Cisco has released the ClamAV 1.3.0 antivirus package and fixed a dangerous vulnerability

After six months of development, Cisco has published the release of the free antivirus suite ClamAV 1.3.0. The project passed into Cisco's hands in 2013, when Cisco acquired Sourcefire, the company that developed ClamAV and Snort. The project code is distributed under the GPLv2 license. The 1.3.0 branch is classified as a regular (non-LTS) branch, for which updates are published for at least 4 months after the first release of the next branch. The signature database also remains downloadable for non-LTS branches for at least 4 months after the release of the next branch.

Key improvements in ClamAV 1.3:

  • Added support for extracting and scanning attachments embedded in Microsoft OneNote files. OneNote parsing is enabled by default; it can be disabled by setting "ScanOneNote no" in clamd.conf, by passing the "--scan-onenote=no" command line option to the clamscan utility, or via the CL_SCAN_PARSE_ONENOTE flag in the options.parse parameter when using libclamav.
  • Building ClamAV on Haiku, the BeOS-like operating system, is now supported.
  • clamd now checks that the temporary-files directory specified via the TemporaryDirectory directive in clamd.conf exists. If the directory is missing, the process exits with an error.
  • When building static libraries with CMake, the static libraries libclamav_rust, libclammspack, libclamunrar_iface and libclamunrar that libclamav depends on are now installed as well.
  • Implemented file type detection for compiled Python scripts (.pyc). The type is reported as the string CL_TYPE_PYTHON_COMPILED in the clcb_pre_cache, clcb_pre_scan and clcb_file_inspection callback functions.
  • Improved support for decrypting PDF documents protected with a blank password.

At the same time, the ClamAV 1.2.2 and 1.0.5 updates were released, fixing two vulnerabilities that affect the 0.104, 0.105, 1.0, 1.1 and 1.2 branches:

  • CVE-2024-20328 - Possible command injection during file scanning in clamd due to an error in the implementation of the "VirusEvent" directive, which runs an arbitrary command when a virus is detected. Details of how the vulnerability is exploited have not yet been disclosed; all that is known is that the problem was fixed by removing support for the VirusEvent format parameter '%f', which was replaced at run time with the name of the infected file.

    Apparently, the attack boils down to supplying a specially crafted name for an infected file, containing special characters that are not escaped when the command specified in VirusEvent is run. Notably, a similar vulnerability was already fixed in 2004, likewise by removing support for the '%f' substitution; the substitution was reintroduced in ClamAV 0.104, which revived the old vulnerability. In the old vulnerability, all it took to execute an arbitrary command during a scan was to create a file named "; mkdir owned" and write the antivirus test signature into it.

  • CVE-2024-20290 is a buffer overflow (out-of-bounds read) in the OLE2 file parsing code, which a remote unauthenticated attacker could use to cause a denial of service (a crash of the scanning process). The issue is caused by an incorrect end-of-line check during content scanning, which results in reading from memory beyond the buffer boundary.
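The VirusEvent problem described above is a general one: a file name is untrusted data, and once it is interpolated into a command string that a shell parses, bytes such as ';' become part of the command. The following C program is an added illustration written for this article; it is not ClamAV code. It shows the naive "%f" template expansion next to two defensive patterns: a strict allowlist check on the name before it can reach a shell, and handing the name to the event command out-of-band in an environment variable while exec'ing a fixed argv with no shell in between. The environment variable name CLAM_VIRUSEVENT_FILENAME mirrors the one clamd documents for its VirusEvent command; the function names and the sample file names are constructed for this example, with the "; mkdir owned" name taken from the 2004 case the article describes.

```c
/* Added example (not ClamAV code): unsafe "%f" template expansion versus
 * two defensive patterns for passing an untrusted file name to an event
 * command. The function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Naive template expansion: every "%f" in tmpl is replaced with path.
 * The result is what a shell would parse, so any shell metacharacter in
 * path becomes part of the command. Returns the number of bytes written
 * (excluding the NUL), or -1 if out is too small. */
int expand_virus_event(const char *tmpl, const char *path, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == 'f') {
            size_t plen = strlen(path);
            if (n + plen >= outlen) return -1;
            memcpy(out + n, path, plen);
            n += plen;
            p++;                         /* skip the 'f' */
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Allowlist check: returns 1 if every byte of name is a letter, digit,
 * '.', '_', '-' or '/', and 0 otherwise. Whitespace, ';', '|', '$', '`',
 * quotes and every other shell metacharacter are rejected. */
int filename_is_shell_safe(const char *name)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-/";
    if (*name == '\0') return 0;
    for (; *name; name++)
        if (strchr(allowed, *name) == NULL) return 0;
    return 1;
}

/* Out-of-band delivery: runs a fixed argv directly (no shell parses the
 * file name) and exposes the name only through the environment, where the
 * event command reads it as data. Returns the child's exit status, or -1. */
int run_virus_event_safe(char *const argv[], const char *path)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        setenv("CLAM_VIRUSEVENT_FILENAME", path, 1);
        execvp(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample names: a benign path and the 2004-style name. */
    const char *names[] = { "/srv/upload/report.pdf", "; mkdir owned" };
    char cmd[256];
    for (size_t i = 0; i < 2; i++) {
        expand_virus_event("/usr/local/bin/notify %f", names[i], cmd, sizeof cmd);
        printf("template result : %s\n", cmd);
        printf("allowlist check : %s\n", filename_is_shell_safe(names[i]) ? "accept" : "reject");
    }
    /* The event script sees the name as $CLAM_VIRUSEVENT_FILENAME; the
     * script text itself is fixed and never contains the file name. */
    char *argv[] = { "/bin/sh", "-c", "printf 'event for: %s\\n' \"$CLAM_VIRUSEVENT_FILENAME\"", NULL };
    return run_virus_event_safe(argv, names[1]) == 0 ? 0 : 1;
}
```

The allowlist check is a detection-style safeguard for templates that cannot be changed, while the environment-variable approach removes the problem class entirely: the shell script's text is constant, and the file name reaches it only as a variable value that is never re-parsed.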
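The article only says that CVE-2024-20290 comes from an end-of-line check that reads past the buffer, without naming the OLE2 routine involved. The C snippet below is an added, generic illustration of that bug class, not ClamAV's code: an end-of-line scan that trusts a terminator it may never find, beside a length-bounded version that can never inspect a byte past the end of the data it was given. All function names and the sample input are constructed for this example.

```c
/* Added example (not ClamAV code): an unbounded end-of-line scan beside a
 * bounded one. Function names are hypothetical. */
#include <stddef.h>

/* UNSAFE pattern: walks forward until it sees '\n' or '\r'. If the chunk is
 * not terminated inside the buffer, the loop keeps reading past its end.
 * Shown for contrast only; never called on unterminated data. */
const char *find_eol_unbounded(const char *p)
{
    while (*p != '\n' && *p != '\r')
        p++;
    return p;
}

/* SAFE pattern: never touches buf[len] or beyond. Returns the index of the
 * terminator, or len when the line is unterminated, so the caller can treat
 * the remainder as a truncated final line instead of scanning onward. */
size_t find_eol_bounded(const char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\n' || buf[i] == '\r')
            return i;
    return len;
}

/* Counts lines in an arbitrary, possibly unterminated chunk using only the
 * bounded search. "\r\n" counts as a single terminator. */
size_t count_lines(const char *buf, size_t len)
{
    size_t lines = 0, pos = 0;
    while (pos < len) {
        size_t eol = find_eol_bounded(buf + pos, len - pos);
        lines++;
        pos += eol;
        if (pos < len) {
            char t = buf[pos++];
            if (t == '\r' && pos < len && buf[pos] == '\n')
                pos++;
        }
    }
    return lines;
}

int main(void)
{
    /* Constructed input: the final line has no terminator, which is the
     * case the unbounded scan cannot handle. */
    const char chunk[] = { 'a', '\n', 'b', '\r', '\n', 'c' };
    return count_lines(chunk, sizeof chunk) == 3 ? 0 : 1;
}
```

The pattern to look for in review is any loop whose only stop condition is a sentinel byte in attacker-controlled data; the fix is always to carry the length alongside the pointer, as find_eol_bounded does.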

Source: opennet.ru