Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clam 2612 Fix DatabaseCustomURL CVD prune bug, and add 'valhalla' optional database (1.3.1) #1238

Merged

Conversation

micahsnyder
Copy link
Contributor

Backport of #1233


  • Freshclam: fix issue DatabaseCustomURL CVD prune issue

    If using DatabaseCustomURL to download a CVD that Freshclam doesn't know about, i.e. one that is not in the hardcoded standard or optional database lists in freshclam.c, Freshclam will prune the database and then re-download it.

    This change makes it so we look for URL's with ".cvd" at the end and then take those into consideration when checking which CVD's (or CLD's) should be pruned.

    Note that I didn't change the interface to fc_prune_database_directory(). That would have been cleaner, but would've changed the public API and I want to backport this fix.

  • Add 'valhalla' to Freshclam's list of optional CVD's

If using DatabaseCustomURL to download a CVD that Freshclam doesn't know
about, i.e. one that is not in the hardcoded standard or optional
database lists in freshclam.c, Freshclam will prune the database and
then re-download it.

This change makes it so we look for URL's with ".cvd" at the end and
then take those into consideration when checking which CVD's (or CLD's)
should be pruned.

Note that I didn't change the interface to
fc_prune_database_directory(). That would have been cleaner, but
would've changed the public API and I want to backport this fix.
@micahsnyder micahsnyder merged commit d36280b into Cisco-Talos:dev/1.3.1 Apr 15, 2024
23 of 24 checks passed
@micahsnyder micahsnyder deleted the CLAM-2612-valhalla-1.3.1 branch September 1, 2024 17:34
mtremer pushed a commit to ipfire/ipfire-2.x that referenced this pull request Sep 3, 2024
- Update from version 1.3.0 to 1.3.1
- Update of rootfile not required
- As we can not upgrade currently to version 1.4.0 due to the rust/ruby issue we need to
   update to 1.3.1 as it has a CVE fix in it.
- There are three rust dependencies that have been updated but all have a rust-1.57
   requirement so have no problem with our current rust-1.67.0 version
- Changelog
    1.3.1
      This is a critical patch release with the following fixes:
	- [CVE-2024-20380](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20380):
	  Fixed a possible crash in the HTML file parser that could cause a
	  denial-of-service (DoS) condition.
	  This issue affects version 1.3.0 only and does not affect prior versions.
	  - [GitHub pull request](Cisco-Talos/clamav#1242)
	- Updated select Rust dependencies to the latest versions.
	  This resolved Cargo audit complaints and included PNG parser bug fixes.
	  - [GitHub pull request](Cisco-Talos/clamav#1227)
	- Fixed a bug causing some text to be truncated when converting from UTF-16.
	  - [GitHub pull request](Cisco-Talos/clamav#1230)
	- Fixed assorted complaints identified by Coverity static analysis.
	  - [GitHub pull request](Cisco-Talos/clamav#1235)
	- Fixed a bug causing CVDs downloaded by the `DatabaseCustomURL` Freshclam
	  config option to be pruned and then re-downloaded with every update.
	  - [GitHub pull request](Cisco-Talos/clamav#1238)
	- Added the new 'valhalla' database name to the list of optional databases in
	  preparation for future work.
	  - [GitHub pull request](Cisco-Talos/clamav#1238)
	- Added symbols to the `libclamav.map` file to enable additional build
	  configurations.
	  - [GitHub pull request](Cisco-Talos/clamav#1244)

Signed-off-by: Adolf Belka <[email protected]>
Signed-off-by: Michael Tremer <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant