ClamAV

Recent Commits

• metsw24-max (10 Jun 26)

  fix out-of-bounds access in gpt_scan_partitions name loop (#1736) the name byte-swap loop iterates j over the 36-element array but subscripts gpe.name[i], the outer partition counter. name is the last field of struct gpt_partition_entry, so partition indices >= 36 (reachable with the default 50-partition cap) read and wrote past the end of the on-stack entry. subscript with j instead.

• Val S. (08 Jun 26)

  CLAM-3005: Retire stats submission code (#1732) Remove the legacy ClamAV stats submission implementation that sent telemetry to the discontinued clamintel service. Delete the built-in stats data model, host ID helpers, JSON report generation, HTTP submission helper, and matcher code that gathered PE section metadata only for telemetry reporting. Remove the associated libclamav stats callback API, engine fields and settings, dynamic-config STATS entries, and exported symbols. Bump the libclamav ABI version tuple from the 1.5.x 13:0:1 value to 14:0:0 so the generated soname changes for the incompatible exported-symbol and API removals. Keep the sigtool PE hash generation path working by preserving cli_genhash_pe() for --mdb and --imp without the retired stats-output parameter. Update the generated Rust bindings to match the changed C struct layout and add a NEWS entry for the removed API. The command-line and configuration options for stats submission were removed in earlier releases, so this change cleans up the remaining library-side implementation and ABI surface. CLAM-3005

• Val S. (05 Jun 26)

  Update SECURITY.md (#1687)

• Burak Emir (05 Jun 26)

  feat: Add support for scanning Zstandard (zstd) compressed files (#1700) ClamAV did not previously detect or decompress zstd-compressed files. This adds full support in Rust using the ruzstd crate. A few special cases: - Concatenated frames: the decoder is recreated per frame until the input is exhausted (ruzstd's StreamingDecoder decodes a single frame). - Skippable frames: handled via the SkipFrame header error. - Partial output is always scanned: on decode error, scan-limit hit, or even a decoder panic (caught so it cannot unwind across the FFI boundary), whatever was decompressed so far is still scanned, avoiding evasion gaps. - Scan limits are enforced between and within frames. - It is per zstd spec possible that a file starts with a skippable frame

• Val S. (21 May 26)

  Tests: Stabilize freshclam mock mirror startup (#1722) The freshclam tests started a mock HTTP mirror on a fixed port and immediately ran freshclam without waiting for the server to bind. On slower or busier runners, especially macOS, that left a race where the client could connect before the server was ready or collide with stale port state. Start the mock mirror on an ephemeral loopback port and report the bound address to the parent process through a readiness pipe. Prefer IPv4 loopback and fall back to IPv6 loopback, formatting IPv6 addresses for use in URLs. Tighten teardown so stale mock mirror processes are killed if they do not exit promptly.

• Val S. (21 May 26)

  Libclamav: harden XLM drawing group length checks (#1707) The XLM drawing group parser grew a size_t length with BIFF record sizes before reallocating and copying the new chunk. That pattern looked like an integer overflow candidate, but the reported heap overflow is not reachable in practice because every growth step is immediately bounded by cli_max_realloc() and the BIFF record length cap, so the accumulated length cannot approach SIZE_MAX before the allocation limit stops processing. Add explicit pre-addition overflow checks at the two drawing group growth sites anyway. This keeps the existing control flow while making the arithmetic safety guarantee explicit and easier to audit. Credit: rinto CLAM-2935

• Val S. (19 May 26)

  Win32: fix opendir entry bounds handling (#1706) opendir() copied up to PATH_MAX wide characters into DIR::entry and then wrote the terminator one element past the end of the buffer, leaving a fixed out-of-bounds write on success. We do not believe this to be a security issue. Copy at most entry_count - 1 characters, terminate the last valid element, keep the append length check aligned with that bound, and free DIR when uncpath() fails. CLAM-2487

• Val S. (08 May 26)

  Merge pull request #1697 from val-ms/CLAM-2946-egg-parser-issue Fix short writes in scanner temp output paths

• Valerie Snyder (30 Mar 26)

  Fix short writes in scanner temp output paths Fix an EGG comment temp-file bug where the write length used the number of comments instead of the length of the current comment. Also switch raw write paths in scanners.c to cli_writen() so short writes are handled correctly for RAR comments, kept EGG comments, extracted EGG temp files, normalized script output, and UTF-16 HTML temp output. CLAM-2946

• sharkautarch (04 May 26)

  ClamOnAcc: Fix hash bucket list corruption on collision (#1712) When onas_ht_insert() adds an element whose hash maps to an existing bucket, the bucket is already part of the activated-bucket list. The old code appended that same bucket to the list again, resetting bckt->next to NULL and making any following buckets unreachable from ht->head. OnAccessExcludePath walks the activated-bucket list when removing watched paths. If a collision corrupts that list, some active directories can be skipped and remain watched. Track whether onas_ht_insert() allocated a new bucket, and only link the bucket into ht->head/ht->tail when it is new. Colliding elements are still inserted into the existing bucket without changing the bucket list.

• Val S. (01 May 26)

  Merge pull request #1717 from val-ms/CLAM-2976-uninitialized-zstream Clam 2976 additional HFS+ parser improvements

• Valerie Snyder (28 Apr 26)

  Libclamav: harden HFS+ resource bounds checks Malformed HFS+ metadata could overflow arithmetic in several block and resource offset calculations before the code validated those values. That left some bounds checks bypassable and could redirect reads or seeks to the wrong offsets. Add inline overflow guards before offset math, validate cmpf resource headers against the extracted resource fork size, and reject extents or block tables whose computed ranges exceed the available data. CLAM-2976

• Valerie Snyder (27 Apr 26)

  HFS+: harden HFS+ cmpf resource parsing The initial HFS+ cmpf fix stopped calling inflateEnd() on an uninitialized stream, but the surrounding parser still had three brittle spots: initialized zlib streams could bypass cleanup on error paths, cmpf block tables were not bounded against the resource length, and tmpname cleanup could loop if unlink failed. Tighten block-table validation using the cmpf resource length, route cmpf block failures through per-block zlib cleanup, add defensive cleanup to the inline decompression path, and make tmpname unlink failures reportable without recursive cleanup. CLAM-2976

• Valerie Snyder (27 Apr 26)

  HFS+: avoid inflateEnd on uninitialized HFS+ cmpf streams A crafted HFS+ cmpf resource block can take the uncompressed path without initializing a zlib stream, but the block cleanup still calls inflateEnd(). On our repro attempts this produced a parser-local Z_STREAM_ERROR rather than a process crash. Initialize the z_stream defensively, track whether inflateInit2() succeeded, and only call inflateEnd() for initialized streams. Credit: Mizu CLAM-2976

• sharkautarch (30 Apr 26)

  clamonacc: fix OnAccessExcludePath issue fix clamonacc onas_ddd_watch_hierarchy returning errors for recursively excluded paths that are children of an included path (#1710)

• Val S. (27 Apr 26)

  HFS+: Validate compressed attribute record bounds (#1708) The HFS+ compressed-file attribute parser validated the attribute name length as a UTF-16 character count, but later used that same field as a byte offset by multiplying it by two. A crafted attribute record could therefore place the inline attribute record header near the end of the node and trigger an out-of-bounds read when ClamAV copied the record header or payload. Fix this by converting the attribute name length to a checked byte count before using it in offset calculations. Validate that the inline attribute record header fits in the node before reading it, and verify that the claimed attribute payload also fits before copying it. Credit: Sebastián Alba Vives CLAM-2969

• Val S. (27 Apr 26)

  Merge pull request #1715 from val-ms/update-generated-rust-bindings Update generated Rust bindings

• Val S. (15 Apr 26)

  Merge pull request #1686 from val-ms/CLAM-2957-generate-aes-key-optimization Performance improvement generating key to decrypt read-only office docs

• ipnerds (13 Apr 26)

  Update sigtool.c to fix incorrect filename reference (#1702) sigtool --testsigs takes two file references, while the file open code references the correct files, the error in the case of one file not being available was incorrect.

• Valerie Snyder (18 Mar 26)

  cmake: improve Rust sanitizer toolchain support Improve the Rust build configuration used by sanitizer and fuzzing workflows. This change adds three pieces of support: - require a nightly Rust toolchain whenever `-Zsanitizer` is present in `RUSTFLAGS`, since Rust sanitizer support is unstable - fail early when `-Zsanitizer=memory` is requested for an unsupported Rust target instead of surfacing a later Cargo ABI mismatch - rebuild the Rust standard library with `-Zbuild-std` for MemorySanitizer so `core` and the rest of `std` use the same sanitizer ABI as the project crates

• Valerie Snyder (07 Mar 26)

  Performance improvement generating key to decrypt read-only office docs The function `generate_key_aes()` required for creating a key for decrypting velvetsweatshop encrypted files is really slow. The main problem seems to be creating new openssl contexts in a loop rather than reusing an existing context. Specifically, cl_sha1() is expensive per call. Each cl_sha1() goes through cl_hash_data() (crypto.c (line 790)), which allocates/initializes OpenSSL digest state every call (and on OpenSSL 3 also creates/fetches provider context). Doing that 50k+ times is very costly. CLAM-2957

• Val S. (07 Mar 26)

  Bump the copyright year from 2025 to 2026 (#1667)

• Val S. (05 Mar 26)

  Merge pull request #1683 from val-ms/CLAM-2924-win-crash-leave-temps-tempdir Clam 2924 win crash leave temps tempdir

• Val S. (04 Mar 26)

  Fix possible panic when scanning some HTML files (#1682) It is possible that invalid UTF-8 characters may trigger a Rust panic (crash) when parsing CSS style blocks to extract images. The issue is using `split_at()` instead of `split_at_checked()`. I also found a few places where I could use string trim methods rather than doing that logic manually. Thank you to Krishnap7p for reporting this issue. CLAM-2819 CLAM-2828

• Valerie Snyder (04 Mar 26)

  Fix based on code review

• Val S. (13 Nov 25)

  Windows: Fix issue creating new temp subdirectory On Windows, when scanning some files with `--leave-temps` enabled and with `--tempdir` set to something like `C:\temp`, it may fail to create a new subdirectory to store the temp files because the absolute file path is too long for the `mkdir()` function. The `mkdir()` function may fail on Windows if the filepath is longer than the legacy MAX_PATH. Fixing this in C or C++ is rather difficult, requiring either a registry key + application manifest change, or else converting the path to UTF16 and UNC format (i.e. `"\\?\C:\temp"`) to pass to `CreateDirectoryW()`. The solution in this commit is to use the Rust `std` library instead. It is able to handle the longer file paths without issue. CLAM-2924

• Val S. (07 Jan 26)

  Fix error handling when a scan fails to push a new embedded layer to the scan context If pushing a new layer to the recursion stack in the scan context fails, we need to restore the original recursion level, and undo any changes to the convenience `ctx->this_level_...` convenience pointers. This fixes a crash observed when scanning certain files on Windows with `--leave-temps` enabled and also `--tempdir` set to "C:\temp". CLAM-2924

• Val S. (02 Mar 26)

  Merge pull request #1668 from val-ms/CLAM-2942-CLAM-2941-CLAM-2930-cvd-verification-bugs Clam 2942 clam 2941 clam 2930 cvd verification bugs

• Val S. (02 Mar 26)

  Fix pointer alignment issue in OLE2 XLM macro extraction (#1677) Fix issue reading from a pointer which can cause a crash on systems that have strict pointer alignment requirements. Thank you to Hsuan-Ming Chen at Synology PSIRT for identify this issue and proposing this fix.

• Valerie Snyder (05 Feb 26)

  Freshclam: Fix issue with CVDCertsDirectory when load-testing databases Freshclam's feature to load-test a newly downloaded database is not using the CVDCertsDirectory option to determine the certs directory. The environment variable works, however. In addition to the environment variable, you can work around the issue by disabling load testing. To fix this issue, we need to extend the libfreshclam API adding a `fc_test_database_ex()` function that takes the certs directory as a parameter. Resolves: https://github.com/Cisco-Talos/clamav/issues/1630 CLAM-2930