diff options
| -rw-r--r-- | recipes-scanners/clamav/clamav_0.104.0.bb | 1 | ||||
| -rw-r--r-- | recipes-scanners/clamav/files/CVE-2024-20328.patch | 153 |
2 files changed, 154 insertions, 0 deletions
diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb index 0a6b92a..39abda9 100644 --- a/recipes-scanners/clamav/clamav_0.104.0.bb +++ b/recipes-scanners/clamav/clamav_0.104.0.bb | |||
| @@ -21,6 +21,7 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.104;protocol=http | |||
| 21 | file://headers_fixup.patch \ | 21 | file://headers_fixup.patch \ |
| 22 | file://oe_cmake_fixup.patch \ | 22 | file://oe_cmake_fixup.patch \ |
| 23 | file://fix_systemd_socket.patch \ | 23 | file://fix_systemd_socket.patch \ |
| 24 | file://CVE-2024-20328.patch \ | ||
| 24 | file://CVE-2024-20505.patch \ | 25 | file://CVE-2024-20505.patch \ |
| 25 | file://CVE-2024-20506.patch \ | 26 | file://CVE-2024-20506.patch \ |
| 26 | " | 27 | " |
diff --git a/recipes-scanners/clamav/files/CVE-2024-20328.patch b/recipes-scanners/clamav/files/CVE-2024-20328.patch new file mode 100644 index 0000000..2f422cf --- /dev/null +++ b/recipes-scanners/clamav/files/CVE-2024-20328.patch | |||
| @@ -0,0 +1,153 @@ | |||
| 1 | From fe7638287bb11419474ea314652404e7e9b314b2 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Micah Snyder <micasnyd@cisco.com> | ||
| 3 | Date: Wed, 10 Jan 2024 12:09:15 -0500 | ||
| 4 | Subject: [PATCH] ClamD: Disable VirusEvent '%f' feature, use environment var | ||
| 5 | instead | ||
| 6 | |||
| 7 | The '%f' filename format character has been disabled and will no longer | ||
| 8 | be replaced with the file name, due to command injection security concerns. | ||
| 9 | Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead. | ||
| 10 | |||
| 11 | For the same reason, you should NOT use the environment variables in the | ||
| 12 | command directly, but should use it carefully from your executed script. | ||
| 13 | |||
| 14 | Upstream-Status: Backport [https://github.com/Cisco-Talos/clamav/commit/fe7638287bb11419474ea314652404e7e9b314b2] | ||
| 15 | CVE: CVE-2024-20328 | ||
| 16 | Signed-off-by: Vijay Anusuri <vanusuri@mvista.com> | ||
| 17 | --- | ||
| 18 | clamd/clamd_others.c | 8 +++++--- | ||
| 19 | common/optparser.c | 2 +- | ||
| 20 | docs/man/clamd.conf.5.in | 14 ++++++++++---- | ||
| 21 | etc/clamd.conf.sample | 18 ++++++++++++------ | ||
| 22 | win32/conf_examples/clamd.conf.sample | 18 ++++++++++++------ | ||
| 23 | 5 files changed, 40 insertions(+), 20 deletions(-) | ||
| 24 | |||
| 25 | diff --git a/clamd/clamd_others.c b/clamd/clamd_others.c | ||
| 26 | index 23f3b022c7..32d0701a0d 100644 | ||
| 27 | --- a/clamd/clamd_others.c | ||
| 28 | +++ b/clamd/clamd_others.c | ||
| 29 | @@ -101,6 +101,8 @@ void virusaction(const char *filename, const char *virname, | ||
| 30 | #define VE_FILENAME "CLAM_VIRUSEVENT_FILENAME" | ||
| 31 | #define VE_VIRUSNAME "CLAM_VIRUSEVENT_VIRUSNAME" | ||
| 32 | |||
| 33 | +#define FILENAME_DISABLED_MESSAGE "The filename format character has been disabled due to security concerns, use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead." | ||
| 34 | + | ||
| 35 | void virusaction(const char *filename, const char *virname, | ||
| 36 | const struct optstruct *opts) | ||
| 37 | { | ||
| 38 | @@ -145,7 +147,7 @@ void virusaction(const char *filename, const char *virname, | ||
| 39 | } | ||
| 40 | len = strlen(opt->strarg); | ||
| 41 | buffer_cmd = | ||
| 42 | - (char *)calloc(len + v * strlen(virname) + f * strlen(filename) + 1, sizeof(char)); | ||
| 43 | + (char *)calloc(len + v * strlen(virname) + f * strlen(FILENAME_DISABLED_MESSAGE) + 1, sizeof(char)); | ||
| 44 | if (!buffer_cmd) { | ||
| 45 | if (path) | ||
| 46 | xfree(env[0]); | ||
| 47 | @@ -160,8 +162,8 @@ void virusaction(const char *filename, const char *virname, | ||
| 48 | j += strlen(virname); | ||
| 49 | i++; | ||
| 50 | } else if (i + 1 < len && opt->strarg[i] == '%' && opt->strarg[i + 1] == 'f') { | ||
| 51 | - strcat(buffer_cmd, filename); | ||
| 52 | - j += strlen(filename); | ||
| 53 | + strcat(buffer_cmd, FILENAME_DISABLED_MESSAGE); | ||
| 54 | + j += strlen(FILENAME_DISABLED_MESSAGE); | ||
| 55 | i++; | ||
| 56 | } else { | ||
| 57 | buffer_cmd[j++] = opt->strarg[i]; | ||
| 58 | diff --git a/common/optparser.c b/common/optparser.c | ||
| 59 | index a7bdbee064..1be7afe867 100644 | ||
| 60 | --- a/common/optparser.c | ||
| 61 | +++ b/common/optparser.c | ||
| 62 | @@ -333,7 +333,7 @@ const struct clam_option __clam_options[] = { | ||
| 63 | |||
| 64 | {"DisableCache", "disable-cache", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option allows you to disable clamd's caching feature.", "no"}, | ||
| 65 | |||
| 66 | - {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when a virus is found. In the command string %v will be\nreplaced with the virus name and %f will be replaced with the file name.\nAdditionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME\nand $CLAM_VIRUSEVENT_VIRUSNAME.", "/usr/bin/mailx -s \"ClamAV VIRUS ALERT: %v\" alert < /dev/null"}, | ||
| 67 | + {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when virus is found.\nUse the following environment variables to identify the file and virus names:\n- $CLAM_VIRUSEVENT_FILENAME\n- $CLAM_VIRUSEVENT_VIRUSNAME\nIn the command string, '%v' will also be replaced with the virus name.\nNote: The '%f' filename format character has been disabled and will no longer\nbe replaced with the file name, due to command injection security concerns.\nUse the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.\nFor the same reason, you should NOT use the environment variables in the\ncommand directly, but should use it carefully from your executed script.", "/opt/send_virus_alert_sms.sh"}, | ||
| 68 | |||
| 69 | {"ExitOnOOM", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Stop the daemon when libclamav reports an out of memory condition.", "yes"}, | ||
| 70 | |||
| 71 | diff --git a/docs/man/clamd.conf.5.in b/docs/man/clamd.conf.5.in | ||
| 72 | index 2d9748a39e..a9926533b9 100644 | ||
| 73 | --- a/docs/man/clamd.conf.5.in | ||
| 74 | +++ b/docs/man/clamd.conf.5.in | ||
| 75 | @@ -240,10 +240,16 @@ Enable non-blocking (multi-threaded/concurrent) database reloads. This feature w | ||
| 76 | Default: yes | ||
| 77 | .TP | ||
| 78 | \fBVirusEvent COMMAND\fR | ||
| 79 | -Execute a command when a virus is found. In the command string %v will be | ||
| 80 | -replaced with the virus name and %f will be replaced with the file name. | ||
| 81 | -Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME | ||
| 82 | -and $CLAM_VIRUSEVENT_VIRUSNAME. | ||
| 83 | +Execute a command when virus is found. | ||
| 84 | +Use the following environment variables to identify the file and virus names: | ||
| 85 | +- $CLAM_VIRUSEVENT_FILENAME | ||
| 86 | +- $CLAM_VIRUSEVENT_VIRUSNAME | ||
| 87 | +In the command string, '%v' will also be replaced with the virus name. | ||
| 88 | +Note: The '%f' filename format character has been disabled and will no longer | ||
| 89 | +be replaced with the file name, due to command injection security concerns. | ||
| 90 | +Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead. | ||
| 91 | +For the same reason, you should NOT use the environment variables in the | ||
| 92 | +command directly, but should use it carefully from your executed script. | ||
| 93 | \fR | ||
| 94 | .br | ||
| 95 | Default: disabled | ||
| 96 | diff --git a/etc/clamd.conf.sample b/etc/clamd.conf.sample | ||
| 97 | index 37fb03bf20..54738128da 100644 | ||
| 98 | --- a/etc/clamd.conf.sample | ||
| 99 | +++ b/etc/clamd.conf.sample | ||
| 100 | @@ -209,12 +209,18 @@ Example | ||
| 101 | # Default: yes | ||
| 102 | #ConcurrentDatabaseReload no | ||
| 103 | |||
| 104 | -# Execute a command when virus is found. In the command string %v will | ||
| 105 | -# be replaced with the virus name and %f will be replaced with the file name. | ||
| 106 | -# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME | ||
| 107 | -# and $CLAM_VIRUSEVENT_VIRUSNAME. | ||
| 108 | -# Default: no | ||
| 109 | -#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f" | ||
| 110 | +# Execute a command when virus is found. | ||
| 111 | +# Use the following environment variables to identify the file and virus names: | ||
| 112 | +# - $CLAM_VIRUSEVENT_FILENAME | ||
| 113 | +# - $CLAM_VIRUSEVENT_VIRUSNAME | ||
| 114 | +# In the command string, '%v' will also be replaced with the virus name. | ||
| 115 | +# Note: The '%f' filename format character has been disabled and will no longer | ||
| 116 | +# be replaced with the file name, due to command injection security concerns. | ||
| 117 | +# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead. | ||
| 118 | +# For the same reason, you should NOT use the environment variables in the | ||
| 119 | +# command directly, but should use it carefully from your executed script. | ||
| 120 | +# Default: no | ||
| 121 | +#VirusEvent /opt/send_virus_alert_sms.sh | ||
| 122 | |||
| 123 | # Run as another user (clamd must be started by root for this option to work) | ||
| 124 | # Default: don't drop privileges | ||
| 125 | diff --git a/win32/conf_examples/clamd.conf.sample b/win32/conf_examples/clamd.conf.sample | ||
| 126 | index 5a8a9cfeae..a4813f99cb 100644 | ||
| 127 | --- a/win32/conf_examples/clamd.conf.sample | ||
| 128 | +++ b/win32/conf_examples/clamd.conf.sample | ||
| 129 | @@ -182,12 +182,18 @@ TCPAddr localhost | ||
| 130 | # Default: yes | ||
| 131 | #ConcurrentDatabaseReload no | ||
| 132 | |||
| 133 | -# Execute a command when virus is found. In the command string %v will | ||
| 134 | -# be replaced with the virus name and %f will be replaced with the file name. | ||
| 135 | -# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME | ||
| 136 | -# and $CLAM_VIRUSEVENT_VIRUSNAME. | ||
| 137 | -# Default: no | ||
| 138 | -#VirusEvent "C:\example\SendEmail.ps1" email@addresscom "VIRUS ALERT: %v in %f" | ||
| 139 | +# Execute a command when virus is found. | ||
| 140 | +# Use the following environment variables to identify the file and virus names: | ||
| 141 | +# - $CLAM_VIRUSEVENT_FILENAME | ||
| 142 | +# - $CLAM_VIRUSEVENT_VIRUSNAME | ||
| 143 | +# In the command string, '%v' will also be replaced with the virus name. | ||
| 144 | +# Note: The '%f' filename format character has been disabled and will no longer | ||
| 145 | +# be replaced with the file name, due to command injection security concerns. | ||
| 146 | +# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead. | ||
| 147 | +# For the same reason, you should NOT use the environment variables in the | ||
| 148 | +# command directly, but should use it carefully from your executed script. | ||
| 149 | +# Default: no | ||
| 150 | +#VirusEvent "C:\example\SendVirusAlertEmail.ps1" | ||
| 151 | |||
| 152 | # Run as another user (clamd must be started by root for this option to work) | ||
| 153 | # Default: don't drop privileges | ||
