[Clamav-announce] ClamAV® blog: ClamAV 0.101.2 and 0.100.3 patches have been released!
Joel Esler (jesler)
jesler at cisco.com
Fri Mar 29 10:11:01 EDT 2019
>
> https://blog.clamav.net/2019/03/clamav-01012-and-01003-patches-have.html
>
> ClamAV 0.101.2 and 0.100.3 patches have been released!
>
> ClamAV 0.101.2
>
> ClamAV 0.101.2 is a patch release to address a handful of security-related bugs.
>
> This patch release is being released alongside the 0.100.3 patch so that users
> who are unable to upgrade to 0.101 due to libclamav API changes are protected.
>
> This release includes 3 extra security-related bug fixes that do not apply to
> prior versions. In addition, it includes a number of minor bug fixes and
> improvements.
>
> - Fixes for the following vulnerabilities affecting 0.101.1 and prior:
>   - CVE-2019-1787 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1787>:
>     An out-of-bounds heap read condition may occur when scanning PDF
>     documents. The defect is a failure to correctly keep track of the number
>     of bytes remaining in a buffer when indexing file data.
>   - CVE-2019-1789 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1789>:
>     An out-of-bounds heap read condition may occur when scanning PE files
>     (i.e. Windows EXE and DLL files) that have been packed using Aspack as a
>     result of inadequate bound-checking.
>   - CVE-2019-1788 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1788>:
>     An out-of-bounds heap write condition may occur when scanning OLE2 files
>     such as Microsoft Office 97-2003 documents. The invalid write happens when
>     an invalid pointer is mistakenly used to initialize a 32-bit integer to
>     zero. This is likely to crash the application.
>
> - Fixes for the following vulnerabilities affecting 0.101.1 and 0.101.0 only:
>   - CVE-2019-1786 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1786>:
>     An out-of-bounds heap read condition may occur when scanning malformed PDF
>     documents as a result of improper bounds-checking.
>   - CVE-2019-1785 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1785>:
>     A path-traversal write condition may occur as a result of improper input
>     validation when scanning RAR archives. Issue reported by aCaB.
>   - CVE-2019-1798 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1798>:
>     A use-after-free condition may occur as a result of improper error
>     handling when scanning nested RAR archives. Issue reported by David L.
>
> - Fixes for the following assorted bugs:
>   - Added checks to prevent shifts from causing undefined behavior in HTML
>     normalizer, UPX unpacker, ARJ extractor, CPIO extractor, OLE2 parser,
>     LZW decompressor used in the PDF parser, Xz decompressor, and UTF-16 to
>     ASCII transcoder.
>   - Added checks to prevent integer overflow in UPX unpacker.
>   - Fix for minor memory leak in OLE2 parser.
>   - Fix to speed up PDF parser when handling truncated (or malformed) PDFs.
>   - Fix for memory leak in ARJ decoder failure condition.
>   - Fix for potential memory and file descriptor leak in HTML normalization code.
>
> - Removed use of problematic feature that converted file descriptors to
>   file paths. The feature was intended to improve performance when scanning
>   file types, notably RAR archives, for which the API requires a file path.
>   This feature caused issues in environments where the ClamAV engine is run
>   in a low-permissions or sandboxed process. RAR archives are still supported
>   with this change, but performance may suffer slightly if the file path is not
>   provided in calls to `cl_scandesc_callback()`.
> - Added filename and tempfile names to scandesc calls in clamd.
> - Added general scan option `CL_SCAN_GENERAL_UNPRIVILEGED` to treat the scan
>   engine as unprivileged, meaning that the scan engine will not have read
>   access to the file. Provided file paths are for logging purposes only.
> - Added ability to create a temp file when scanning RAR archives when the
>   process does not have read access to the file path provided (i.e.
>   unprivileged is set, or an access check fails).
>
> Thank you to the Google OSS-Fuzz project for identifying and reporting many of
> the bugs patched in this release.
>
> Additional thanks to the following community members for submitting bug reports:
>
> - aCaB
> - David L.
>
> ClamAV 0.100.3
>
> ClamAV 0.100.3 is a patch release to address a few security-related bugs.
>
> This patch release is being released alongside the 0.101.2 patch so that users
> who are unable to upgrade to 0.101 due to libclamav API changes are protected.
>
> The bug fixes in this release are limited to security-related bugs only.
> Users are encouraged to upgrade to 0.101.2 for additional improvements.
>
> - Fixes for the following vulnerabilities:
>   - CVE-2019-1787 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1787>:
>     An out-of-bounds heap read condition may occur when scanning PDF
>     documents. The defect is a failure to correctly keep track of the number
>     of bytes remaining in a buffer when indexing file data.
>   - CVE-2019-1789 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1789>:
>     An out-of-bounds heap read condition may occur when scanning PE files
>     (i.e. Windows EXE and DLL files) that have been packed using Aspack as a
>     result of inadequate bound-checking.
>   - CVE-2019-1788 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1788>:
>     An out-of-bounds heap write condition may occur when scanning OLE2 files
>     such as Microsoft Office 97-2003 documents. The invalid write happens when
>     an invalid pointer is mistakenly used to initialize a 32-bit integer to
>     zero. This is likely to crash the application.
>
> Thank you to the Google OSS-Fuzz project for identifying and reporting the bugs
> patched in this release.
>
> Both of these can be found on ClamAV's downloads site <http://www.clamav.net/downloads>, with 0.101.2 as the main release and 0.100.3 under "Previous Stable Releases".
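
The defect class named for CVE-2019-1787 (losing track of how many bytes remain in a buffer while indexing file data), shown as an added example that is not part of the announcement and is not ClamAV's code: a cursor that moves the read position and the remaining-byte count together while parsing a constructed PDF object header. The names `cursor`, `cur_skip`, `cur_skip_ws`, `cur_read_u32` and `parse_obj_header` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Position and bytes-left travel together (hypothetical helper, not libclamav code). */
struct cursor { const uint8_t *p; size_t left; };

/* Advance by n bytes; refuse (return 0) rather than run past the end. */
static int cur_skip(struct cursor *c, size_t n) {
    if (n > c->left) return 0;
    c->p += n; c->left -= n;
    return 1;
}

static void cur_skip_ws(struct cursor *c) { /* skip PDF whitespace */
    while (c->left && (*c->p == ' ' || *c->p == '\n' || *c->p == '\r' || *c->p == '\t'))
        cur_skip(c, 1);
}

/* Read a decimal number; fails when there are no digits or on overflow. */
static int cur_read_u32(struct cursor *c, uint32_t *out) {
    uint64_t v = 0; size_t digits = 0;
    while (c->left && *c->p >= '0' && *c->p <= '9') {
        v = v * 10 + (uint64_t)(*c->p - '0');
        if (v > UINT32_MAX) return 0;
        cur_skip(c, 1); digits++;
    }
    *out = (uint32_t)v;
    return digits > 0;
}

/* Parse "<id> <gen> obj" from buf[0..len); buf need not be NUL-terminated.
 * Returns 1 and fills id/gen, or 0 on malformed or truncated input. */
int parse_obj_header(const uint8_t *buf, size_t len, uint32_t *id, uint32_t *gen) {
    struct cursor c = { buf, len };
    cur_skip_ws(&c);
    if (!cur_read_u32(&c, id)) return 0;
    cur_skip_ws(&c);
    if (!cur_read_u32(&c, gen)) return 0;
    cur_skip_ws(&c);
    if (c.left < 3 || memcmp(c.p, "obj", 3) != 0) return 0; /* check left before comparing */
    return cur_skip(&c, 3);
}

int main(void) {
    const uint8_t sample[] = "12 0 obj\n<<"; /* constructed input */
    uint32_t id, gen;
    return parse_obj_header(sample, sizeof sample - 1, &id, &gen) ? 0 : 1;
}
```

Every read goes through the cursor, so a truncated header is rejected instead of being indexed past the end of the buffer.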