -1,9 +1,9 @@

 dnl change this on a release

 dnl VERSION="devel-`date +%Y%m%d`"

-VERSION="0.101.1"

+VERSION="0.101.2"

 LC_CURRENT=9

-LC_REVISION=1

+LC_REVISION=2

 LC_AGE=0

 LIBCLAMAV_VERSION="$LC_CURRENT":"$LC_REVISION":"$LC_AGE"

 AC_SUBST([LIBCLAMAV_VERSION])

@@ -8,7 +8,7 @@

 [Setup]

 AppName=ClamAV

-AppVersion=0.101.1

+AppVersion=0.101.2

 DefaultDirName={pf}\ClamAV

 DefaultGroupName=ClamAV

 AppCopyright=2019 Cisco Systems, Inc.

@@ -20,7 +20,7 @@ UninstallDisplayName=ClamAV

 Compression=lzma2

 SolidCompression=yes

 OutputDir=.

-OutputBaseFilename=ClamAV-0.101.1

+OutputBaseFilename=ClamAV-0.101.2

 WizardImageFile=demon.bmp

 WizardSmallImageFile=talos.bmp

@@ -475,7 +475,7 @@

 #define PACKAGE_NAME "ClamAV"

 /* Define to the full name and version of this package. */

-#define PACKAGE_STRING "ClamAV 0.101.1"

+#define PACKAGE_STRING "ClamAV 0.101.2"

 /* Define to the one symbol short name of this package. */

 #define PACKAGE_TARNAME "clamav"

@@ -484,7 +484,7 @@

 #define PACKAGE_URL "https://www.clamav.net/"

 /* Define to the version of this package. */

-#define PACKAGE_VERSION "0.101.1"

+#define PACKAGE_VERSION "0.101.2"

 /* scan buffer size */

 #define SCANBUFF 131072

@@ -520,7 +520,7 @@

 /* #undef USE_SYSLOG */

 /* Version number of package */

-#define VERSION "0.101.1"

+#define VERSION "0.101.2"

 /* Version suffix for package */

 #define VERSION_SUFFIX ""

@@ -6,8 +6,8 @@

 #define REPO_VERSION VERSION

 #endif

-#define RES_VER_Q 0,101,1,0

-#define RES_VER_S "ClamAV 0.101.1"

+#define RES_VER_Q 0,101,2,0

+#define RES_VER_S "ClamAV 0.101.2"

 VS_VERSION_INFO VERSIONINFO

     FILEVERSION RES_VER_Q