@@ -7,11 +7,56 @@ Note: This file refers to the source tarball. Things described here may differ
|
7
|
7
|
|
8
|
8
|
ClamAV 0.102.2 is a bug patch release to address the following issues.
|
9
|
9
|
|
10
|
|
--
|
|
10
|
+- [CVE-2020-3123](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3123):
|
|
11
|
+ An Denial-of-Service (DoS) condition may occur when using the optional credit
|
|
12
|
+ card data-loss-prevention (DLP) feature. Improper bounds checking of an
|
|
13
|
+ unsigned variable resulted in an out-of-bounds read which causes a crash.
|
|
14
|
+
|
|
15
|
+- Significantly improved scan speed of PDF files on Windows.
|
|
16
|
+
|
|
17
|
+- Re-applied a fix to alleviate file access issues when scanning RAR files in
|
|
18
|
+ downstream projects that use libclamav where the scanning engine is operating
|
|
19
|
+ in a low-privelege process. This bug was originally fixed in 0.101.2 and the
|
|
20
|
+ fix was mistakenly omitted from 0.102.0.
|
|
21
|
+
|
|
22
|
+- Fixed an issue wherein freshclam failed to update if the database version
|
|
23
|
+ downloaded is 1 version older than advertised. This situation may occur after
|
|
24
|
+ a new database version is published. The issue affected users downloading the
|
|
25
|
+ whole CVD database file.
|
|
26
|
+
|
|
27
|
+- Changed the default freshclam ReceiveTimeout setting to 0 (infinite).
|
|
28
|
+ The ReceiveTimeout had caused needless database update failures for users with
|
|
29
|
+ slower internet connections.
|
|
30
|
+
|
|
31
|
+- Correctly display number of kilobytes (KiB) in progress bar and reduced the
|
|
32
|
+ size of the progress bar to accomodate 80-char width terminals.
|
|
33
|
+
|
|
34
|
+- Fixed an issue where running freshclam manually causes a daemonized freshclam
|
|
35
|
+ process to fail when it updates because the manual instance deletes the
|
|
36
|
+ temporary download directory. Freshclam temporary files will now download to a
|
|
37
|
+ unique directory created at the time of an update instead of using a hardcoded
|
|
38
|
+ directory created/destroyed at the program start/exit.
|
|
39
|
+
|
|
40
|
+- Fix for Freshclam's OnOutdatedExecute config option.
|
|
41
|
+
|
|
42
|
+- Fixes a memory leak in the error condition handling for the email parser.
|
|
43
|
+
|
|
44
|
+- Improved bound checking and error handling in ARJ archive parser.
|
|
45
|
+
|
|
46
|
+- Improved error handling in PDF parser.
|
|
47
|
+
|
|
48
|
+- Fix for memory leak in byte-compare signature handler.
|
|
49
|
+
|
|
50
|
+- Updates to the unit test suite to support libcheck 0.13.
|
|
51
|
+
|
|
52
|
+- Updates to support autoconf 2.69 and automake 1.15.
|
11
|
53
|
|
12
|
54
|
Special thanks to the following for code contributions and bug reports:
|
13
|
55
|
|
14
|
|
--
|
|
56
|
+- Antoine Deschênes
|
|
57
|
+- Eric Lindblad
|
|
58
|
+- Gianluigi Tiesi
|
|
59
|
+- Tuomo Soini
|
15
|
60
|
|
16
|
61
|
## 0.102.1
|
17
|
62
|
|
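Review bot: The CVE-2020-3123 entry at the top of the 0.102.2 list does not say which versions are affected, and the unchanged intro line still calls this a "bug patch release" although its first item is a CVE fix. The 0.101.5 entry added further down in this patch says "security patch release" and names the affected versions ("affecting 0.102.0 and 0.101.4 and prior"); suggest the same wording and an affected-versions clause here so readers can tell whether they need the update. The ReceiveTimeout item changes a default to 0 (infinite); a sentence on how users who relied on a finite timeout can restore it would help. Spelling in the added lines: "An Denial-of-Service" should be "A Denial-of-Service", "low-privelege" should be "low-privilege", and "accomodate" should be "accommodate".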
@@ -199,6 +244,92 @@ and for working diligently to ensure knowledge transfer up until his last day
|
199
|
199
|
on the team. Working with you was a pleasure, Joe, and we wish you the best
|
200
|
200
|
of luck in your next adventure!
|
201
|
201
|
|
|
202
|
+## 0.101.5
|
|
203
|
+
|
|
204
|
+ClamAV 0.101.5 is a security patch release that addresses the following issues.
|
|
205
|
+
|
|
206
|
+- Fix for the following vulnerability affecting 0.102.0 and 0.101.4 and prior:
|
|
207
|
+ - [CVE-2019-15961](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15961)
|
|
208
|
+ A Denial-of-Service (DoS) vulnerability may occur when scanning a specially
|
|
209
|
+ crafted email file as a result of excessively long scan times. The issue is
|
|
210
|
+ resolved by implementing several maximums in parsing MIME messages and by
|
|
211
|
+ optimizing use of memory allocation.
|
|
212
|
+
|
|
213
|
+- Added the zip scanning improvements found in v0.102.0 where it scans files
|
|
214
|
+ using zip records from a sorted catalogue which provides deduplication of
|
|
215
|
+ file records resulting in faster extraction and scan time and reducing the
|
|
216
|
+ likelihood of alerting on non-malicious duplicate file entries as overlapping
|
|
217
|
+ files.
|
|
218
|
+
|
|
219
|
+- Signature load time is significantly reduced by changing to a more efficient
|
|
220
|
+ algorithm for loading signature patterns and allocating the AC trie.
|
|
221
|
+ Patch courtesy of Alberto Wu.
|
|
222
|
+
|
|
223
|
+- Introduced a new configure option to statically link libjson-c with libclamav.
|
|
224
|
+ Static linking with libjson is highly recommended to prevent crashes in
|
|
225
|
+ applications that use libclamav alongside another JSON parsing library.
|
|
226
|
+
|
|
227
|
+- Null-dereference fix in email parser when using the `--gen-json` metadata
|
|
228
|
+ option.
|
|
229
|
+
|
|
230
|
+Special thanks to the following for code contributions and bug reports:
|
|
231
|
+
|
|
232
|
+- Alberto Wu
|
|
233
|
+- Joran Dirk Greef
|
|
234
|
+
|
|
235
|
+## 0.101.4
|
|
236
|
+
|
|
237
|
+ClamAV 0.101.4 is a security patch release that addresses the following issues.
|
|
238
|
+
|
|
239
|
+- An out of bounds write was possible within ClamAV's NSIS bzip2 library when
|
|
240
|
+ attempting decompression in cases where the number of selectors exceeded the
|
|
241
|
+ max limit set by the library (CVE-2019-12900). The issue has been resolved
|
|
242
|
+ by respecting that limit.
|
|
243
|
+
|
|
244
|
+ Thanks to Martin Simmons for reporting the issue [here](https://bugzilla.clamav.net/show_bug.cgi?id=12371)
|
|
245
|
+
|
|
246
|
+- The zip bomb vulnerability mitigated in 0.101.3 has been assigned the
|
|
247
|
+ CVE identifier CVE-2019-12625. Unfortunately, a workaround for the zip-bomb
|
|
248
|
+ mitigation was immediately identified. To remediate the zip-bomb scantime
|
|
249
|
+ issue, a scan time limit has been introduced in 0.101.4. This limit now
|
|
250
|
+ resolves ClamAV's vulnerability to CVE-2019-12625.
|
|
251
|
+
|
|
252
|
+ The default scan time limit is 2 minutes (120000 milliseconds).
|
|
253
|
+
|
|
254
|
+ To customize the time limit:
|
|
255
|
+
|
|
256
|
+ - use the `clamscan` `--max-scantime` option
|
|
257
|
+ - use the `clamd` `MaxScanTime` config option
|
|
258
|
+
|
|
259
|
+ Libclamav users may customize the time limit using the `cl_engine_set_num`
|
|
260
|
+ function. For example:
|
|
261
|
+
|
|
262
|
+ ```c
|
|
263
|
+ cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds)
|
|
264
|
+ ```
|
|
265
|
+
|
|
266
|
+ Thanks to David Fifield for reviewing the zip-bomb mitigation in 0.101.3
|
|
267
|
+ and reporting the issue.
|
|
268
|
+
|
|
269
|
+## 0.101.3
|
|
270
|
+
|
|
271
|
+ClamAV 0.101.3 is a patch release to address a vulnerability to non-recursive
|
|
272
|
+zip bombs.
|
|
273
|
+
|
|
274
|
+A Denial-of-Service (DoS) vulnerability may occur when scanning a zip bomb as a
|
|
275
|
+result of excessively long scan times. The issue is resolved by detecting the
|
|
276
|
+overlapping local file headers which characterize the non-recursive zip bomb
|
|
277
|
+described by David Fifield,
|
|
278
|
+[here](https://www.bamsoftware.com/hacks/zipbomb/).
|
|
279
|
+
|
|
280
|
+Thank you to Hanno Böck for reporting the issue as it relates to ClamAV,
|
|
281
|
+[here](https://bugzilla.clamav.net/show_bug.cgi?id=12356).
|
|
282
|
+
|
|
283
|
+Also included in 0.101.3:
|
|
284
|
+
|
|
285
|
+- Update of bundled the libmspack library from 0.8alpha to 0.10alpha, to
|
|
286
|
+ address a buffer overflow vulnerability in libmspack < 0.9.1α.
|
|
287
|
+
|
202
|
288
|
## 0.101.2
|
203
|
289
|
|
204
|
290
|
ClamAV 0.101.2 is a patch release to address a handful of security related bugs.
|
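Review bot: The C example in the 0.101.4 entry, `cl_engine_set_num(engine, CL_ENGINE_MAX_SCANTIME, time_limit_milliseconds)`, has no terminating semicolon, so it does not compile as pasted; suggest adding it. The two list items for `--max-scantime` and `MaxScanTime` give no unit, while the default just above is stated as "2 minutes (120000 milliseconds)"; say explicitly which unit each option takes. CVE-2019-12900 and CVE-2019-12625 appear as plain text, whereas CVE-2019-15961 in the 0.101.5 entry is a link; link them the same way for consistency. In the 0.101.3 entry, "Update of bundled the libmspack library" should read "Update of the bundled libmspack library", and the version notation is mixed ("0.10alpha" against "0.9.1α"); pick one form.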