github Cisco-Talos/clamav clamav-1.2.2
ClamAV 1.2.2

7 months ago

ClamAV 1.2.2 is a critical patch release with the following fixes:

  • CVE-2024-20290:
    Fixed a possible heap overflow read bug in the OLE2 file parser that could
    cause a denial-of-service (DoS) condition.

    Affected versions:

    • 1.0.0 through 1.0.4 (LTS)
    • 1.1 (all patch versions)
    • 1.2.0 and 1.2.1

    Thank you to OSS-Fuzz for identifying this issue.

  • CVE-2024-20328:
    Fixed a possible command injection vulnerability in the VirusEvent feature
    of ClamAV's ClamD service.

    To fix this issue, we disabled the '%f' format string parameter.
    ClamD administrators may continue to use the CLAM_VIRUSEVENT_FILENAME
    environment variable instead of '%f', but only from within an executable,
    such as a Python script, and not directly in the clamd.conf VirusEvent
    command.

    Affected versions:

    • 0.104 (all patch versions)
    • 0.105 (all patch versions)
    • 1.0.0 through 1.0.4 (LTS)
    • 1.1 (all patch versions)
    • 1.2.0 and 1.2.1

    Thank you to Amit Schendel for identifying this issue.
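    The following handler shows the pattern the CVE-2024-20328 fix points to: the
    detected file's path is taken from the CLAM_VIRUSEVENT_FILENAME environment
    variable inside a script and only ever passed as data, never spliced into a
    shell command line. This is an added example, not ClamAV project code; the
    script path, quarantine directory and the use of logger(1) are assumptions.

```python
#!/usr/bin/env python3
"""clamd VirusEvent handler (added example; not ClamAV project code).

clamd.conf points at it with no %f argument, e.g. (path is an assumption):
    VirusEvent /usr/local/bin/virusevent.py
clamd exports the detected file's path as CLAM_VIRUSEVENT_FILENAME and the
signature name as CLAM_VIRUSEVENT_VIRUSNAME; both are read from os.environ.
"""
import os
import shutil
import subprocess
import sys
from pathlib import Path

QUARANTINE_DIR = Path("/var/lib/clamav/quarantine")  # assumption


def event_from_env(env):
    """Return (filename, virusname) from clamd's environment, or None if unset."""
    filename = env.get("CLAM_VIRUSEVENT_FILENAME")
    if not filename:
        return None
    return filename, env.get("CLAM_VIRUSEVENT_VIRUSNAME", "unknown")


def logger_argv(filename, virusname):
    """argv for logger(1). The path is a single argv element, so ';', '$(' or
    quotes inside a file name stay literal: no shell ever parses them."""
    return ["logger", "-t", "clamd-virusevent", f"{virusname} in {filename}"]


def quarantine_target(filename, qdir=QUARANTINE_DIR):
    """Destination under qdir, using only the basename so that a crafted path
    component ('..', separators) cannot place the file outside qdir."""
    base = Path(filename).name.replace("\n", "_").replace("\r", "_")
    if base in ("", ".", ".."):
        base = "unnamed"
    return qdir / base


def main():
    ev = event_from_env(os.environ)
    if ev is None:
        print("CLAM_VIRUSEVENT_FILENAME not set; not invoked by clamd?", file=sys.stderr)
        return 1
    filename, virusname = ev
    subprocess.run(logger_argv(filename, virusname), check=False)  # list argv, no shell
    target = quarantine_target(filename)
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(filename, target)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```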
