Releases: Cisco-Talos/clamav
ClamAV 1.5.0-rc
ClamAV 1.5.0 includes the following improvements and changes:
Major changes
- Added checks to determine if an OLE2-based Microsoft Office document is
  encrypted.
- Added the ability to record URIs found in HTML if the generate-JSON-metadata
  feature is enabled.
  Also adds an option to disable this in case you want the JSON metadata
  feature but do not want to record HTML URIs.
  - The ClamScan command-line option is `--json-store-html-uris=no`.
  - The `clamd.conf` config option is `JsonStoreHTMLURIs no`.
  - The libclamav general scan option is `CL_SCAN_GENERAL_STORE_HTML_URIS`.
- Added the ability to record URIs found in PDFs if the generate-JSON-metadata
  feature is enabled.
  Also adds an option to disable this in case you want the JSON metadata
  feature but do not want to record PDF URIs.
  - The ClamScan command-line option is `--json-store-pdf-uris=no`.
  - The `clamd.conf` config option is `JsonStorePDFURIs no`.
  - The libclamav general scan option is `CL_SCAN_GENERAL_STORE_PDF_URIS`.
- Added regex support for the `clamd.conf` `OnAccessExcludePath` config option.
  This change courtesy of GitHub user b1tg.
- Added CVD signing/verification with external `.sign` files.

  Freshclam will now attempt to download external signature files to accompany
  existing `.cvd` databases and `.cdiff` patch files. Sigtool now has commands
  to sign and verify using the external signatures.

  ClamAV now installs a 'certs' directory in the app config directory
  (e.g., `<prefix>/etc/certs`). The install path is configurable.
  The CMake option to configure the CVD certs directory is
  `-D CVD_CERTS_DIRECTORY=PATH`.

  New options to set an alternative CVD certs directory:
  - The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is
    `--cvdcertsdir PATH`
  - The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is
    `CVD_CERTS_DIR`
  - The config option for Freshclam and ClamD is `CVDCertsDirectory PATH`

  Added two new APIs to the public clamav.h header:
  ```c
  cl_error_t cl_cvdverify_ex(
      const char *file,
      const char *certs_directory,
      uint32_t dboptions);
  cl_error_t cl_cvdunpack_ex(
      const char *file,
      const char *dir,
      const char *certs_directory,
      uint32_t dboptions);
  ```
  The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.

  Added a `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
  You may set this option with `cl_engine_set_str` and get it with
  `cl_engine_get_str`, to override the compiled-in default CVD certs directory.

  Thank you to Mark Carey at SAP for inspiring work on this feature with an
  initial proof of concept for external-signature FIPS compliant CVD signing.
- Freshclam, ClamD, ClamScan, and Sigtool: Added an option to enable FIPS-like
  limits disabling MD5 and SHA1 from being used for verifying digital signatures
  or for being used to trust a file when checking for false positives (FPs).

  For `freshclam.conf` and `clamd.conf` set this config option:
  `FIPSCryptoHashLimits yes`

  For `clamscan` and `sigtool` use this command-line option: `--fips-limits`

  For libclamav: Enable FIPS-limits for a ClamAV engine like this:
  ```c
  cl_engine_set_num(engine, CL_ENGINE_FIPS_LIMITS, 1);
  ```

  ClamAV will also attempt to detect if FIPS-mode is enabled. If so, it will
  automatically enable the FIPS-limits feature.

  This change mitigates safety concerns over the use of MD5 and SHA1 algorithms
  to trust files and is required to enable ClamAV to operate legitimately in
  FIPS-mode enabled environments.

  Note: ClamAV may still calculate MD5 or SHA1 hashes as needed for detection
  purposes or for informational purposes in FIPS-enabled environments and when
  the FIPS-limits option is enabled.
- Upgraded the clean-file scan cache to use SHA2-256 (prior versions use MD5).
  The clean-file cache algorithm is not configurable.

  This change resolves safety concerns over the use of MD5 to trust files and
  is required to enable ClamAV to operate legitimately in FIPS-mode enabled
  environments.
- ClamD: Added an option to disable select administrative commands including
  `SHUTDOWN`, `RELOAD`, `STATS` and `VERSION`.

  The new `clamd.conf` options are:
  ```
  EnableShutdownCommand yes
  EnableReloadCommand yes
  EnableStatsCommand yes
  EnableVersionCommand yes
  ```
  This change courtesy of GitHub user ChaoticByte.
- libclamav: Added extended hashing functions with a "flags" parameter that
  allows the caller to choose if they want to bypass FIPS hash algorithm limits:
  ```c
  cl_error_t cl_hash_data_ex(
      const char *alg,
      const uint8_t *data,
      size_t data_len,
      uint8_t **hash,
      size_t *hash_len,
      uint32_t flags);
  cl_error_t cl_hash_init_ex(
      const char *alg,
      uint32_t flags,
      cl_hash_ctx_t **ctx_out);
  cl_error_t cl_update_hash_ex(
      cl_hash_ctx_t *ctx,
      const uint8_t *data,
      size_t length);
  cl_error_t cl_finish_hash_ex(
      cl_hash_ctx_t *ctx,
      uint8_t **hash,
      size_t *hash_len,
      uint32_t flags);
  void cl_hash_destroy(void *ctx);
  cl_error_t cl_hash_file_fd_ex(
      const char *alg,
      int fd,
      size_t offset,
      size_t length,
      uint8_t **hash,
      size_t *hash_len,
      uint32_t flags);
  ```
- ClamScan: Improved the precision of the bytes-scanned and bytes-read counters.
  The ClamScan scan summary will now report exact counts in "GiB", "MiB", "KiB",
  or "B" as appropriate. Previously, it always reported "MB".
- ClamScan: Add hash & file-type in/out CLI options:
  - `--hash-hint`: The file hash so that libclamav does not need to calculate
    it. The type of hash must match the `--hash-alg`.
  - `--log-hash`: Print the file hash after each file scanned. The type of hash
    printed will match the `--hash-alg`.
  - `--hash-alg`: The hashing algorithm used for either `--hash-hint` or
    `--log-hash`. Supported algorithms are "md5", "sha1", "sha2-256".
    If not specified, the default is "sha2-256".
  - `--file-type-hint`: The file type hint so that libclamav can optimize
    scanning (e.g., "pe", "elf", "zip", etc.). You may also use ClamAV type names
    such as "CL_TYPE_PE". ClamAV will ignore the hint if it is not familiar with
    the specified type.
    See also: https://docs.clamav.net/appendix/FileTypes.html#file-types
  - `--log-file-type`: Print the file type after each file scanned.

  We will not be adding this for ClamDScan, as we do not have a mechanism in the
  ClamD socket API to receive scan options or a way for ClamD to include scan
  metadata in the response.
- libclamav: Added new scan functions that provide additional functionality:
  ```c
  cl_error_t cl_scanfile_ex(
      const char *filename,
      cl_verdict_t *verdict_out,
      const char **last_alert_out,
      uint64_t *scanned_out,
      const struct cl_engine *engine,
      struct cl_scan_options *scanoptions,
      void *context,
      const char *hash_hint,
      char **hash_out,
      const char *hash_alg,
      const char *file_type_hint,
      char **file_type_out);
  cl_error_t cl_scandesc_ex(
      int desc,
      const char *filename,
      cl_verdict_t *verdict_out,
      const char **last_alert_out,
      uint64_t *scanned_out,
      const struct cl_engine *engine,
      struct cl_scan_options *scanoptions,
      void *context,
      const char *hash_hint,
      char **hash_out,
      const char *hash_alg,
      const char *file_type_hint,
      char **file_type_out);
  cl_error_t cl_scanmap_ex(
      cl_fmap_t *map,
      const char *filename,
      cl_verdict_t *verdict_out,
      const char **last_alert_out,
      uint64_t *scanned_out,
      const struct cl_engine *engine,
      struct cl_scan_options *scanoptions,
      void *context,
      const char *hash_hint,
      char **hash_out,
      const char *hash_alg,
      const char *file_type_hint,
      char **file_type_out);
  ```
  The older `cl_scan*()` functions are now deprecated and may be removed in a
  future release. See `clamav.h` for more details.
- libclamav: Added a new engine option to toggle temp directory recursion.
  Temp directory recursion is the idea that each object scanned in ClamAV's
  recursive extract/scan process will get a new temp subdirectory, mimicking
  the nesting structure ...
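The `--hash-hint`, `--hash-alg` and `--file-type-hint` options in the 1.5.0-rc notes above hand the caller values that libclamav would otherwise compute itself, and libclamav takes the hint instead of hashing the file. A hint computed with a different algorithm than `--hash-alg` names, or over different bytes than clamscan will read, therefore defeats the purpose. The helper below is an added example, not ClamAV's own code: it computes the hint with exactly the algorithm names the option accepts (mapping "sha2-256" to hashlib's sha256), derives a file-type hint from a few well-known magic-byte prefixes (that sniffing is this example's shortcut, not ClamAV's type detection), validates that hint and algorithm agree, and assembles the `clamscan` argv. It assumes the `--option=value` spelling shown for other clamscan options on this page.

```python
"""Build clamscan hash/file-type hints (added example, not ClamAV code)."""
import hashlib
import string
import sys

# The names clamscan --hash-alg accepts, mapped to hashlib constructors.
HASH_ALGS = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha2-256": hashlib.sha256,
}
DEFAULT_ALG = "sha2-256"  # clamscan's default when --hash-alg is omitted

# Magic-byte prefixes for a few of the short names --file-type-hint accepts.
# This is the example's own shortcut, not ClamAV's detection: "MZ" also matches
# plain DOS executables, and ClamAV ignores a hint it does not recognise, so a
# miss here only forfeits the optimisation.
MAGIC = [
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
]


def _new_hasher(alg: str):
    try:
        return HASH_ALGS[alg]()
    except KeyError:
        raise ValueError(f"unsupported --hash-alg {alg!r}; choose from {sorted(HASH_ALGS)}")


def hash_bytes(data: bytes, alg: str = DEFAULT_ALG) -> str:
    """Hex digest of data using one of the --hash-alg names."""
    h = _new_hasher(alg)
    h.update(data)
    return h.hexdigest()


def hash_file(path: str, alg: str = DEFAULT_ALG) -> str:
    """Stream the whole file: the hint must cover exactly the bytes scanned."""
    h = _new_hasher(alg)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def sniff_type(head: bytes):
    """Map a file's first bytes to a --file-type-hint value, or None."""
    for magic, name in MAGIC:
        if head.startswith(magic):
            return name
    return None


def build_args(path: str, digest: str, alg: str = DEFAULT_ALG, file_type=None) -> list:
    """Assemble the clamscan argv.  The hint and its algorithm always travel
    together, and --log-hash/--log-file-type echo the values in the output so
    the hint can be cross-checked against what was scanned."""
    expected_len = 2 * _new_hasher(alg).digest_size
    if len(digest) != expected_len or any(c not in string.hexdigits for c in digest):
        raise ValueError(f"{alg} digest must be {expected_len} hex characters")
    args = ["clamscan", f"--hash-alg={alg}", f"--hash-hint={digest}",
            "--log-hash", "--log-file-type"]
    if file_type:
        args.append(f"--file-type-hint={file_type}")
    args.append(path)
    return args


def clamscan_args(path: str, alg: str = DEFAULT_ALG) -> list:
    """Hash the file, sniff its type, and build the command line."""
    with open(path, "rb") as f:
        head = f.read(8)
    return build_args(path, hash_file(path, alg), alg, sniff_type(head))


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(" ".join(clamscan_args(p)))
```

Because `--log-hash` prints the hash clamscan associates with each file, running the generated command and comparing the logged digest with the hint you supplied is a cheap way to confirm the two agree before relying on hints at scale.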
ClamAV 1.4.3
ClamAV 1.4.3 is a patch release with the following fixes:
- CVE-2025-20260:
  Fixed a possible buffer overflow write bug in the PDF file parser that could
  cause a denial-of-service (DoS) condition or enable remote code execution.

  This issue only affects configurations where both:
  - The max file-size scan limit is set greater than or equal to 1024MB.
  - The max scan-size scan limit is set greater than or equal to 1025MB.

  The code flaw was present prior to version 1.0.0, but a change in version
  1.0.0 that enables larger allocations based on untrusted data made it
  possible to trigger this bug.

  This issue affects all currently supported versions. It will be fixed in:
  - 1.4.3
  - 1.0.9

  Thank you to Greg Walkup at Sandia National Labs for identifying this issue.
- CVE-2025-20234:
  Fixed a possible buffer overflow read bug in the UDF file parser that may
  write to a temp file and thus disclose information, or it may crash and
  cause a denial-of-service (DoS) condition.

  This issue was introduced in version 1.2.0. It will be fixed in 1.4.3.

  Thank you to volticks (@movx64 on Twitter/X), working with Trend Micro Zero
  Day Initiative, for identifying this issue.
- Fixed a possible use-after-free bug in the Xz decompression module in the
  bundled lzma-sdk library.

  This issue was fixed in the lzma-sdk version 18.03. ClamAV bundles a copy
  of the lzma-sdk with some performance changes specific to libclamav, plus
  select bug fixes like this one in lieu of a full upgrade to newer lzma-sdk.

  This issue affects all ClamAV versions at least as far back as 0.99.4.
  It will be fixed in:
  - 1.4.3
  - 1.0.9

  Thank you to OSS-Fuzz for identifying this issue.
- Windows: Fixed a build install issue when a DLL dependency such as libcrypto
  has the exact same name as one provided by the Windows operating system.
ClamAV 1.0.9
ClamAV 1.0.9 is a patch release with the following fixes:
- CVE-2025-20260:
  Fixed a possible buffer overflow write bug in the PDF file parser that could
  cause a denial-of-service (DoS) condition or enable remote code execution.

  This issue only affects configurations where both:
  - The max file-size scan limit is set greater than or equal to 1024MB.
  - The max scan-size scan limit is set greater than or equal to 1025MB.

  The code flaw was present prior to version 1.0.0, but a change in version
  1.0.0 that enables larger allocations based on untrusted data made it
  possible to trigger this bug.

  This issue affects all currently supported versions. It will be fixed in:
  - 1.4.3
  - 1.0.9

  Thank you to Greg Walkup at Sandia National Labs for identifying this issue.
- Fixed a possible use-after-free bug in the Xz decompression module in the
  bundled lzma-sdk library.

  This issue was fixed in the lzma-sdk version 18.03. ClamAV bundles a copy
  of the lzma-sdk with some performance changes specific to libclamav, plus
  select bug fixes like this one in lieu of a full upgrade to newer lzma-sdk.

  This issue affects all ClamAV versions at least as far back as 0.99.4.
  It will be fixed in:
  - 1.4.3
  - 1.0.9

  Thank you to OSS-Fuzz for identifying this issue.
- Windows: Fixed a build install issue when a DLL dependency such as libcrypto
  has the exact same name as one provided by the Windows operating system.
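The trigger for CVE-2025-20260, described in both the 1.4.3 and 1.0.9 entries above, is a configuration rather than a particular file: the bug is only reachable when the max file-size limit is at least 1024MB and the max scan-size limit is at least 1025MB at the same time. Until a host is on a fixed version, those two limits are what to audit. The checker below is an added example and not ClamAV's code. It reads the two clamd.conf directives that set these limits, `MaxFileSize` and `MaxScanSize` (the entries above name the limits, not the directives; those are the standard clamd.conf names), and reports whether both thresholds are met. Its assumptions: the K/M/G suffixes are binary units, so the advisory's "1024MB" is read as 1024 MiB; a value of 0, which clamd.conf documents as disabling a limit, counts as over the threshold; and when a directive is absent the documented defaults of 100M and 400M apply. Check both assumptions against your version's `clamd.conf.sample`. The two configs embedded in the block are constructed for the example.

```python
"""Audit clamd.conf limits for the CVE-2025-20260 trigger conditions.
Added example, not ClamAV code; assumptions are marked in comments."""
import re

MIB = 1 << 20
FILESIZE_THRESHOLD = 1024 * MIB   # "max file-size limit >= 1024MB"
SCANSIZE_THRESHOLD = 1025 * MIB   # "max scan-size limit >= 1025MB"

# Assumption: K/M/G are binary units, as in clamd.conf.sample values like "400M".
SUFFIX = {"": 1, "K": 1 << 10, "M": 1 << 20, "G": 1 << 30}

# Assumption: the documented defaults apply when a directive is absent.
DEFAULTS = {"MaxFileSize": "100M", "MaxScanSize": "400M"}


def parse_size(value: str) -> int:
    """Turn '1024M', '2G', '100K' or a bare byte count into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMGkmg]?)\s*", value)
    if not m:
        raise ValueError(f"unparseable size {value!r}")
    return int(m.group(1)) * SUFFIX[m.group(2).upper()]


def parse_clamd_conf(text: str) -> dict:
    """Minimal reader: one 'Directive value' per line, '#' lines are comments.
    The last occurrence of a directive wins in this reader."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def limit_bytes(conf: dict, directive: str) -> int:
    return parse_size(conf.get(directive, DEFAULTS[directive]))


def cve_2025_20260_exposed(conf: dict) -> dict:
    """Both conditions must hold.  A limit of 0 ('disabled') is treated as
    unbounded and therefore over its threshold (assumption)."""
    file_limit = limit_bytes(conf, "MaxFileSize")
    scan_limit = limit_bytes(conf, "MaxScanSize")
    file_hit = file_limit == 0 or file_limit >= FILESIZE_THRESHOLD
    scan_hit = scan_limit == 0 or scan_limit >= SCANSIZE_THRESHOLD
    return {
        "MaxFileSize": file_limit,
        "MaxScanSize": scan_limit,
        "exposed": file_hit and scan_hit,
    }


# Constructed sample configs, not taken from any real deployment.
WEAK_CONF = """\
# limits raised to scan large installer bundles: meets both trigger conditions
LogFile /var/log/clamav/clamd.log
MaxScanSize 2G
MaxFileSize 1024M
"""

MITIGATED_CONF = """\
# same scan budget, but MaxFileSize held under the 1024M trigger threshold
LogFile /var/log/clamav/clamd.log
MaxScanSize 2G
MaxFileSize 1000M
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("mitigated", MITIGATED_CONF)):
        print(name, cve_2025_20260_exposed(parse_clamd_conf(text)))
```

Lowering either limit below its threshold removes the trigger condition, but it is a stopgap that also changes what gets scanned; the fix is the 1.4.3 or 1.0.9 upgrade, and the same two limits exist as clamscan command-line options, so scripted scans need the same review.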
ClamAV 1.5.0-beta
ClamAV 1.5.0 includes the following improvements and changes:
Major changes
- Added checks to determine if an OLE2-based Microsoft Office document is
  encrypted.
- Added the ability to record URLs found in HTML if the generate-JSON-metadata
  feature is enabled.
  Also adds an option to disable this in case you want the JSON metadata
  feature but don't want to record HTML URLs.
  - The ClamScan command-line option is `--json-store-html-urls=no`.
  - The `clamd.conf` config option is `JsonStoreHTMLUrls no`.
- Added regex support for the `clamd.conf` `OnAccessExcludePath` config option.
  This change courtesy of GitHub user b1tg.
- Added FIPS-compliant CVD signing/verification with external `.sign` files.

  Freshclam will now attempt to download external signature files to accompany
  existing `.cvd` databases and `.cdiff` patch files. Sigtool now has commands
  to sign and verify using the external signatures.

  ClamAV now installs a 'certs' directory in the app config directory
  (e.g. `<prefix>/etc/certs`). The install path is configurable.
  The CMake option to configure the CVD certs directory is:
  `-D CVD_CERTS_DIRECTORY=PATH`

  New options to set an alternative CVD certs directory:
  - The command-line option for Freshclam, ClamD, ClamScan, and Sigtool is:
    `--cvdcertsdir PATH`
  - The environment variable for Freshclam, ClamD, ClamScan, and Sigtool is:
    `CVD_CERTS_DIR`
  - The config option for Freshclam and ClamD is:
    `CVDCertsDirectory PATH`

  Added two new APIs to the public clamav.h header:
  ```c
  extern cl_error_t cl_cvdverify_ex(
      const char *file,
      const char *certs_directory);
  extern cl_error_t cl_cvdunpack_ex(
      const char *file,
      const char *dir,
      bool dont_verify,
      const char *certs_directory);
  ```
  The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.

  Added a `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
  You may set this option with `cl_engine_set_str` and get it with
  `cl_engine_get_str`, to override the compiled-in default CVD certs directory.

  Thank you to Mark Carey at SAP for inspiring work on this feature with an
  initial proof of concept for external-signature FIPS compliant CVD signing.
Other improvements
- Set a limit on the max-recursion config option. Users will no longer be
  able to set max-recursion higher than 100.
  This change prevents errors on start up or possible crashes if encountering
  a file with that many layers of recursion.
- Build system: CMake improvements to support compiling for the AIX platform.
  This change is courtesy of GitHub user KamathForAIX.
- Improve support for extracting malformed zip archives.
  This change is courtesy of Frederick Sell.
- Windows: Code quality improvement for the ClamScan and ClamDScan `--move`
  and `--remove` options.
  This change is courtesy of Maxim Suhanov.
- Added file type recognition for some kinds of AI model files.
  The file type appears as a string parameter for these callback functions:
  - `clcb_pre_cache`
  - `clcb_pre_scan`
  - `clcb_file_inspection`

  When scanning these files, the `type` parameter will now show
  "CL_TYPE_AI_MODEL" instead of "CL_TYPE_BINARY_DATA".
Bug fixes
- Technical debt: Reduced email multipart message parser complexity.
- Fixed possible undefined behavior in inflate64 module.
  The inflate64 module is a modified version of the zlib library, taken from
  version 1.2.3 with some customization and with some cherry-picked fixes.
  This adds one additional fix from zlib 1.2.9.
  Thank you to TITAN Team for reporting this issue.
- Fixed a bug in ClamD that broke reporting of memory usage on Linux.
  The STATS command can be used to monitor ClamD directly or through ClamDTOP.
  The memory stats feature does not work on all platforms (e.g. Windows).
- Windows: Fix a build issue when the same library dependency is found in
  two different locations.
- Fix an infinite loop when scanning some email files in debug-mode.
  This fix is courtesy of Yoann Lecuyer.
Acknowledgments
Special thanks to the following people for code contributions and bug reports:
- b1tg
- Frederick Sell
- KamathForAIX
- Mark Carey at SAP
- Maxim Suhanov
- TITAN Team
- Yoann Lecuyer
ClamAV 1.4.2
ClamAV 1.4.2 is a patch release with the following fixes:
- CVE-2025-20128:
  Fixed a possible buffer overflow read bug in the OLE2 file parser that could
  cause a denial-of-service (DoS) condition.

  This issue was introduced in version 1.0.0 and affects all currently
  supported versions. It will be fixed in:
  - 1.4.2
  - 1.0.8

  Thank you to OSS-Fuzz for identifying this issue.
ClamAV 1.0.8
ClamAV 1.0.8 is a patch release with the following fixes:
- CVE-2025-20128:
  Fixed a possible buffer overflow read bug in the OLE2 file parser that could
  cause a denial-of-service (DoS) condition.

  This issue was introduced in version 1.0.0 and affects all currently
  supported versions. It will be fixed in:
  - 1.4.2
  - 1.0.8

  Thank you to OSS-Fuzz for identifying this issue.
- ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.
  This is a backport of a fix from ClamAV 1.3.0.
ClamAV 1.4.1
ClamAV 1.4.1 is a critical patch release with the following fixes:
- CVE-2024-20506:
  Changed the logging module to disable following symlinks on Linux and Unix
  systems so as to prevent an attacker with existing access to the 'clamd' or
  'freshclam' services from using a symlink to corrupt system files.

  This issue affects all currently supported versions. It will be fixed in:
  - 1.4.1
  - 1.3.2
  - 1.0.7
  - 0.103.12

  Thank you to Detlef for identifying this issue.
- CVE-2024-20505:
  Fixed a possible out-of-bounds read bug in the PDF file parser that could
  cause a denial-of-service (DoS) condition.

  This issue affects all currently supported versions. It will be fixed in:
  - 1.4.1
  - 1.3.2
  - 1.0.7
  - 0.103.12

  Thank you to OSS-Fuzz for identifying this issue.
- Removed unused Python modules from freshclam tests including deprecated
  'cgi' module that is expected to cause test failures in Python 3.13.
ClamAV 1.3.2
ClamAV 1.3.2 is a patch release with the following fixes:
- CVE-2024-20506:
  Changed the logging module to disable following symlinks on Linux and Unix
  systems so as to prevent an attacker with existing access to the 'clamd' or
  'freshclam' services from using a symlink to corrupt system files.

  This issue affects all currently supported versions. It will be fixed in:
  - 1.4.1
  - 1.3.2
  - 1.0.7
  - 0.103.12

  Thank you to Detlef for identifying this issue.
- CVE-2024-20505:
  Fixed a possible out-of-bounds read bug in the PDF file parser that could
  cause a denial-of-service (DoS) condition.

  This issue affects all currently supported versions. It will be fixed in:
  - 1.4.1
  - 1.3.2
  - 1.0.7
  - 0.103.12

  Thank you to OSS-Fuzz for identifying this issue.
- Removed unused Python modules from freshclam tests including deprecated
  'cgi' module that is expected to cause test failures in Python 3.13.
- Fix unit test caused by expiring signing certificate.
  - Backport of GitHub pull request
- Fixed a build issue on Windows with newer versions of Rust.
  Also upgraded GitHub Actions imports to fix CI failures.
  Fixes courtesy of liushuyu.
  - Backport of GitHub pull request
- Fixed an unaligned pointer dereference issue on select architectures.
  Fix courtesy of Sebastian Andrzej Siewior.
  - Backport of GitHub pull request
- Fixes to Jenkins CI pipeline.
  For details, see GitHub pull request
ClamAV 1.0.7
ClamAV 1.0.7 is a patch release with the following fixes:
- CVE-2024-20506:
  Changed the logging module to disable following symlinks on Linux and Unix
  systems so as to prevent an attacker with existing access to the 'clamd' or
  'freshclam' services from using a symlink to corrupt system files.

  This issue affects all currently supported versions. It will be fixed in:
  - 1.4.1
  - 1.3.2
  - 1.0.7
  - 0.103.12

  Thank you to Detlef for identifying this issue.
- CVE-2024-20505:
  Fixed a possible out-of-bounds read bug in the PDF file parser that could
  cause a denial-of-service (DoS) condition.

  This issue affects all currently supported versions. It will be fixed in:
  - 1.4.1
  - 1.3.2
  - 1.0.7
  - 0.103.12

  Thank you to OSS-Fuzz for identifying this issue.
- Removed unused Python modules from freshclam tests including deprecated
  'cgi' module that is expected to cause test failures in Python 3.13.
- Fix unit test caused by expiring signing certificate.
  - Backport of GitHub pull request
- Fixed a build issue on Windows with newer versions of Rust.
  Also upgraded GitHub Actions imports to fix CI failures.
  Fixes courtesy of liushuyu.
  - Backport of GitHub pull request
- Fixed an unaligned pointer dereference issue on select architectures.
  Fix courtesy of Sebastian Andrzej Siewior.
  - Backport of GitHub pull request
- Fixes to Jenkins CI pipeline.
  For details, see GitHub pull request
ClamAV 0.103.12
ClamAV 0.103.12 is a patch release with the following fixes:
- CVE-2024-20506:
  Changed the logging module to disable following symlinks on Linux and Unix
  systems so as to prevent an attacker with existing access to the 'clamd' or
  'freshclam' services from using a symlink to corrupt system files.

  This issue affects all currently supported versions. It will be fixed in:
  - 1.4.1
  - 1.3.2
  - 1.0.7
  - 0.103.12

  Thank you to Detlef for identifying this issue.
- CVE-2024-20505:
  Fixed a possible out-of-bounds read bug in the PDF file parser that could
  cause a denial-of-service (DoS) condition.

  This issue affects all currently supported versions. It will be fixed in:
  - 1.4.1
  - 1.3.2
  - 1.0.7
  - 0.103.12

  Thank you to OSS-Fuzz for identifying this issue.
- ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.
- Fixed a bug causing CVDs downloaded by the `DatabaseCustomURL` Freshclam
  config option to be pruned and then re-downloaded with every update.
  Also added the new 'valhalla' database name to the list of optional databases
  in preparation for future work.
  - Backport of GitHub pull request
- Fixed an unaligned pointer dereference issue on select architectures.
  Fix courtesy of Sebastian Andrzej Siewior.
  - Backport of GitHub pull request
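The CVE-2024-20506 fix carried in the 1.4.1, 1.3.2, 1.0.7 and 0.103.12 entries above stops the logger from following symlinks: a user who already has access to the service account and can pre-create the log path as a symlink otherwise gets clamd or freshclam to append into whatever file the link points at. The example below is added here and is not ClamAV's logging code. It shows the primitive on Linux and Unix, `O_NOFOLLOW` on the final path component, next to the plain append-open it replaces, in a constructed scenario under a temporary directory. The function and file names are this example's own.

```python
"""Refuse to log through a symlink (added example, not ClamAV's logging code)."""
import errno
import os
import tempfile


def append_line_following_symlinks(path: str, line: str) -> None:
    """The behaviour being replaced: a plain append-open follows a symlink
    at `path`, so a planted link redirects the write to another file."""
    with open(path, "a") as f:
        f.write(line + "\n")


def open_log_nofollow(path: str, mode: int = 0o640) -> int:
    """Open or create the log for appending without traversing a symlink at
    the final path component.  Raises OSError(ELOOP) if `path` is a symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW
    return os.open(path, flags, mode)


def append_line_nofollow(path: str, line: str) -> str:
    """Return 'written', or 'refused:symlink' when the open was blocked."""
    try:
        fd = open_log_nofollow(path)
    except OSError as e:
        if e.errno == errno.ELOOP:
            return "refused:symlink"
        raise
    try:
        os.write(fd, (line + "\n").encode())
    finally:
        os.close(fd)
    return "written"


def demo() -> dict:
    """Constructed scenario: the expected log path has been replaced by a
    symlink to a file the attacker wants corrupted.  Compare both openers."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        with open(victim, "w") as f:
            f.write("keep me\n")
        planted = os.path.join(d, "clamd.log")     # attacker-planted symlink
        os.symlink(victim, planted)
        honest = os.path.join(d, "freshclam.log")  # ordinary log path

        results = {}
        results["regular_file"] = append_line_nofollow(honest, "update ok")
        results["symlink_nofollow"] = append_line_nofollow(planted, "update ok")
        with open(victim) as f:
            results["victim_intact_after_nofollow"] = f.read() == "keep me\n"

        # The pre-fix behaviour: the write lands in victim.conf.
        append_line_following_symlinks(planted, "update ok")
        with open(victim) as f:
            results["victim_intact_after_follow"] = f.read() == "keep me\n"
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

`O_NOFOLLOW` only refuses a symlink at the last path component; a symlinked parent directory is still traversed, so the directory that holds the log must itself be owned by root and not writable by the service user for the flag to close the hole.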