2 files changed, 154 insertions, 0 deletions
diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb
index 18e8329..9e6693f 100644
--- a/recipes-scanners/clamav/clamav_0.104.0.bb
+++ b/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -21,6 +21,7 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.104;protocol=http
    file://headers_fixup.patch \
    file://oe_cmake_fixup.patch \
    file://fix_systemd_socket.patch \
+    file://CVE-2024-20328.patch \
 "
 S = "${WORKDIR}/git"
diff --git a/recipes-scanners/clamav/files/CVE-2024-20328.patch b/recipes-scanners/clamav/files/CVE-2024-20328.patch
new file mode 100644
index 0000000..2f422cf
--- /dev/null
+++ b/recipes-scanners/clamav/files/CVE-2024-20328.patch
@@ -0,0 +1,153 @@
+From fe7638287bb11419474ea314652404e7e9b314b2 Mon Sep 17 00:00:00 2001
+From: Micah Snyder <micasnyd@cisco.com>
+Date: Wed, 10 Jan 2024 12:09:15 -0500
+Subject: [PATCH] ClamD: Disable VirusEvent '%f' feature, use environment var
+ instead
+The '%f' filename format character has been disabled and will no longer
+be replaced with the file name, due to command injection security concerns.
+Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
+For the same reason, you should NOT use the environment variables in the
+command directly, but should use it carefully from your executed script.
+Upstream-Status: Backport [https://github.com/Cisco-Talos/clamav/commit/fe7638287bb11419474ea314652404e7e9b314b2]
+CVE: CVE-2024-20328
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ clamd/clamd_others.c                  |  8 +++++---
+ common/optparser.c                    |  2 +-
+ docs/man/clamd.conf.5.in              | 14 ++++++++++----
+ etc/clamd.conf.sample                 | 18 ++++++++++++------
+ win32/conf_examples/clamd.conf.sample | 18 ++++++++++++------
+ 5 files changed, 40 insertions(+), 20 deletions(-)
+diff --git a/clamd/clamd_others.c b/clamd/clamd_others.c
+index 23f3b022c7..32d0701a0d 100644
+--- a/clamd/clamd_others.c
+++ b/clamd/clamd_others.c
+@@ -101,6 +101,8 @@ void virusaction(const char *filename, const char *virname,
+ #define VE_FILENAME "CLAM_VIRUSEVENT_FILENAME"
+ #define VE_VIRUSNAME "CLAM_VIRUSEVENT_VIRUSNAME"
+ 
+#define FILENAME_DISABLED_MESSAGE "The filename format character has been disabled due to security concerns, use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead."
+
+ void virusaction(const char *filename, const char *virname,
+                  const struct optstruct *opts)
+ {
+@@ -145,7 +147,7 @@ void virusaction(const char *filename, const char *virname,
+     }
+     len = strlen(opt->strarg);
+     buffer_cmd =
+-        (char *)calloc(len + v * strlen(virname) + f * strlen(filename) + 1, sizeof(char));
+        (char *)calloc(len + v * strlen(virname) + f * strlen(FILENAME_DISABLED_MESSAGE) + 1, sizeof(char));
+     if (!buffer_cmd) {
+         if (path)
+             xfree(env[0]);
+@@ -160,8 +162,8 @@ void virusaction(const char *filename, const char *virname,
+             j += strlen(virname);
+             i++;
+         } else if (i + 1 < len && opt->strarg[i] == '%' && opt->strarg[i + 1] == 'f') {
+-            strcat(buffer_cmd, filename);
+-            j += strlen(filename);
+            strcat(buffer_cmd, FILENAME_DISABLED_MESSAGE);
+            j += strlen(FILENAME_DISABLED_MESSAGE);
+             i++;
+         } else {
+             buffer_cmd[j++] = opt->strarg[i];
+diff --git a/common/optparser.c b/common/optparser.c
+index a7bdbee064..1be7afe867 100644
+--- a/common/optparser.c
+++ b/common/optparser.c
+@@ -333,7 +333,7 @@ const struct clam_option __clam_options[] = {
+ 
+     {"DisableCache", "disable-cache", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option allows you to disable clamd's caching feature.", "no"},
+ 
+-    {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when a virus is found. In the command string %v will be\nreplaced with the virus name and %f will be replaced with the file name.\nAdditionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME\nand $CLAM_VIRUSEVENT_VIRUSNAME.", "/usr/bin/mailx -s \"ClamAV VIRUS ALERT: %v\" alert < /dev/null"},
+    {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when virus is found.\nUse the following environment variables to identify the file and virus names:\n- $CLAM_VIRUSEVENT_FILENAME\n- $CLAM_VIRUSEVENT_VIRUSNAME\nIn the command string, '%v' will also be replaced with the virus name.\nNote: The '%f' filename format character has been disabled and will no longer\nbe replaced with the file name, due to command injection security concerns.\nUse the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.\nFor the same reason, you should NOT use the environment variables in the\ncommand directly, but should use it carefully from your executed script.", "/opt/send_virus_alert_sms.sh"},
+ 
+     {"ExitOnOOM", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Stop the daemon when libclamav reports an out of memory condition.", "yes"},
+ 
+diff --git a/docs/man/clamd.conf.5.in b/docs/man/clamd.conf.5.in
+index 2d9748a39e..a9926533b9 100644
+--- a/docs/man/clamd.conf.5.in
+++ b/docs/man/clamd.conf.5.in
+@@ -240,10 +240,16 @@ Enable non-blocking (multi-threaded/concurrent) database reloads. This feature w
+ Default: yes
+ .TP
+ \fBVirusEvent COMMAND\fR
+-Execute a command when a virus is found. In the command string %v will be
+-replaced with the virus name and %f will be replaced with the file name.
+-Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
+-and $CLAM_VIRUSEVENT_VIRUSNAME.
+Execute a command when virus is found.
+Use the following environment variables to identify the file and virus names:
+- $CLAM_VIRUSEVENT_FILENAME
+- $CLAM_VIRUSEVENT_VIRUSNAME
+In the command string, '%v' will also be replaced with the virus name.
+Note: The '%f' filename format character has been disabled and will no longer
+be replaced with the file name, due to command injection security concerns.
+Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
+For the same reason, you should NOT use the environment variables in the
+command directly, but should use it carefully from your executed script.
+ \fR
+ .br
+ Default: disabled
+diff --git a/etc/clamd.conf.sample b/etc/clamd.conf.sample
+index 37fb03bf20..54738128da 100644
+--- a/etc/clamd.conf.sample
+++ b/etc/clamd.conf.sample
+@@ -209,12 +209,18 @@ Example
+ # Default: yes
+ #ConcurrentDatabaseReload no
+ 
+-# Execute a command when virus is found. In the command string %v will
+-# be replaced with the virus name and %f will be replaced with the file name.
+-# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
+-# and $CLAM_VIRUSEVENT_VIRUSNAME.
+-# Default: no
+-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
+# Execute a command when virus is found.
+# Use the following environment variables to identify the file and virus names:
+# - $CLAM_VIRUSEVENT_FILENAME
+# - $CLAM_VIRUSEVENT_VIRUSNAME
+# In the command string, '%v' will also be replaced with the virus name.
+# Note: The '%f' filename format character has been disabled and will no longer
+# be replaced with the file name, due to command injection security concerns.
+# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
+# For the same reason, you should NOT use the environment variables in the
+# command directly, but should use it carefully from your executed script.
+# Default: no
+#VirusEvent /opt/send_virus_alert_sms.sh
+ 
+ # Run as another user (clamd must be started by root for this option to work)
+ # Default: don't drop privileges
+diff --git a/win32/conf_examples/clamd.conf.sample b/win32/conf_examples/clamd.conf.sample
+index 5a8a9cfeae..a4813f99cb 100644
+--- a/win32/conf_examples/clamd.conf.sample
+++ b/win32/conf_examples/clamd.conf.sample
+@@ -182,12 +182,18 @@ TCPAddr localhost
+ # Default: yes
+ #ConcurrentDatabaseReload no
+ 
+-# Execute a command when virus is found. In the command string %v will
+-# be replaced with the virus name and %f will be replaced with the file name.
+-# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
+-# and $CLAM_VIRUSEVENT_VIRUSNAME.
+-# Default: no
+-#VirusEvent "C:\example\SendEmail.ps1" email@addresscom "VIRUS ALERT: %v in %f"
+# Execute a command when virus is found.
+# Use the following environment variables to identify the file and virus names:
+# - $CLAM_VIRUSEVENT_FILENAME
+# - $CLAM_VIRUSEVENT_VIRUSNAME
+# In the command string, '%v' will also be replaced with the virus name.
+# Note: The '%f' filename format character has been disabled and will no longer
+# be replaced with the file name, due to command injection security concerns.
+# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
+# For the same reason, you should NOT use the environment variables in the
+# command directly, but should use it carefully from your executed script.
+# Default: no
+#VirusEvent "C:\example\SendVirusAlertEmail.ps1"
+ 
+ # Run as another user (clamd must be started by root for this option to work)
+ # Default: don't drop privileges

diff --git a/recipes-scanners/clamav/clamav_0.104.0.bb b/recipes-scanners/clamav/clamav_0.104.0.bb index 18e8329..9e6693f 100644 --- a/recipes-scanners/clamav/clamav_0.104.0.bb +++ b/recipes-scanners/clamav/clamav_0.104.0.bb
@@ -21,6 +21,7 @@ SRC_URI = "git://github.com/vrtadmin/clamav-devel;branch=rel/0.104;protocol=http
21	file://headers_fixup.patch \	21	file://headers_fixup.patch \
22	file://oe_cmake_fixup.patch \	22	file://oe_cmake_fixup.patch \
23	file://fix_systemd_socket.patch \	23	file://fix_systemd_socket.patch \
		24	file://CVE-2024-20328.patch \
24	"	25	"
25	S = "${WORKDIR}/git"	26	S = "${WORKDIR}/git"
26		27


diff --git a/recipes-scanners/clamav/files/CVE-2024-20328.patch b/recipes-scanners/clamav/files/CVE-2024-20328.patch new file mode 100644 index 0000000..2f422cf --- /dev/null +++ b/recipes-scanners/clamav/files/CVE-2024-20328.patch
@@ -0,0 +1,153 @@
		1	From fe7638287bb11419474ea314652404e7e9b314b2 Mon Sep 17 00:00:00 2001
		2	From: Micah Snyder <micasnyd@cisco.com>
		3	Date: Wed, 10 Jan 2024 12:09:15 -0500
		4	Subject: [PATCH] ClamD: Disable VirusEvent '%f' feature, use environment var
		5	instead
		6
		7	The '%f' filename format character has been disabled and will no longer
		8	be replaced with the file name, due to command injection security concerns.
		9	Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
		10
		11	For the same reason, you should NOT use the environment variables in the
		12	command directly, but should use it carefully from your executed script.
		13
		14	Upstream-Status: Backport [https://github.com/Cisco-Talos/clamav/commit/fe7638287bb11419474ea314652404e7e9b314b2]
		15	CVE: CVE-2024-20328
		16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
		17	---
		18	clamd/clamd_others.c \| 8 +++++---
		19	common/optparser.c \| 2 +-
		20	docs/man/clamd.conf.5.in \| 14 ++++++++++----
		21	etc/clamd.conf.sample \| 18 ++++++++++++------
		22	win32/conf_examples/clamd.conf.sample \| 18 ++++++++++++------
		23	5 files changed, 40 insertions(+), 20 deletions(-)
		24
		25	diff --git a/clamd/clamd_others.c b/clamd/clamd_others.c
		26	index 23f3b022c7..32d0701a0d 100644
		27	--- a/clamd/clamd_others.c
		28	+++ b/clamd/clamd_others.c
		29	@@ -101,6 +101,8 @@ void virusaction(const char filename, const char virname,
		30	#define VE_FILENAME "CLAM_VIRUSEVENT_FILENAME"
		31	#define VE_VIRUSNAME "CLAM_VIRUSEVENT_VIRUSNAME"
		32
		33	+#define FILENAME_DISABLED_MESSAGE "The filename format character has been disabled due to security concerns, use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead."
		34	+
		35	void virusaction(const char filename, const char virname,
		36	const struct optstruct *opts)
		37	{
		38	@@ -145,7 +147,7 @@ void virusaction(const char filename, const char virname,
		39	}
		40	len = strlen(opt->strarg);
		41	buffer_cmd =
		42	- (char )calloc(len + v strlen(virname) + f * strlen(filename) + 1, sizeof(char));
		43	+ (char )calloc(len + v strlen(virname) + f * strlen(FILENAME_DISABLED_MESSAGE) + 1, sizeof(char));
		44	if (!buffer_cmd) {
		45	if (path)
		46	xfree(env[0]);
		47	@@ -160,8 +162,8 @@ void virusaction(const char filename, const char virname,
		48	j += strlen(virname);
		49	i++;
		50	} else if (i + 1 < len && opt->strarg[i] == '%' && opt->strarg[i + 1] == 'f') {
		51	- strcat(buffer_cmd, filename);
		52	- j += strlen(filename);
		53	+ strcat(buffer_cmd, FILENAME_DISABLED_MESSAGE);
		54	+ j += strlen(FILENAME_DISABLED_MESSAGE);
		55	i++;
		56	} else {
		57	buffer_cmd[j++] = opt->strarg[i];
		58	diff --git a/common/optparser.c b/common/optparser.c
		59	index a7bdbee064..1be7afe867 100644
		60	--- a/common/optparser.c
		61	+++ b/common/optparser.c
		62	@@ -333,7 +333,7 @@ const struct clam_option __clam_options[] = {
		63
		64	{"DisableCache", "disable-cache", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD \| OPT_CLAMSCAN, "This option allows you to disable clamd's caching feature.", "no"},
		65
		66	- {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when a virus is found. In the command string %v will be\nreplaced with the virus name and %f will be replaced with the file name.\nAdditionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME\nand $CLAM_VIRUSEVENT_VIRUSNAME.", "/usr/bin/mailx -s \"ClamAV VIRUS ALERT: %v\" alert < /dev/null"},
		67	+ {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when virus is found.\nUse the following environment variables to identify the file and virus names:\n- $CLAM_VIRUSEVENT_FILENAME\n- $CLAM_VIRUSEVENT_VIRUSNAME\nIn the command string, '%v' will also be replaced with the virus name.\nNote: The '%f' filename format character has been disabled and will no longer\nbe replaced with the file name, due to command injection security concerns.\nUse the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.\nFor the same reason, you should NOT use the environment variables in the\ncommand directly, but should use it carefully from your executed script.", "/opt/send_virus_alert_sms.sh"},
		68
		69	{"ExitOnOOM", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Stop the daemon when libclamav reports an out of memory condition.", "yes"},
		70
		71	diff --git a/docs/man/clamd.conf.5.in b/docs/man/clamd.conf.5.in
		72	index 2d9748a39e..a9926533b9 100644
		73	--- a/docs/man/clamd.conf.5.in
		74	+++ b/docs/man/clamd.conf.5.in
		75	@@ -240,10 +240,16 @@ Enable non-blocking (multi-threaded/concurrent) database reloads. This feature w
		76	Default: yes
		77	.TP
		78	\fBVirusEvent COMMAND\fR
		79	-Execute a command when a virus is found. In the command string %v will be
		80	-replaced with the virus name and %f will be replaced with the file name.
		81	-Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
		82	-and $CLAM_VIRUSEVENT_VIRUSNAME.
		83	+Execute a command when virus is found.
		84	+Use the following environment variables to identify the file and virus names:
		85	+- $CLAM_VIRUSEVENT_FILENAME
		86	+- $CLAM_VIRUSEVENT_VIRUSNAME
		87	+In the command string, '%v' will also be replaced with the virus name.
		88	+Note: The '%f' filename format character has been disabled and will no longer
		89	+be replaced with the file name, due to command injection security concerns.
		90	+Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
		91	+For the same reason, you should NOT use the environment variables in the
		92	+command directly, but should use it carefully from your executed script.
		93	\fR
		94	.br
		95	Default: disabled
		96	diff --git a/etc/clamd.conf.sample b/etc/clamd.conf.sample
		97	index 37fb03bf20..54738128da 100644
		98	--- a/etc/clamd.conf.sample
		99	+++ b/etc/clamd.conf.sample
		100	@@ -209,12 +209,18 @@ Example
		101	# Default: yes
		102	#ConcurrentDatabaseReload no
		103
		104	-# Execute a command when virus is found. In the command string %v will
		105	-# be replaced with the virus name and %f will be replaced with the file name.
		106	-# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
		107	-# and $CLAM_VIRUSEVENT_VIRUSNAME.
		108	-# Default: no
		109	-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
		110	+# Execute a command when virus is found.
		111	+# Use the following environment variables to identify the file and virus names:
		112	+# - $CLAM_VIRUSEVENT_FILENAME
		113	+# - $CLAM_VIRUSEVENT_VIRUSNAME
		114	+# In the command string, '%v' will also be replaced with the virus name.
		115	+# Note: The '%f' filename format character has been disabled and will no longer
		116	+# be replaced with the file name, due to command injection security concerns.
		117	+# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
		118	+# For the same reason, you should NOT use the environment variables in the
		119	+# command directly, but should use it carefully from your executed script.
		120	+# Default: no
		121	+#VirusEvent /opt/send_virus_alert_sms.sh
		122
		123	# Run as another user (clamd must be started by root for this option to work)
		124	# Default: don't drop privileges
		125	diff --git a/win32/conf_examples/clamd.conf.sample b/win32/conf_examples/clamd.conf.sample
		126	index 5a8a9cfeae..a4813f99cb 100644
		127	--- a/win32/conf_examples/clamd.conf.sample
		128	+++ b/win32/conf_examples/clamd.conf.sample
		129	@@ -182,12 +182,18 @@ TCPAddr localhost
		130	# Default: yes
		131	#ConcurrentDatabaseReload no
		132
		133	-# Execute a command when virus is found. In the command string %v will
		134	-# be replaced with the virus name and %f will be replaced with the file name.
		135	-# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
		136	-# and $CLAM_VIRUSEVENT_VIRUSNAME.
		137	-# Default: no
		138	-#VirusEvent "C:\example\SendEmail.ps1" email@addresscom "VIRUS ALERT: %v in %f"
		139	+# Execute a command when virus is found.
		140	+# Use the following environment variables to identify the file and virus names:
		141	+# - $CLAM_VIRUSEVENT_FILENAME
		142	+# - $CLAM_VIRUSEVENT_VIRUSNAME
		143	+# In the command string, '%v' will also be replaced with the virus name.
		144	+# Note: The '%f' filename format character has been disabled and will no longer
		145	+# be replaced with the file name, due to command injection security concerns.
		146	+# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
		147	+# For the same reason, you should NOT use the environment variables in the
		148	+# command directly, but should use it carefully from your executed script.
		149	+# Default: no
		150	+#VirusEvent "C:\example\SendVirusAlertEmail.ps1"
		151
		152	# Run as another user (clamd must be started by root for this option to work)
		153	# Default: don't drop privileges