clamav: Update to version 1.5.3

Message ID 20260702130315.3455249-1-adolf.belka@ipfire.org
State Staged
Commit 704a0d7874ec5b2370536948d89ed5c08ecfd44b
Series clamav: Update to version 1.5.3

Commit Message

Adolf Belka 2 Jul 2026, 1:03 p.m. UTC
- Update from version 1.5.2 to 1.5.3
- Update of rootfile
- 8 CVE fixes, one of which is related to a Rust module, plus 2 Rust security fixes that
   do not have an assigned CVE
- Changelog
1.5.3
	CVE-2026-20217<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20217>:
	 Fixed a bug in the PESpin unpacker cleanup path that could free pointers into
	 the scanned file buffer and crash the scanner.
	 This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as
	 2005. The fix is included in 1.5.3 and 1.4.5.
	CVE-2026-20213<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20213>:
	 Fixed an integer overflow in PE rebuild size calculations that could be
	 reached through a malformed Aspack-packed PE file and lead to a heap buffer
	 overflow write.
	 This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as
	 2007. The fix is included in 1.5.3 and 1.4.5.
	CVE-2026-20216<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20216>:
	 Fixed an InstallShield archive extraction limit bypass that could write far
	 more temporary data than intended and exhaust temporary storage.
	 This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as
	 2009. The fix is included in 1.5.3 and 1.4.5.
	CVE-2026-20214<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20214>:
	 Fixed an FSG unpacker loop underflow that could write past the section array
	 while scanning a malformed PE file.
	 This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as
	 2004. The fix is included in 1.5.3 and 1.4.5.
	CVE-2026-20243<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20243>:
	 Fixed ALZ parser size handling bugs that could cause malformed ALZ archives
	 to panic, abort the scanner, or skip expected scan-limit handling.
	 This issue affects ClamAV 1.5.0 through 1.5.2 and 1.4.0 through 1.4.4. The
	 fix is included in 1.5.3 and 1.4.5.
	CVE-2026-20215<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20215>:
	 Fixed a 7z parser substream count overflow that could under-allocate parser
	 metadata arrays and write past them while reading a malformed archive.
	 This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions back to 2009.
	 The fix is included in 1.5.3 and 1.4.5.
	CVE-2026-20244<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-20244>:
	 Fixed 32-bit DMG parser size checks that could let a short mish stripe table
	 pass validation and crash 32-bit scanner builds.
	 This issue affects 32-bit ClamAV builds from 0.98.1 through 1.5.2, including
	 1.4.0 through 1.4.4 and 1.5.0 through 1.5.2. It does not affect 64-bit builds.
	 The fix is included in 1.5.3 and 1.4.5.
	Hardened clamscan, clamdscan, and clamonacc quarantine actions against
	 time-of-check/time-of-use races that could redirect copied, moved, or removed
	 files under unsafe quarantine directory configurations.
	Upgraded the Rust tar dependency to resolve the RUSTSEC-2026-0067 and
	 RUSTSEC-2026-0068 advisories, and upgraded the Rust openssl dependency to
	 resolve CVE-2026-41676.
	Raised the minimum required CMake version to 3.17 to fix Linux builds with
	 libcurl v8.21.0 when linking static library dependencies.
	Metadata preclass scans now run before the final scan verdict.
	ClamOnAcc: Fixed errors when recursively excluded paths are children of an
	 included path.
	ClamOnAcc: Fixed hash bucket list corruption when two watched paths collide in
	 the same bucket.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 config/rootfiles/packages/clamav | 9 ++++++---
 lfs/clamav                       | 6 +++---
 2 files changed, 9 insertions(+), 6 deletions(-)
  

Patch

diff --git a/config/rootfiles/packages/clamav b/config/rootfiles/packages/clamav
index 0fe438477..f17380c98 100644
--- a/config/rootfiles/packages/clamav
+++ b/config/rootfiles/packages/clamav
@@ -149,6 +149,7 @@  usr/sbin/clamd
 #usr/share/doc/ClamAV/html/manual/Signatures/YaraRules.html
 #usr/share/doc/ClamAV/html/manual/Usage
 #usr/share/doc/ClamAV/html/manual/Usage.html
+#usr/share/doc/ClamAV/html/manual/Usage/ClamdProtocol.html
 #usr/share/doc/ClamAV/html/manual/Usage/Configuration.html
 #usr/share/doc/ClamAV/html/manual/Usage/ReportABug.html
 #usr/share/doc/ClamAV/html/manual/Usage/Scanning.html
@@ -156,14 +157,16 @@  usr/sbin/clamd
 #usr/share/doc/ClamAV/html/manual/Usage/SignatureManagement.html
 #usr/share/doc/ClamAV/html/manual/cisco-talos.gpg
 #usr/share/doc/ClamAV/html/mark-09e88c2c.min.js
+#usr/share/doc/ClamAV/html/mermaid-eefea253.min.js
+#usr/share/doc/ClamAV/html/mermaid-init-ccf746f1.js
 #usr/share/doc/ClamAV/html/mode-rust-2c9d5c9a.js
 #usr/share/doc/ClamAV/html/print.html
-#usr/share/doc/ClamAV/html/searcher-c2a407aa.js
-#usr/share/doc/ClamAV/html/searchindex-1b5ba28b.js
+#usr/share/doc/ClamAV/html/searcher-09f2665d.js
+#usr/share/doc/ClamAV/html/searchindex-d348bbbb.js
 #usr/share/doc/ClamAV/html/sitemap.xml
 #usr/share/doc/ClamAV/html/theme-dawn-4493f9c8.js
 #usr/share/doc/ClamAV/html/theme-tomorrow_night-9dbe62a9.js
-#usr/share/doc/ClamAV/html/toc-cbaddea7.js
+#usr/share/doc/ClamAV/html/toc-0c194aa2.js
 #usr/share/doc/ClamAV/html/toc.html
 #usr/share/doc/ClamAV/html/tomorrow-night-4c0ae647.css
 #var/ipfire/clamav
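Review bot: The commit message's "Update of rootfile" does not say what changed in the package contents. In this hunk and the one before it, every added or renamed entry (`ClamdProtocol.html`, the two `mermaid-*.js` files, and the re-hashed `searcher`, `searchindex` and `toc` scripts) is a commented-out documentation path like its neighbours. Suggest stating in the message that the rootfile change only touches commented-out doc entries, so a reviewer can tell at a glance that no binary or library path changed with this security update.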
diff --git a/lfs/clamav b/lfs/clamav
index 888803c10..5320f6986 100644
--- a/lfs/clamav
+++ b/lfs/clamav
@@ -26,7 +26,7 @@  include Config
 
 SUMMARY    = Antivirus Toolkit
 
-VER        = 1.5.2
+VER        = 1.5.3
 
 THISAPP    = clamav-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
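Review bot: The `VER = 1.5.3` bump pulls in the upstream change, listed in the commit message, that raises the minimum required CMake version to 3.17, while the only other changes to `lfs/clamav` are `PAK_VER` and the checksum. Suggest confirming that the build environment's CMake meets that minimum and adding a line to the message saying the package was build-tested.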
@@ -34,7 +34,7 @@  DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 PROG       = clamav
-PAK_VER    = 83
+PAK_VER    = 84
 
 DEPS       =
 
@@ -50,7 +50,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = e63131ac19160a68c6acd9413263fd5793a6acf67adfe30873f6c56bca3a29286bf4f872e439b9c4b75ab772d20e9b05a0e0b3ac19399ac81033c52d7c2b6d42
+$(DL_FILE)_BLAKE2 = 1b2d42bc8c4fed29b71e10be9823da17f861a11e6a818654ae51b2b1fbd16619494572f9aa5e8712433bd65443c33f3e250baa99bb1fea031aa47c6bf6b81c21
 
 
 install : $(TARGET)
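Review bot: The new `$(DL_FILE)_BLAKE2` value cannot be checked from the patch itself, and the tarball is fetched from the location given by `DL_FROM = $(URL_IPFIRE)` in the previous hunk. Suggest recording in the commit message how the uploaded `clamav-1.5.3.tar.gz` was verified against the upstream release (signature or published checksum) before this hash was computed, since for a release carrying this many memory-safety fixes the hash is what the build will trust.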