@@ -22,7 +22,7 @@ string(TIMESTAMP TODAY "%Y%m%d")

 set(VERSION_SUFFIX "")

 project( ClamAV

-         VERSION "1.0.7"

+         VERSION "1.0.8"

          DESCRIPTION "ClamAV open source email, web, and end-point anti-virus toolkit." )

 set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH})

@@ -10,7 +10,7 @@ properties(

         parameters(

             [

                 string(name: 'VERSION',

-                       defaultValue: '1.0.7',

+                       defaultValue: '1.0.8',

                        description: 'ClamAV version string'),

                 string(name: 'FRAMEWORK_BRANCH',

                        defaultValue: '1.0',

@@ -3,6 +3,25 @@

 Note: This file refers to the official packages. Things described here may

 differ slightly from third-party binary packages.

+## 1.0.8

+

+ClamAV 1.0.8 is a patch release with the following fixes:

+

+- [CVE-2025-20128](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20128):

+  Fixed a possible buffer overflow read bug in the OLE2 file parser that could

+  cause a denial-of-service (DoS) condition.

+

+  This issue was introduced in version 1.0.0 and affects all currently

+  supported versions. It will be fixed in:

+  - 1.4.2

+  - 1.0.8

+

+  Thank you to OSS-Fuzz for identifying this issue.

+

+- ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.

+  This is a backport of a fix from ClamAV 1.3.0.

+  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1426)

+

 ## 1.0.7

 ClamAV 1.0.7 is a patch release with the following fixes:

@@ -171,6 +171,7 @@ enum FunctionalityLevels {

     FUNC_LEVEL_1_0_5 = 165, /**< LibClamAV release 1.0.5 */

     FUNC_LEVEL_1_0_6 = 166, /**< LibClamAV release 1.0.6 */

     FUNC_LEVEL_1_0_7 = 167, /**< LibClamAV release 1.0.7 */

+    FUNC_LEVEL_1_0_8 = 168, /**< LibClamAV release 1.0.8 */

 };

 /**

@@ -1835,7 +1835,7 @@ static cl_error_t handler_otf_encrypted(ole2_header_t *hdr, property_t *prop, co

             }

             bytesRead += blockSize;

-            for (; writeIdx <= (leftover + bytesToWrite) - 16; writeIdx += 16, decryptDstIdx += 16) {

+            for (; writeIdx + 16 <= leftover + bytesToWrite; writeIdx += 16, decryptDstIdx += 16) {

                 rijndaelDecrypt(rk, nrounds, &(buff[writeIdx]), &(decryptDst[decryptDstIdx]));

             }

@@ -73,7 +73,7 @@

  * in re-enabling affected modules.

  */

-#define CL_FLEVEL 167

+#define CL_FLEVEL 168

 #define CL_FLEVEL_DCONF CL_FLEVEL

 #define CL_FLEVEL_SIGTOOL CL_FLEVEL

@@ -6,8 +6,8 @@

 #define REPO_VERSION VERSION

 #endif

-#define RES_VER_Q 1,0,7,0

-#define RES_VER_S "ClamAV 1.0.7"

+#define RES_VER_Q 1,0,8,0

+#define RES_VER_S "ClamAV 1.0.8"

 VS_VERSION_INFO VERSIONINFO

     FILEVERSION RES_VER_Q