[Clamav-devel] ClamAV 0.103.7, 0.104.1 and 0.105.1 patch versions published
Micah Snyder (micasnyd)
micasnyd at cisco.com
Wed Jul 27 18:40:22 UTC 2022
Hi Ged,
The UnRAR CVE was a driver for getting out the bug fixes sooner rather than later. For 0.105.0 there were a couple of other bad bugs we really wanted to fix, notably the ERROR response from files where a fuzzy image hash fails.
That said, I don't believe the UnRAR CVE issue is a serious security issue in Clam. Unless you use clamscan's `--leave-temps` option (or clamd's `LeaveTemporaryFiles yes` config option), files extracted from RAR archives are assigned randomly generated filenames, and so path traversal isn't a concern. If you do have the "leave temps" feature enabled, which you wouldn't for production, the temporary file still gets a random suffix added, so it can't be used to replace a specific file or directory. There may still be some risk there, but it is significantly mitigated. I left notes from my investigation on this issue if you're interested: https://github.com/Cisco-Talos/clamav/issues/580#issuecomment-1192043905
Regards,
Micah
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
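An added illustration of the point made above about random temp-file names; this is example code written for this page, not ClamAV's or UnRAR's own code. It runs a constructed two-entry "archive" (one benign entry, one whose stored name is `../escaped.txt`, the traversal shape the UnRAR bug lets through) past three toy extractors: one that trusts the entry name (vulnerable), one that ignores the entry name and uses a random file in the extraction directory (the default behaviour described above), and a hypothetical model of a "leave temps" layout that keeps a basename but appends a random suffix. The third extractor, its dropping of directory components, and all function names are assumptions for illustration, not ClamAV's actual naming scheme.

```python
import os
import secrets
import tempfile

# Constructed sample archive: (entry name as stored in the archive, payload).
# The second entry carries a path-traversal name of the kind the UnRAR bug
# passes through to the extractor.
SAMPLE_ARCHIVE = [
    ("readme.txt", b"benign content\n"),
    ("../escaped.txt", b"must not land outside the extraction directory\n"),
]


def naive_extract(archive, dest):
    """Vulnerable pattern: trust the entry name when building the output path.

    Returns the resolved paths that were actually written.
    """
    written = []
    for name, data in archive:
        target = os.path.join(dest, name)            # traversal happens here
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as fh:
            fh.write(data)
        written.append(os.path.realpath(target))
    return written


def random_name_extract(archive, dest):
    """Mitigated pattern: the entry name is never used for the on-disk name;
    each payload goes to a fresh, randomly named file created inside dest."""
    written = []
    for _name, data in archive:
        fd, path = tempfile.mkstemp(dir=dest)        # random name, O_EXCL
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        written.append(os.path.realpath(path))
    return written


def suffixed_name_extract(archive, dest):
    """Hypothetical 'leave temps' style layout (an assumption for this
    example, not ClamAV's scheme): keep a readable basename, drop any
    directory components, and append a random suffix so an attacker
    cannot choose the final path."""
    written = []
    for name, data in archive:
        base = os.path.basename(name.replace("\\", "/"))
        path = os.path.join(dest, f"{base}.{secrets.token_hex(8)}")
        with open(path, "xb") as fh:                 # 'x': never overwrite
            fh.write(data)
        written.append(os.path.realpath(path))
    return written


def outside(paths, dest):
    """Return the written paths that escaped the extraction directory."""
    root = os.path.realpath(dest)
    return [p for p in paths if os.path.commonpath([root, p]) != root]


def run_demo():
    """Extract the sample archive with each strategy into its own fresh
    directory and count how many files escaped that directory."""
    root = tempfile.mkdtemp(prefix="rar-demo-")
    escaped = {}
    for label, extractor in (("naive", naive_extract),
                             ("random", random_name_extract),
                             ("suffixed", suffixed_name_extract)):
        dest = os.path.join(root, label)
        os.mkdir(dest)
        escaped[label] = len(outside(extractor(SAMPLE_ARCHIVE, dest), dest))
    return escaped


def name_is_predictable(extractor):
    """True if extracting the same archive twice into the same directory
    reuses an on-disk path, i.e. an attacker could aim a payload at it."""
    dest = tempfile.mkdtemp(prefix="rar-demo-")
    first = set(extractor(SAMPLE_ARCHIVE, dest))
    second = set(extractor(SAMPLE_ARCHIVE, dest))
    return bool(first & second)


if __name__ == "__main__":
    print(run_demo())                                # {'naive': 1, 'random': 0, 'suffixed': 0}
    for fn in (naive_extract, random_name_extract, suffixed_name_extract):
        print(fn.__name__, "predictable:", name_is_predictable(fn))
```

The two checks separate the two claims in the message: `outside()` shows whether a traversal name can place a file outside the extraction directory at all, and `name_is_predictable()` shows whether an attacker can target a specific path to overwrite. The naive extractor fails both; the random-name extractor passes both; the suffixed model passes both only because it also strips directory components, which is the assumption flagged in the lead-in.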
________________________________
From: clamav-devel <clamav-devel-bounces at lists.clamav.net> on behalf of G.W. Haywood <clamav-devel at jubileegroup.co.uk>
Sent: Wednesday, July 27, 2022 6:31 AM
To: clamav-devel at lists.clamav.net <clamav-devel at lists.clamav.net>
Subject: Re: [Clamav-devel] ClamAV 0.103.7, 0.104.1 and 0.105.1 patch versions published
Hi there,
On Wed, 27 Jul 2022, Micah Snyder wrote:
> Today, we are releasing the following critical patch versions:
I haven't been able to find the details, but presumably this is to fix
CVE-2022-30333 in unrar?
--
73,
Ged.
_______________________________________________
clamav-devel mailing list
clamav-devel at lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-devel
Please submit your patches to our Github: https://github.com/Cisco-Talos/clamav-devel/pulls
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml