FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

clamav -- Multiple vulnerabilities

Affected packages
clamav < 1.2.2,1
clamav-lts < 1.0.5,1


VuXML ID 68ae70c5-c5e5-11ee-9768-08002784c58d
Discovery 2024-02-07
Entry 2024-02-07

The ClamAV project reports:

A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources.
Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment variable, instead of '%f'. But you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command.


CVE Name CVE-2024-20290
CVE Name CVE-2024-20328