CVE-2022-20792: ClamAV 0.105.0, 0.104.3, 0.103.6 released

A vulnerability in the regex module used by the signature database load module of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an authenticated, local attacker to crash ClamAV at database load time, and possibly gain code execution. The vulnerability is due to improper bounds checking that may result in a multi-byte heap buffer overflow write. An attacker could exploit this vulnerability by placing a crafted CDB ClamAV signature database file in the ClamAV database directory. An exploit could allow the attacker to run code as the clamav user.
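
The practical precondition for CVE-2022-20792 is write access to the database directory, so the first thing to verify on a host that cannot be patched immediately is who can write there. The script below is an added example for this page, not ClamAV project code: it audits a database directory for group/other-writable entries, unexpected owners, symlinks and loose .cdb files, and demonstrates itself on a constructed layout under a temporary directory. The real path (for example /var/lib/clamav) and the expected owner are assumptions you set for your own install.

```python
"""Audit a ClamAV database directory for the precondition of CVE-2022-20792.

Added example for this page; not ClamAV project code.  The bug is reached
through a crafted .cdb signature file in the database directory, so a local
attacker first needs write access to that directory or to a file in it.
The real path (e.g. /var/lib/clamav) and the expected owner are assumptions
for your install; run_demo() builds a throw-away layout in a temp directory."""
import os
import stat
import tempfile
from typing import List, Optional

GROUP_OR_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def _mode(st: os.stat_result) -> str:
    return oct(stat.S_IMODE(st.st_mode))


def audit_db_dir(path: str, expected_uid: Optional[int] = None) -> List[str]:
    """Return findings for `path`; an empty list means nothing was flagged.

    Flags: directory or entries writable by group/other, entries not owned
    by `expected_uid` (when given), symlinks (they can point at files an
    attacker controls) and loose .cdb files, which, unlike the signed .cvd
    archives freshclam downloads, carry no signature of their own."""
    findings: List[str] = []
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    if stat.S_IMODE(st.st_mode) & GROUP_OR_OTHER_WRITE:
        findings.append(f"{path}: directory writable by group/other ({_mode(st)})")
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        fst = os.lstat(full)
        if stat.S_ISLNK(fst.st_mode):
            findings.append(f"{full}: symlink inside the database directory")
            continue
        if stat.S_IMODE(fst.st_mode) & GROUP_OR_OTHER_WRITE:
            findings.append(f"{full}: writable by group/other ({_mode(fst)})")
        if expected_uid is not None and fst.st_uid != expected_uid:
            findings.append(f"{full}: owned by uid {fst.st_uid}, expected {expected_uid}")
        if name.lower().endswith(".cdb"):
            findings.append(f"{full}: loose .cdb file (unsigned); confirm it was placed deliberately")
    return findings


def build_demo_dir(root: str) -> str:
    """Construct a sample layout under `root`: a sane main.cvd placeholder, a
    group/other-writable custom.cdb and a symlink.  Contents are placeholders,
    not real signature databases."""
    db = os.path.join(root, "clamav-db")
    os.mkdir(db)
    os.chmod(db, 0o755)
    good = os.path.join(db, "main.cvd")
    with open(good, "wb") as fh:
        fh.write(b"placeholder\n")
    os.chmod(good, 0o644)
    bad = os.path.join(db, "custom.cdb")
    with open(bad, "w") as fh:
        fh.write("# placeholder, not a real signature\n")
    os.chmod(bad, 0o666)
    os.symlink(good, os.path.join(db, "link.ndb"))
    return db


def run_demo() -> List[str]:
    """Build the constructed layout, audit it and return the findings."""
    expected_uid = os.getuid() if hasattr(os, "getuid") else None
    with tempfile.TemporaryDirectory() as tmp:
        return audit_db_dir(build_demo_dir(tmp), expected_uid)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run it as-is to see the three findings for the constructed directory, or call audit_db_dir on the real path with the uid of the account that owns the databases (pwd.getpwnam is the usual way to look it up). A clean result narrows who can trigger the bug; it does not replace updating, since the crash and possible code execution run as the clamav user, the same account that normally owns and updates the directory.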

The ClamAV 0.105.0 feature release is now stable and available for download on ClamAV.net or through Docker Hub.

Today, we’re also publishing the 0.104.3 and 0.103.6 security patch versions, including several CVE fixes. These fixes have also been included in the 0.105 feature release. The source package and installer packages for these versions can be found under the “Previous Stable Releases” section of our Downloads page.

As a reminder, the 0.105 and 0.104 release files now include the following install packages:

  • x86_64 and i686 RPM packages are compatible with RPM-based Linux distributions running glibc version 2.17 or newer.

  • x86_64 and i686 DEB packages are compatible with Debian-based Linux distributions running glibc version 2.23 or newer.

  • An x86_64/ARM64 macOS installer package is compatible with Intel and Apple M1 systems.

  • x64 and win32 Windows packages are compatible with Windows 7 and newer.

Keep reading to find out what is in each version.

0.105.0

ClamAV 0.105.0 includes the following improvements and changes.

New Requirements

  • Starting with ClamAV v0.105, the Rust toolchain is required to compile ClamAV.

    You can install the Rust toolchain for your development environment by following the instructions on the rustup website. Some binary package distributions do provide relatively up-to-date packages of the Rust toolchain, but many do not. Using rustup ensures that you have the most up-to-date Rust compiler at the time of installation. Keep your toolchain updated for new features and bug/security fixes by periodically executing:

  • Building ClamAV requires, at a minimum, Rust compiler version 1.56, as it relies on features introduced in the Rust 2021 Edition.

    ClamAV’s third-party Rust library dependencies are vendored into the release tarball (clamav-<version>.tar.gz) file that we publish on clamav.net/downloads. But, if you build from a Git clone or from an unofficial tarball taken from GitHub.com, you will need the internet to download the Rust libraries during the build.

Major changes

  • Increased the default limits for file and scan size:

    • MaxScanSize: 100M to 400M
    • MaxFileSize: 25M to 100M
    • StreamMaxLength: 25M to 100M
    • PCREMaxFileSize: 25M to 100M
    • MaxEmbeddedPE: 10M to 40M
    • MaxHTMLNormalize: 10M to 40M
    • MaxScriptNormalize: 5M to 20M
    • MaxHTMLNoTags: 2M to 8M
  • Added image fuzzy hash subsignatures for logical signatures.

    Image fuzzy hash subsignatures are a new feature for detecting images known to be used in phishing campaigns or otherwise used when distributing malware.

    Image fuzzy hash subsignatures follow this format:

    fuzzy_img#<hash>
    

    For example:

    logo.png;Engine:150-255,Target:0;0;fuzzy_img#af2ad01ed42993c7

    logo.png-2;Engine:150-255,Target:0;0&1;49484452;fuzzy_img#af2ad01ed42993c7

    This initial implementation does not support matching with a hamming distance, but it may be added in the future.

    ClamAV’s image fuzzy hash is very close to, but not identical to, the fuzzy hash generated by the Python imagehash package’s phash() function. These are only clean-room approximations of the pHash™️ algorithm. ClamAV’s image fuzzy hashes are not expected to match the fuzzy hashes generated using other tools.

    To generate the image fuzzy hash, run this command:

    sigtool --fuzzy-img FILE(S)

    Or, you may generate it through clamscan like:

    clamscan --gen-json --debug /path/to/file

    The hash will appear in the JSON above the “SCAN SUMMARY” under the object named "ImageFuzzyHash".

  • ClamScan and ClamDScan (Windows only):

    • Added a process memory scanning feature from ClamWin’s ClamScan.

      This adds three new options to ClamScan and ClamDScan on Windows:

      • --memory
      • --kill
      • --unload

      Special thanks to:

      • Gianluigi Tiesi for allowing us to integrate the Windows process memory scanning feature from ClamWin into ClamAV.
      • Grace Kang for integrating the ClamScan feature, and for extending it to work with ClamDScan in addition.
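
To put the fuzzy_img subsignature format described above to use, a custom signature normally goes from a hash reported by sigtool or by the --gen-json metadata into one line of an .ldb file. The script below is an added example for this page, not ClamAV's own tooling: it pulls "ImageFuzzyHash" values out of scan metadata JSON (the sample is constructed; the nested "ContainedObjects" key is an assumption about how embedded files are laid out), builds the logical signature line in the page's format, and lints .ldb lines so that an out-of-range subsignature index or a fuzzy_img subsignature carrying a hamming-distance suffix (which this release does not support) is caught before the file is loaded. The 16-hex-digit hash length is taken from the page's example.

```python
"""Turn an image fuzzy hash into a logical signature and lint .ldb lines.

Added example for this page, not ClamAV project code.  Assumptions: the hash
is 16 hex digits (64 bits) as in the page's example; the metadata JSON below
is constructed (only the "ImageFuzzyHash" key comes from the page, the
"ContainedObjects" nesting for embedded files is assumed); '#' lines in an
.ldb file are treated as comments by this linter."""
import json
import re
from typing import Dict, List

HASH_RE = re.compile(r"^[0-9a-f]{16}$", re.I)
FUZZY_SUBSIG_RE = re.compile(r"^fuzzy_img#([0-9a-f]{16})$", re.I)
# Subsig indices in a logical expression: a number at the start or right after
# '(', '&' or '|'.  Numbers after '=', '<' or '>' are match counts, not indices.
INDEX_RE = re.compile(r"(?:^|[(&|])(\d+)")

SAMPLE_METADATA = json.dumps({  # constructed, not real clamscan output
    "FileName": "logo.png",
    "ImageFuzzyHash": "af2ad01ed42993c7",
    "ContainedObjects": [
        {"FileName": "embedded.png", "ImageFuzzyHash": "0123456789ABCDEF"},
    ],
})


def fuzzy_hashes_from_metadata(metadata_json: str) -> List[str]:
    """Collect every ImageFuzzyHash value at any nesting depth, lower-cased."""
    found: List[str] = []

    def walk(node: object) -> None:
        if isinstance(node, dict):
            for key, value in node.items():
                if key == "ImageFuzzyHash" and isinstance(value, str):
                    found.append(value.lower())
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(metadata_json))
    return found


def make_fuzzy_img_signature(name: str, hash_hex: str,
                             min_flevel: int = 150, max_flevel: int = 255) -> str:
    """Return one .ldb line: Name;Engine:MIN-MAX,Target:0;0;fuzzy_img#HASH.
    The Engine range defaults to the 150-255 used in the page's examples."""
    hash_hex = hash_hex.lower()
    if not HASH_RE.match(hash_hex):
        raise ValueError(f"not a 64-bit hex image fuzzy hash: {hash_hex!r}")
    if ";" in name:
        raise ValueError("';' separates signature fields and may not appear in the name")
    return f"{name};Engine:{min_flevel}-{max_flevel},Target:0;0;fuzzy_img#{hash_hex}"


def parse_ldb_line(line: str) -> Dict[str, object]:
    """Split Name;TargetDescription;LogicalExpr;Subsig0;... and check it.
    Raises ValueError on a malformed line."""
    parts = line.rstrip("\r\n").split(";")
    if len(parts) < 4:
        raise ValueError("need name, target description, expression and one subsig")
    name, target_desc, expr, subsigs = parts[0], parts[1], parts[2], parts[3:]
    if not name or not expr:
        raise ValueError("empty signature name or logical expression")
    for idx in {int(tok) for tok in INDEX_RE.findall(expr)}:
        if idx >= len(subsigs):
            raise ValueError(f"expression uses subsig {idx} but only {len(subsigs)} given")
    fuzzy: List[str] = []
    for sub in subsigs:
        if not sub:
            raise ValueError("empty subsignature")
        if sub.startswith("fuzzy_img#"):
            m = FUZZY_SUBSIG_RE.match(sub)
            if not m:  # also rejects a '#distance' suffix: no hamming distance support yet
                raise ValueError(f"bad fuzzy_img subsignature: {sub!r}")
            fuzzy.append(m.group(1).lower())
    return {"name": name, "target": target_desc, "expression": expr,
            "subsigs": subsigs, "fuzzy_hashes": fuzzy}


def lint_ldb(text: str) -> List[str]:
    """Return one message per bad line of an .ldb body; [] means it is clean."""
    problems: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        try:
            parse_ldb_line(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
    return problems


if __name__ == "__main__":
    for i, h in enumerate(fuzzy_hashes_from_metadata(SAMPLE_METADATA)):
        print(make_fuzzy_img_signature(f"logo.png-{i}", h))
    print(lint_ldb("x;Engine:150-255,Target:0;0&1;49484452\n"))  # index 1 missing
```

Loading the emitted line is the usual clamscan -d custom.ldb FILE. Keep the Engine range as in the examples: the functionality-level range is what lets an older engine, which does not know fuzzy_img, skip the signature instead of rejecting the database.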

Notable changes

  • Updated the LLVM bytecode runtime support so that it can use LLVM versions 8 through 12 and removed support for earlier LLVM versions. Using LLVM JIT for the bytecode runtime may improve scan performance over the built-in bytecode interpreter runtime, which is the default. If you wish to build using LLVM, you must obtain a complete build of the LLVM libraries including the development headers and static libraries.

    There are some known issues in compiling and running the test suite with some LLVM installations. We are working to further stabilize LLVM bytecode runtime support, and document specific edge cases. Your feedback is welcome.

    For details about building ClamAV with the LLVM bytecode runtime, see the install reference documentation.

  • Added a GenerateMetadataJson option to ClamD. The functionality is equivalent to the clamscan --gen-json option. Scan metadata is useful for file analysis and for debugging scan behavior. If Debug is enabled, ClamD will print out the JSON after each scan. If LeaveTemporaryFiles is enabled, ClamD will drop a metadata.json file in the scan-temp directory. You can customize the scan-temp directory path using the TemporaryDirectory option.

  • The libclamunrar.so library’s SO version now matches that of libclamav.so. The upstream UnRAR library does not have an SO version that we should match. This change is to prevent a possible collision when multiple ClamAV versions are installed.

  • CMake: Added support for using an external TomsFastMath library (libtfm).

    To use an external TomsFastMath library, configure the build with the new option -D ENABLE_EXTERNAL_TOMSFASTMATH=ON. The following CMake variables may also be set as needed:

    • -D TomsFastMath_INCLUDE_DIR=<path> - The directory containing tfm.h.
    • -D TomsFastMath_LIBRARY=<path> - The path to the TomsFastMath library.

    Also updated the vendored TomsFastMath code to version 0.13.1.

Other improvements

  • Freshclam:

    • Improved ReceiveTimeout behavior so that it will abort a download attempt if the download is not making significant progress. Previously this limit was an absolute time limit for the download and could abort prematurely for those on a slower connection. Special thanks to Simon Arlott for this improvement.
  • Rewrote the ClamAV database archive incremental-update feature (CDIFF) from scratch in Rust. The new implementation was our first module to be rewritten in Rust. It is significantly faster at applying updates that remove large numbers of signatures from a database, such as when migrating signatures from daily.cvd to main.cvd.

  • Freshclam & ClamD:

    • Increased the maximum line-length for freshclam.conf and clamd.conf from 512-characters to 1024-characters. This change was by request to accommodate very long DatabaseMirror options when using access tokens in the URI.
  • Removed the Heuristics.PNG.CVE-2010-1205 detection. This alert had been placed behind the --alert-broken-media (SCAN_HEURISTIC_BROKEN_MEDIA) option in 0.103.3 and 0.104 because of excessive alerts on slightly malformed but non-malicious files. Now it is completely removed.

  • Added support for building ClamDTop using ncursesw if ncurses can not be found. Patch courtesy of Carlos Velasco.
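
The raised size limits, the longer configuration lines and the AlertBrokenMedia option named in the TIFF fix below all live in clamd.conf and freshclam.conf, so a configuration audit is the natural check after upgrading. The script below is an added example for this page, not ClamAV code: it reads the Option Value syntax of either file, compares explicitly set size limits with the 0.105 and pre-0.105 defaults listed above, flags lines longer than 512 and 1024 characters, and flags AlertBrokenMedia yes because on unpatched 0.104.0 through 0.104.2 and 0.103.5 or earlier that option reaches the TIFF parser infinite loop (CVE-2022-20771). The size parser and both sample configurations are the example's own and constructed.

```python
"""Audit clamd.conf / freshclam.conf against what the 0.105 release changed.

Added example for this page, not ClamAV project code.  The option names and
default values come from the release notes above; the K/M/G size parser and
the two sample configurations are this example's own (constructed)."""
import re
from typing import Dict, List, Tuple

MIB = 1024 ** 2
# option: (0.105 default, pre-0.105 default) in bytes, from the list above.
LIMITS: Dict[str, Tuple[int, int]] = {
    "MaxScanSize":        (400 * MIB, 100 * MIB),
    "MaxFileSize":        (100 * MIB, 25 * MIB),
    "StreamMaxLength":    (100 * MIB, 25 * MIB),
    "PCREMaxFileSize":    (100 * MIB, 25 * MIB),
    "MaxEmbeddedPE":      (40 * MIB, 10 * MIB),
    "MaxHTMLNormalize":   (40 * MIB, 10 * MIB),
    "MaxScriptNormalize": (20 * MIB, 5 * MIB),
    "MaxHTMLNoTags":      (8 * MIB, 2 * MIB),
}
OLD_MAX_LINE, NEW_MAX_LINE = 512, 1024  # config line limits before / since 0.105
SIZE_RE = re.compile(r"^(\d+)([KkMmGg]?)$")


def parse_size(value: str) -> int:
    """Turn '25M', '400m', '512K', '1G' or a plain byte count into bytes."""
    m = SIZE_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a size: {value!r}")
    num, unit = int(m.group(1)), m.group(2).upper()
    return num * {"": 1, "K": 1024, "M": MIB, "G": 1024 ** 3}[unit]


def human(n: int) -> str:
    return f"{n // MIB}M" if n % MIB == 0 else str(n)


def audit_conf(text: str) -> List[str]:
    """Return findings for a clamd.conf or freshclam.conf body; [] is clean.
    Only explicitly set options are inspected: an absent option takes the
    default compiled into whichever ClamAV version is installed."""
    findings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip("\r")
        if len(line) > NEW_MAX_LINE:
            findings.append(f"line {lineno}: {len(line)} chars, over the {NEW_MAX_LINE}-char limit")
        elif len(line) > OLD_MAX_LINE:
            findings.append(f"line {lineno}: {len(line)} chars, accepted only by 0.105 and later")
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        option, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if option in LIMITS:
            new_default, old_default = LIMITS[option]
            try:
                size = parse_size(value)
            except ValueError as exc:
                findings.append(f"line {lineno}: {option}: {exc}")
                continue
            if size == 0:
                findings.append(f"line {lineno}: {option} 0 removes the limit; a crafted "
                                "large input can then exhaust scanner memory and CPU")
            elif size < new_default:
                findings.append(f"line {lineno}: {option} {human(size)} is below the 0.105 "
                                f"default {human(new_default)} (pre-0.105 default "
                                f"{human(old_default)}); input above the limit is skipped "
                                "rather than scanned")
            elif size > new_default:
                findings.append(f"line {lineno}: {option} {human(size)} is above the 0.105 "
                                f"default {human(new_default)}; each scan may hold more "
                                "data in memory and take longer")
        elif option == "AlertBrokenMedia" and value.lower() in ("yes", "true", "1"):
            findings.append(f"line {lineno}: AlertBrokenMedia enabled; on 0.104.0-0.104.2 and "
                            "0.103.5 or earlier this reaches the TIFF parser loop (CVE-2022-20771)")
    return findings


SAMPLE_CLAMD_CONF = "\n".join([  # constructed fragment, not from a real host
    "# constructed clamd.conf fragment",
    "LogFile /var/log/clamav/clamd.log",
    "MaxScanSize 100M",
    "MaxFileSize 25M",
    "StreamMaxLength 100M",
    "AlertBrokenMedia yes",
])
SAMPLE_FRESHCLAM_CONF = "\n".join([  # constructed: token-bearing mirror URIs
    "# constructed freshclam.conf fragment",
    "DatabaseMirror https://mirror.example/?token=" + "x" * 600,
    "DatabaseMirror https://mirror.example/?token=" + "y" * 1100,
])

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CLAMD_CONF) + audit_conf(SAMPLE_FRESHCLAM_CONF):
        print(finding)
```

Read the findings as trade-offs rather than pass/fail: a limit below the new default means large inputs are skipped rather than scanned, a limit above it means each scan may hold more data in memory, and 0 removes the limit altogether. The old defaults are listed alongside because an option that is not set at all takes whatever default the installed version was built with.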

Bug fixes

The CVE fixes below are also addressed in versions 0.104.3 and 0.103.6.

  • CVE-2022-20803: Fixed a possible double-free vulnerability in the OLE2 file parser. Issue affects versions 0.104.0 through 0.104.2. Issue identified by OSS-Fuzz.

  • CVE-2022-20770: Fixed a possible infinite loop vulnerability in the CHM file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

  • CVE-2022-20796: Fixed a possible NULL-pointer dereference crash in the scan verdict cache check. Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2. Thank you to Alexander Patrakov and Antoine Gatineau for reporting this issue.

  • CVE-2022-20771: Fixed a possible infinite loop vulnerability in the TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. The issue only occurs if the --alert-broken-media ClamScan option is enabled. For ClamD, the affected option is AlertBrokenMedia yes, and for libclamav it is the CL_SCAN_HEURISTIC_BROKEN_MEDIA scan option. Thank you to Michał Dardas for reporting this issue.

  • CVE-2022-20785: Fixed a possible memory leak in the HTML file parser / Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

  • CVE-2022-20792: Fixed a possible multi-byte heap buffer overflow write vulnerability in the signature database load module. The fix was to update the vendored regex library to the latest version. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

  • ClamOnAcc: Fixed a number of assorted stability issues and added niceties for debugging ClamOnAcc. Patches courtesy of Frank Fegert.

  • Fixed an issue causing byte-compare subsignatures to cause an alert when they match even if other conditions of the given logical signatures were not met.

  • Fixed an issue causing XLM macro false positives when scanning XLS documents containing images if the --alert-macros (AlertOLE2Macros) option was enabled.

  • Fixed an issue causing signature alerts for images in XLS files to be lost.

  • Fixed an issue preventing multiple matches when scanning in all-match mode.

  • Docker:

    • Fixed an issue exposing the health check port. Patch courtesy of Sammy Chu.
    • Fixed an issue with health check failure false positives during container startup. Patch courtesy of Olliver Schinagl.
    • Set the default time zone to Etc/UTC. The --env parameter can be used to customize the time zone by setting the TZ environment variable. Patch courtesy of Olliver Schinagl.
    • Fixed an issue where ClamD would listen only for IPv4 connections in environments where IPv6 is preferred. ClamD will now listen to all addresses available (IPv4 and IPv6). This is the default behavior of ClamD. Patch courtesy of Andre Breiler.
  • Enable support for ncursesw, the wide-character / unicode version of ncurses.

  • Added support for detecting the curses library dependency even when the associated pkg-config file is not present. This resolves a build issue on some BSD distributions. Patch courtesy of Stuart Henderson.

  • Windows: Fixed UTF-8 file path issues affecting both scanning and log messages.

  • Assorted bug fixes and improvements.

Acknowledgments

Special thanks to the following people for code contributions and bug reports:

  • Ahmon Dancy
  • Alexander Patrakov
  • Alexander Sulfrian
  • Andre Breiler
  • Antoine Gatineau
  • Carlos Velasco
  • Bernd Kuhls
  • David Korczynski
  • Fabrice Fontaine
  • Frank Fegert
  • Gianluigi Tiesi
  • Giovanni Bechis
  • Grace Kang
  • John Humlick
  • Jordan Ernst
  • JunWei Song
  • Michał Dardas
  • mko-x
  • Olliver Schinagl
  • Răzvan Cojocaru
  • Sammy Chu
  • Sergey Valentey
  • Simon Arlott
  • Stuart Henderson
  • Yann E. Morin

0.104.3

ClamAV 0.104.3 is a critical patch release with the following fixes:

  • CVE-2022-20803: Fixed a possible double-free vulnerability in the OLE2 file parser. Issue affects versions 0.104.0 through 0.104.2. Issue identified by OSS-Fuzz.

  • CVE-2022-20770: Fixed a possible infinite loop vulnerability in the CHM file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

  • CVE-2022-20796: Fixed a possible NULL-pointer dereference crash in the scan verdict cache check. Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2. Thank you to Alexander Patrakov and Antoine Gatineau for reporting this issue.

  • CVE-2022-20771: Fixed a possible infinite loop vulnerability in the TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. The issue only occurs if the --alert-broken-media ClamScan option is enabled. For ClamD, the affected option is AlertBrokenMedia yes, and for libclamav it is the CL_SCAN_HEURISTIC_BROKEN_MEDIA scan option. Thank you to Michał Dardas for reporting this issue.

  • CVE-2022-20785: Fixed a possible memory leak in the HTML file parser / Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

  • CVE-2022-20792: Fixed a possible multi-byte heap buffer overflow write vulnerability in the signature database load module. The fix was to update the vendored regex library to the latest version. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

  • ClamOnAcc: Fixed a number of assorted stability issues and added niceties for debugging ClamOnAcc. Patches courtesy of Frank Fegert.

  • Enable support for ncursesw, the wide-character/Unicode version of ncurses.

  • Added support for detecting the curses library dependency even when the associated pkg-config file is not present. This resolves a build issue on some BSD distributions. Patch courtesy of Stuart Henderson.

  • Docker:

    • Fixed an issue exposing the health check port. Patch courtesy of Sammy Chu.
    • Fixed an issue with health check failure false positives during container startup. Patch courtesy of Olliver Schinagl.
    • Set the default time zone to Etc/UTC. The --env parameter can be used to customize the time zone by setting the TZ environment variable. Patch courtesy of Olliver Schinagl.
  • Fixed an issue causing XLM macro false positives when scanning XLS documents containing images if the --alert-macros (AlertOLE2Macros) option was enabled.

  • Fixed an issue causing signature alerts for images in XLS files to be lost.

  • Fixed an issue causing byte-compare subsignatures to cause an alert when they match even if other conditions of the given logical signatures were not met.

  • Assorted bug fixes and improvements.

Special thanks to the following people for code contributions and bug reports:

  • Alexander Patrakov
  • Antoine Gatineau
  • Frank Fegert
  • Michał Dardas
  • Olliver Schinagl
  • Sammy Chu
  • Stuart Henderson

0.103.6

ClamAV 0.103.6 is a critical patch release with the following fixes:

  • CVE-2022-20770: Fixed a possible infinite loop vulnerability in the CHM file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

  • CVE-2022-20796: Fixed a possible NULL-pointer dereference crash in the scan verdict cache check. Issue affects versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2. Thank you to Alexander Patrakov and Antoine Gatineau for reporting this issue.

  • CVE-2022-20771: Fixed a possible infinite loop vulnerability in the TIFF file parser. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. The issue only occurs if the --alert-broken-media ClamScan option is enabled. For ClamD, the affected option is AlertBrokenMedia yes, and for libclamav it is the CL_SCAN_HEURISTIC_BROKEN_MEDIA scan option. Thank you to Michał Dardas for reporting this issue.

  • CVE-2022-20785: Fixed a possible memory leak in the HTML file parser / Javascript normalizer. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

  • CVE-2022-20792: Fixed a possible multi-byte heap buffer overflow write vulnerability in the signature database load module. The fix was to update the vendored regex library to the latest version. Issue affects versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions. Thank you to Michał Dardas for reporting this issue.

  • ClamOnAcc: Fixed a number of assorted stability issues and added niceties for debugging ClamOnAcc. Patches courtesy of Frank Fegert.

  • Fixed an issue causing byte-compare subsignatures to cause an alert when they match even if other conditions of the given logical signatures were not met.

  • Fixed a memory leak when using multiple byte-compare subsignatures. This fix was backported from 0.104.0. Thank you to Andrea De Pasquale for contributing the fix.

  • Assorted bug fixes and improvements.

Special thanks to the following people for code contributions and bug reports:

  • Alexander Patrakov
  • Andrea De Pasquale
  • Antoine Gatineau
  • Frank Fegert
  • Michał Dardas

Related news

Gentoo Linux Security Advisory 202310-01

Gentoo Linux Security Advisory 202310-1 - Multiple vulnerabilities have been discovered in ClamAV, the worst of which could result in remote code execution. Versions greater than or equal to 0.103.7 are affected.

Ubuntu Security Notice USN-5423-2

Ubuntu Security Notice 5423-2 - USN-5423-1 fixed several vulnerabilities in ClamAV. This update provides the corresponding update for Ubuntu 14.04 ESM and 16.04 ESM. Michał Dardas discovered that ClamAV incorrectly handled parsing CHM files. A remote attacker could possibly use this issue to cause ClamAV to stop responding, resulting in a denial of service.

Ubuntu Security Notice USN-5423-1

Ubuntu Security Notice 5423-1 - Michał Dardas discovered that ClamAV incorrectly handled parsing CHM files. A remote attacker could possibly use this issue to cause ClamAV to stop responding, resulting in a denial of service. Michał Dardas discovered that ClamAV incorrectly handled parsing TIFF files. A remote attacker could possibly use this issue to cause ClamAV to stop responding, resulting in a denial of service. Michał Dardas discovered that ClamAV incorrectly handled parsing HTML files. A remote attacker could possibly use this issue to cause ClamAV to consume resources, resulting in a denial of service.

CVE-2022-20796: Cisco Security Advisory: ClamAV Truncated File Denial of Service Vulnerability Affecting Cisco Products: May 2022

On May 4, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in Clam AntiVirus (ClamAV) versions 0.103.4, 0.103.5, 0.104.1, and 0.104.2 could allow an authenticated, local attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog.

CVE-2022-20771: Cisco Security Advisory: ClamAV TIFF File Parsing Denial of Service Vulnerability Affecting Cisco Products: May 2022

On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in the TIFF file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.

CVE-2022-20770: Cisco Security Advisory: ClamAV CHM File Parsing Denial of Service Vulnerability Affecting Cisco Products: May 2022

On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in CHM file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.

CVE-2022-20785: Cisco Security Advisory: ClamAV HTML Scanning Memory Leak Vulnerability Affecting Cisco Products: May 2022

On April 20, 2022, the following vulnerability in the ClamAV scanning library versions 0.103.5 and earlier and 0.104.2 and earlier was disclosed: A vulnerability in HTML file parser of Clam AntiVirus (ClamAV) versions 0.104.0 through 0.104.2 and LTS version 0.103.5 and prior versions could allow an unauthenticated, remote attacker to cause a denial of service condition on an affected device. For a description of this vulnerability, see the ClamAV blog. This advisory will be updated as additional information becomes available.
