ClamAV 1.0.2 is a critical patch release with the following fixes:
-
CVE-2023-20197
Fixed a possible denial of service vulnerability in the HFS+ file parser.
This issue affects versions 1.1.0, 1.0.1 through 1.0.0, 0.105.2 through 0.105.0,
0.104.4 through 0.104.0, and 0.103.8 through 0.103.0.
Thank you to Steve Smith for reporting this issue. -
CVE-2023-20212
Fixed a possible denial of service vulnerability in the AutoIt file parser.
This issue affects versions 1.0.1 and 1.0.0.
This issue does not affect version 1.1.0. -
Fixed a build issue when using the Rust nightly toolchain, which was
affecting the oss-fuzz build environment used for regression tests.- GitHub pull request: #996
-
Fixed a build issue on Windows when using Rust version 1.70 or newer.
- GitHub pull request: #993
-
CMake build system improvement to support compiling with OpenSSL 3.x on
macOS with the Xcode toolchain.The official ClamAV installers and packages are now built with OpenSSL 3.1.1
or newer.- GitHub pull request: #973
-
Fixed an issue where ClamAV does not abort the signature load process after
partially loading an invalid signature.
The bug would later cause a crash when scanning certain files.- GitHub pull request: #952
-
Fixed an issue so that ClamAV correctly removes temporary files generated
by the VBA and XLM extraction modules so that the files are not leaked in
patched versions of ClamAV where temporary files are written directly to the
temp-directory instead of writing to a unique subdirectory.- GitHub pull request: #900
-
Set Git attributes to prevent Git from altering line endings for bundled Rust
libraries. Third-party Rust libraries are bundled in the ClamAV release
tarball. We do not commit them to our own Git repository, but community
package maintainers may now store the tarball contents in Git.
The Rust build system verifies the library manifest, and this change
ensures that the hashes are correct.
Improvement courtesy of Nicolas R.- GitHub pull request: #856
-
Fixed two bugs that would cause Freshclam to fail update when applying a
CDIFF database patch if that patch adds a file to the database archive
or removes a file from the database archive.
This bug also caused Sigtool to fail to create such a patch.- GitHub pull request: #901
Special thanks to the following people for code contributions and bug reports:
- Nicolas R.
- Steve Smith