From patchwork Thu Jul 2 13:03:15 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9995
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] clamav: Update to version 1.5.3
Date: Thu, 2 Jul 2026 15:03:15 +0200
Message-ID: <20260702130315.3455249-1-adolf.belka@ipfire.org>
Precedence: list
MIME-Version: 1.0

- Update from version 1.5.2 to 1.5.3
- Update of rootfile
- 8 CVE fixes, one of which is related to a rust module plus 2 rust security fixes
  that do not have an assigned CVE
- Changelog
    1.5.3
      CVE-2026-20217: Fixed a bug in the PESpin unpacker cleanup path that could free pointers into the scanned file buffer and crash the scanner. This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2005. The fix is included in 1.5.3 and 1.4.5.
      CVE-2026-20213: Fixed an integer overflow in PE rebuild size calculations that could be reached through a malformed Aspack-packed PE file and lead to a heap buffer overflow write. This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2007. The fix is included in 1.5.3 and 1.4.5.
      CVE-2026-20216: Fixed an InstallShield archive extraction limit bypass that could write far more temporary data than intended and exhaust temporary storage. This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2009. The fix is included in 1.5.3 and 1.4.5.
      CVE-2026-20214: Fixed an FSG unpacker loop underflow that could write past the section array while scanning a malformed PE file. This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions as far back as 2004. The fix is included in 1.5.3 and 1.4.5.
      CVE-2026-20243: Fixed ALZ parser size handling bugs that could cause malformed ALZ archives to panic, abort the scanner, or skip expected scan-limit handling. This issue affects ClamAV 1.5.0 through 1.5.2 and 1.4.0 through 1.4.4. The fix is included in 1.5.3 and 1.4.5.
      CVE-2026-20215: Fixed a 7z parser substream count overflow that could under-allocate parser metadata arrays and write past them while reading a malformed archive. This issue affects ClamAV 1.5.2, 1.4.4, and all prior versions back to 2009. The fix is included in 1.5.3 and 1.4.5.
      CVE-2026-20244: Fixed 32-bit DMG parser size checks that could let a short mish stripe table pass validation and crash 32-bit scanner builds. This issue affects 32-bit ClamAV builds from 0.98.1 through 1.5.2, including 1.4.0 through 1.4.4 and 1.5.0 through 1.5.2. It does not affect 64-bit builds. The fix is included in 1.5.3 and 1.4.5.
      Hardened clamscan, clamdscan, and clamonacc quarantine actions against time-of-check/time-of-use races that could redirect copied, moved, or removed files under unsafe quarantine directory configurations.
      Upgraded the Rust tar dependency to resolve the RUSTSEC-2026-0067 and RUSTSEC-2026-0068 advisories, and upgraded the Rust openssl dependency to resolve CVE-2026-41676.
      Raised the minimum required CMake version to 3.17 to fix Linux builds with libcurl v8.21.0 when linking static library dependencies.
      Metadata preclass scans now run before the final scan verdict.
      ClamOnAcc: Fixed errors when recursively excluded paths are children of an included path.
      ClamOnAcc: Fixed hash bucket list corruption when two watched paths collide in the same bucket.

Signed-off-by: Adolf Belka
---
 config/rootfiles/packages/clamav | 9 ++++++---
 lfs/clamav | 6 +++---
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/config/rootfiles/packages/clamav b/config/rootfiles/packages/clamav index 0fe438477..f17380c98 100644 --- a/config/rootfiles/packages/clamav +++ b/config/rootfiles/packages/clamav 
@@ -149,6 +149,7 @@ usr/sbin/clamd #usr/share/doc/ClamAV/html/manual/Signatures/YaraRules.html #usr/share/doc/ClamAV/html/manual/Usage #usr/share/doc/ClamAV/html/manual/Usage.html +#usr/share/doc/ClamAV/html/manual/Usage/ClamdProtocol.html #usr/share/doc/ClamAV/html/manual/Usage/Configuration.html #usr/share/doc/ClamAV/html/manual/Usage/ReportABug.html #usr/share/doc/ClamAV/html/manual/Usage/Scanning.html @@ -156,14 +157,16 @@ usr/sbin/clamd #usr/share/doc/ClamAV/html/manual/Usage/SignatureManagement.html #usr/share/doc/ClamAV/html/manual/cisco-talos.gpg #usr/share/doc/ClamAV/html/mark-09e88c2c.min.js +#usr/share/doc/ClamAV/html/mermaid-eefea253.min.js +#usr/share/doc/ClamAV/html/mermaid-init-ccf746f1.js #usr/share/doc/ClamAV/html/mode-rust-2c9d5c9a.js #usr/share/doc/ClamAV/html/print.html -#usr/share/doc/ClamAV/html/searcher-c2a407aa.js -#usr/share/doc/ClamAV/html/searchindex-1b5ba28b.js +#usr/share/doc/ClamAV/html/searcher-09f2665d.js +#usr/share/doc/ClamAV/html/searchindex-d348bbbb.js #usr/share/doc/ClamAV/html/sitemap.xml #usr/share/doc/ClamAV/html/theme-dawn-4493f9c8.js #usr/share/doc/ClamAV/html/theme-tomorrow_night-9dbe62a9.js -#usr/share/doc/ClamAV/html/toc-cbaddea7.js +#usr/share/doc/ClamAV/html/toc-0c194aa2.js #usr/share/doc/ClamAV/html/toc.html #usr/share/doc/ClamAV/html/tomorrow-night-4c0ae647.css #var/ipfire/clamav diff --git a/lfs/clamav b/lfs/clamav index 888803c10..5320f6986 100644 --- a/lfs/clamav +++ b/lfs/clamav @@ -26,7 +26,7 @@ include Config SUMMARY = Antivirus Toolkit -VER = 1.5.2 +VER = 1.5.3 THISAPP = clamav-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = clamav -PAK_VER = 83 +PAK_VER = 84 DEPS = 
@@ -50,7 +50,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = e63131ac19160a68c6acd9413263fd5793a6acf67adfe30873f6c56bca3a29286bf4f872e439b9c4b75ab772d20e9b05a0e0b3ac19399ac81033c52d7c2b6d42 +$(DL_FILE)_BLAKE2 = 1b2d42bc8c4fed29b71e10be9823da17f861a11e6a818654ae51b2b1fbd16619494572f9aa5e8712433bd65443c33f3e250baa99bb1fea031aa47c6bf6b81c21 install : $(TARGET)
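
Review bot: The commit message's "Update of rootfile" should say that the rootfile change is documentation-only: in the @@ -149 and @@ -156 hunks of config/rootfiles/packages/clamav every added or replaced line is a '#'-prefixed path under usr/share/doc/ClamAV/html (ClamdProtocol.html, the two mermaid-*.js files, and the renamed searcher-, searchindex- and toc- assets), so no shipped binary, library or configuration path changes. Stating that in the message lets a reader confirm at a glance that a release carrying several memory-safety fixes did not also alter the installed file set.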
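
Review bot: The replaced $(DL_FILE)_BLAKE2 value in the @@ -50 hunk of lfs/clamav is the only integrity pin visible for the 1.5.3 tarball, and with DL_FROM = $(URL_IPFIRE) the build fetches it from the IPFire mirror, yet the commit message does not say how the tarball was obtained or checked before the digest was computed. Suggest adding a line to the commit message recording that clamav-1.5.3.tar.gz was verified against the upstream release signature first, so the pinned digest traces back to upstream and not only to the mirrored copy.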