CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| clamav (Ubuntu) | Fix Released | Undecided | David Fernandez Gonzalez | |
| Bionic | Fix Released | Undecided | David Fernandez Gonzalez | |
| Focal | Fix Released | Undecided | David Fernandez Gonzalez | |
| Jammy | Fix Released | Undecided | David Fernandez Gonzalez | |
| Kinetic | Fix Released | Undecided | David Fernandez Gonzalez | |
| Lunar | Fix Released | Undecided | David Fernandez Gonzalez | |
Bug Description
CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.
https:/
--
Read this online at https:/
-----------------
Today, we are releasing the following critical patch versions for ClamAV:
0.103.8
0.105.2
1.0.1
ClamAV 0.104 has reached end-of-life according to the ClamAV End of Life (EOL) policy and will not be patched. Anyone using ClamAV 0.104 must switch to a supported version. All users should update as soon as possible to patch for two remote code execution vulnerabilities that we recently discovered and patched.
The release files are available for download on ClamAV.net, on the GitHub Release page, and through Docker Hub.
1.0.1
ClamAV 1.0.1 is a critical patch release with the following fixes:
CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.
CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.
Fix an allmatch detection issue with the preclass bytecode hook.
GitHub pull request: https:/
Update the vendored libmspack library to version 0.11alpha.
GitHub pull request: https:/
0.105.2
ClamAV 0.105.2 is a critical patch release with the following fixes:
CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.
CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.
Fixed an issue loading Yara rules containing regex strings with an escaped forward-slash (\/) followed by a colon (:).
GitHub pull request: https:/
Moved the ClamAV Docker files for building containers to a new Git repository. The Docker files are now in https:/
GitHub pull request: https:/
Update the vendored libmspack library to version 0.11alpha.
GitHub pull request: https:/
0.103.8
ClamAV 0.103.8 is a critical patch release with the following fixes:
CVE-2023-20032: Fixed a possible remote code execution vulnerability in the HFS+ file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.
CVE-2023-20052: Fixed a possible remote information leak vulnerability in the DMG file parser. The issue affects versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier. Thank you to Simon Scannell for reporting this issue.
Update the vendored libmspack library to version 0.11alpha.
GitHub pull request: https:/
Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
_______
clamav-announce mailing list
<email address hidden>
https:/
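The announcement above gives everything needed to decide whether a given ClamAV install is exposed: the fixed releases are 0.103.8, 0.105.2 and 1.0.1, the 0.104 branch is end-of-life and was never patched, and anything older than 0.103 is likewise out of support. The following is an added example (not code from the bug report or from the ClamAV project) that turns those facts into a version check usable in a fleet audit. It accepts the string printed by `clamscan --version` (e.g. `ClamAV 0.103.7/26809/...`) or an Ubuntu package version as reported by `dpkg-query`; the sample strings in the tests are constructed for the example, and the function names `parse_version`, `assess` and `check_installed` are this example's own.

```python
"""Classify a ClamAV version against the CVE-2023-20032 / CVE-2023-20052 fixes.

Added example; not part of the Launchpad bug or the ClamAV announcement.
Facts used (from the announcement): fixed in 0.103.8, 0.105.2 and 1.0.1;
0.104.x is EOL and unpatched; "1.0.0 and earlier" is affected.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each supported branch, as stated in the announcement.
FIXED_ON_BRANCH = {
    (0, 103): (0, 103, 8),
    (0, 105): (0, 105, 2),
    (1, 0): (1, 0, 1),
}
EOL_UNPATCHED = {(0, 104)}  # reached EOL before the fix; never patched

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first X.Y.Z triple from a clamscan or dpkg version string.

    Works for 'ClamAV 0.103.7/26809/Tue Feb 14 ...' and for
    '0.103.8+dfsg-0ubuntu0.20.04.1'. The daily signature build number and
    the Debian revision are deliberately ignored: the fix is in the engine
    (libclamav), not in the signature database.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Return 'patched', 'vulnerable', 'eol' or 'unknown' for a version string."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    branch = v[:2]
    # "1.0.0 and earlier" is affected, so anything at or above 1.0.1 is fixed.
    if v >= (1, 0, 1):
        return "patched"
    if branch in EOL_UNPATCHED:
        return "eol"
    if branch in FIXED_ON_BRANCH:
        return "patched" if v >= FIXED_ON_BRANCH[branch] else "vulnerable"
    # 0.102 and older: out of support before the advisory, never patched.
    return "vulnerable"


def check_installed() -> str:
    """Run the local clamscan binary and classify it; 'unknown' if absent."""
    try:
        out = subprocess.run(
            ["clamscan", "--version"], capture_output=True, text=True, check=False
        ).stdout
    except FileNotFoundError:
        return "unknown"
    return assess(out)


if __name__ == "__main__":
    print(check_installed())
```

One caveat for distribution packages: a vendor may backport the fix without bumping the upstream version, in which case the engine version alone under-reports. For Ubuntu the fix shipped as new upstream microreleases (which is what the table at the top of this bug records), so the version check holds there; elsewhere, confirm by looking for the CVE id in the package changelog before trusting a "vulnerable" verdict.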
CVE References
Changed in clamav (Ubuntu):
  assignee: nobody → David Fernandez Gonzalez (litios)
  information type: Private Security → Public Security
Changed in clamav (Ubuntu Bionic):
  status: New → In Progress
Changed in clamav (Ubuntu Focal):
  status: New → In Progress
Changed in clamav (Ubuntu Jammy):
  status: New → In Progress
Changed in clamav (Ubuntu Kinetic):
  status: New → In Progress
Changed in clamav (Ubuntu Lunar):
  status: New → In Progress
Changed in clamav (Ubuntu Kinetic):
  assignee: nobody → David Fernandez Gonzalez (litios)
Changed in clamav (Ubuntu Jammy):
  assignee: nobody → David Fernandez Gonzalez (litios)
Changed in clamav (Ubuntu Focal):
  assignee: nobody → David Fernandez Gonzalez (litios)
Changed in clamav (Ubuntu Bionic):
  assignee: nobody → David Fernandez Gonzalez (litios)
Is there anything that I, and/or others, can do to help resolve this CVE? As it's a critical (9.8 CVE) RCE, I'm quite concerned about running ClamAV right now with any exposure to the internet, and have begun looking into compiling a drop-in replacement of ClamAV for this existing package.
If there's anything I can do to help test or compile the upstream code with different options, please let me know. I'm happy to help, as I want to see this resolved as quickly as possible.