ClamAV 1.0.2

@micahsnyder micahsnyder released this 16 Aug 16:11

ClamAV 1.0.2 is a critical patch release with the following fixes:

  • CVE-2023-20197
    Fixed a possible denial of service vulnerability in the HFS+ file parser.
    This issue affects versions 1.1.0, 1.0.1 through 1.0.0, 0.105.2 through 0.105.0,
    0.104.4 through 0.104.0, and 0.103.8 through 0.103.0.
    Thank you to Steve Smith for reporting this issue.

  • CVE-2023-20212
    Fixed a possible denial of service vulnerability in the AutoIt file parser.
    This issue affects versions 1.0.1 and 1.0.0.
    This issue does not affect version 1.1.0.

  • Fixed a build issue when using the Rust nightly toolchain, which was
    affecting the oss-fuzz build environment used for regression tests.

    • GitHub pull request: #996

  • Fixed a build issue on Windows when using Rust version 1.70 or newer.

    • GitHub pull request: #993

  • CMake build system improvement to support compiling with OpenSSL 3.x on
    macOS with the Xcode toolchain.

    The official ClamAV installers and packages are now built with OpenSSL 3.1.1
    or newer.

    • GitHub pull request: #973

  • Fixed an issue where ClamAV does not abort the signature load process after
    partially loading an invalid signature.
    The bug would later cause a crash when scanning certain files.

    • GitHub pull request: #952

  • Fixed an issue where ClamAV did not remove temporary files generated by
    the VBA and XLM extraction modules. The files are no longer leaked in
    patched versions of ClamAV where temporary files are written directly to the
    temp-directory instead of to a unique subdirectory.

    • GitHub pull request: #900

  • Set Git attributes to prevent Git from altering line endings for bundled Rust
    libraries. Third-party Rust libraries are bundled in the ClamAV release
    tarball. We do not commit them to our own Git repository, but community
    package maintainers may now store the tarball contents in Git.
    The Rust build system verifies the library manifest, and this change
    ensures that the hashes are correct.
    Improvement courtesy of Nicolas R.

    • GitHub pull request: #856

  • Fixed two bugs that would cause Freshclam to fail to update when applying a
    CDIFF database patch if that patch adds a file to the database archive
    or removes a file from the database archive.
    This bug also caused Sigtool to fail to create such a patch.

    • GitHub pull request: #901
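
The Git attributes fix above (pull request #856) matters because a checkout that rewrites LF as CRLF changes the bytes the manifest hashes were computed over. The check below is an added example, not ClamAV project code: it assumes the manifest is Cargo's per-crate `.cargo-checksum.json` with a `files` map of SHA-256 hashes, and it runs against a constructed crate with the hypothetical name `example-crate`.

```python
import json
import tempfile
from hashlib import sha256
from pathlib import Path


def audit_vendored_crate(crate_dir: Path) -> dict:
    """Classify each file listed in .cargo-checksum.json as ok, missing,
    line-endings (hash matches once CRLF is restored to LF) or modified."""
    manifest = json.loads((crate_dir / ".cargo-checksum.json").read_text())
    report = {}
    for rel_path, expected in manifest["files"].items():
        path = crate_dir / rel_path
        if not path.is_file():
            report[rel_path] = "missing"
            continue
        data = path.read_bytes()
        if sha256(data).hexdigest() == expected:
            report[rel_path] = "ok"
        elif sha256(data.replace(b"\r\n", b"\n")).hexdigest() == expected:
            report[rel_path] = "line-endings"
        else:
            report[rel_path] = "modified"
    return report


def demo() -> dict:
    """Build a constructed crate, then simulate Git rewriting LF as CRLF."""
    files = {  # constructed sample content, not from any real crate
        "Cargo.toml": b'[package]\nname = "example-crate"\nversion = "0.1.0"\n',
        "src/lib.rs": b"pub fn answer() -> u32 {\n    42\n}\n",
        "README.md": b"constructed sample\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        crate = Path(tmp) / "example-crate"  # hypothetical crate name
        (crate / "src").mkdir(parents=True)
        for rel, data in files.items():
            (crate / rel).write_bytes(data)
        manifest = {"files": {r: sha256(d).hexdigest() for r, d in files.items()}}
        (crate / ".cargo-checksum.json").write_text(json.dumps(manifest))
        # Simulated checkout with line-ending conversion, plus a genuine edit.
        (crate / "src/lib.rs").write_bytes(files["src/lib.rs"].replace(b"\n", b"\r\n"))
        (crate / "README.md").write_bytes(b"edited after vendoring\n")
        return audit_vendored_crate(crate)


if __name__ == "__main__":
    print(demo())
```

A `line-endings` result means the file differs from the manifest only by CRLF conversion, which is the condition the Git attributes change prevents; `modified` means the content differs for some other reason.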

Special thanks to the following people for code contributions and bug reports:

  • Nicolas R.
  • Steve Smith