ClamAV 0.103.7, 0.104.1 and 0.105.1 patch versions published
View this post on https://blog.clamav.net/2022/07/clamav-01037-01041-and-01051-patch.html


ClamAV 0.103.7, 0.104.1 and 0.105.1 patch versions published

Today, we are releasing the following critical patch versions:

* 0.103.7
* 0.104.4
* 0.105.1

As a friendly reminder, 0.104.4 will be the last patch version for the 0.104 feature release per the ClamAV End-of-Life Policy (https://docs.clamav.net/faq/faq-eol.html#version-support-matrix). The 0.103 Long Term Support release will continue to receive patch versions until September 2023.

The release files are available for download on ClamAV.net (https://www.clamav.net/downloads) or through Docker Hub (https://hub.docker.com/r/clamav/clamav/).

0.103.7

ClamAV 0.103.7 is a critical patch release with the following fixes:

* Upgrade the vendored UnRAR library to version 6.1.7.

* Fix logical signature "Intermediates" feature.

* Relax constraints on slightly malformed zip archives that contain overlapping file entries.

0.104.4

ClamAV 0.104.4 is a critical patch release with the following fixes:

* Upgrade the vendored UnRAR library to version 6.1.7.

* Fix logical signature "Intermediates" feature.

* Relax constraints on slightly malformed zip archives that contain overlapping file entries.

0.105.1

ClamAV 0.105.1 is a critical patch release with the following fixes:

* Upgrade the vendored UnRAR library to version 6.1.7.

* Fix issue building macOS universal binaries in some configurations.

* Silence error message when the logical signature maximum functionality level is lower than the current functionality level.

* Fix scan error when scanning files containing malformed images that cannot be loaded to calculate an image fuzzy hash.

* Fix logical signature "Intermediates" feature.

* Relax constraints on slightly malformed ZIP archives that contain overlapping file entries.

Posted by Micah Snyder at 3:45 PM, https://blog.clamav.net/2022/07/clamav-01037-01041-and-01051-patch.html


_______________________________________________

clamav-devel mailing list
clamav-devel@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel

Please submit your patches to our Github: https://github.com/Cisco-Talos/clamav-devel/pulls

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: ClamAV 0.103.7, 0.104.1 and 0.105.1 patch versions published

Hi there,

On Wed, 27 Jul 2022, Micah Snyder wrote:

> Today, we are releasing the following critical patch versions:

I haven't been able to find the details, but presumably this is to fix
CVE-2022-30333 in unrar?

--

73,
Ged.
Re: ClamAV 0.103.7, 0.104.1 and 0.105.1 patch versions published

Hi Ged,

The UnRAR CVE was a driver for getting out the bug fixes sooner than later. For 0.105.0 there were a couple other bad bugs we really wanted to fix, notably the ERROR response from files where a fuzzy image hash fails.

That said, I don't believe the UnRAR CVE issue is a serious security issue in Clam. Unless you use clamscan's `--leave-temps` option (or clamd's `LeaveTemporaryFiles yes` config option), files extracted from RAR archives are assigned randomly generated filenames, so path traversal isn't a concern. If you do have the "leave temps" feature enabled, which you wouldn't for production, the temporary file still gets a random suffix added, so it can't be used to replace a specific file or directory. There may still be some risk there, but it is significantly mitigated. I left notes from my investigation on this issue if you're interested: https://github.com/Cisco-Talos/clamav/issues/580#issuecomment-1192043905

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-devel <clamav-devel-bounces@lists.clamav.net> on behalf of G.W. Haywood <clamav-devel@jubileegroup.co.uk>
Sent: Wednesday, July 27, 2022 6:31 AM
To: clamav-devel@lists.clamav.net <clamav-devel@lists.clamav.net>
Subject: Re: [Clamav-devel] ClamAV 0.103.7, 0.104.1 and 0.105.1 patch versions published

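An added illustration (not ClamAV's own code) of the mitigation Micah describes above: each extracted member is written under a randomly generated temp filename, so the name stored in the archive never decides where bytes land on disk, and with "leave temps" a readable prefix is kept but a random suffix is still appended. The sample member names and the `naive_target_path` helper, shown only to contrast the unsafe pattern, are constructed for this example.

```python
import os
import tempfile

# Constructed sample archive members: (name as stored in the archive, content).
# The second name carries '../' components, the kind of name a path-traversal
# bug in an extractor would act on if it trusted the stored name.
SAMPLE_MEMBERS = [
    ("report.txt", b"benign content"),
    ("../../escaped.txt", b"would land outside tmpdir if the name were trusted"),
]


def naive_target_path(tmpdir: str, member_name: str) -> str:
    """Unsafe pattern for comparison: the archive-supplied name forms the path."""
    return os.path.normpath(os.path.join(tmpdir, member_name))


def is_inside(tmpdir: str, path: str) -> bool:
    """True if path resolves to a location within tmpdir (symlinks resolved)."""
    root = os.path.realpath(tmpdir)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def safe_extract_member(tmpdir: str, member_name: str, data: bytes,
                        leave_temps: bool = False) -> str:
    """Write one member to tmpdir under a random filename chosen by mkstemp.

    Default mode: the stored name is not used at all. leave_temps mode: keep a
    readable prefix (directory components stripped) but mkstemp still appends a
    random suffix, so the name cannot select a specific file to overwrite.
    """
    if leave_temps:
        prefix = os.path.basename(member_name.replace("\\", "/")) or "member"
        prefix += "."
    else:
        prefix = "clamav-tmp-"
    fd, path = tempfile.mkstemp(prefix=prefix, dir=tmpdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run both patterns over the sample members and return per-member verdicts."""
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        for name, data in SAMPLE_MEMBERS:
            naive = naive_target_path(tmpdir, name)   # computed only, never written
            safe = safe_extract_member(tmpdir, name, data)
            kept = safe_extract_member(tmpdir, name, data, leave_temps=True)
            results[name] = {
                "naive_inside": is_inside(tmpdir, naive),
                "safe_inside": is_inside(tmpdir, safe),
                "leave_temps_inside": is_inside(tmpdir, kept),
                "leave_temps_basename": os.path.basename(kept),
            }
    return results
```

Running `demo()` shows the traversal-style name escaping the temp directory only under the naive pattern, while both random-name modes stay inside it.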