1 files changed, 153 insertions, 0 deletions
diff --git a/recipes-scanners/clamav/files/CVE-2024-20328.patch b/recipes-scanners/clamav/files/CVE-2024-20328.patch
new file mode 100644
index 0000000..2f422cf
--- /dev/null
+++ b/recipes-scanners/clamav/files/CVE-2024-20328.patch
@@ -0,0 +1,153 @@
+From fe7638287bb11419474ea314652404e7e9b314b2 Mon Sep 17 00:00:00 2001
+From: Micah Snyder <micasnyd@cisco.com>
+Date: Wed, 10 Jan 2024 12:09:15 -0500
+Subject: [PATCH] ClamD: Disable VirusEvent '%f' feature, use environment var
+ instead
+The '%f' filename format character has been disabled and will no longer
+be replaced with the file name, due to command injection security concerns.
+Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
+For the same reason, you should NOT use the environment variables in the
+command directly, but should use it carefully from your executed script.
+Upstream-Status: Backport [https://github.com/Cisco-Talos/clamav/commit/fe7638287bb11419474ea314652404e7e9b314b2]
+CVE: CVE-2024-20328
+Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
+---
+ clamd/clamd_others.c                  |  8 +++++---
+ common/optparser.c                    |  2 +-
+ docs/man/clamd.conf.5.in              | 14 ++++++++++----
+ etc/clamd.conf.sample                 | 18 ++++++++++++------
+ win32/conf_examples/clamd.conf.sample | 18 ++++++++++++------
+ 5 files changed, 40 insertions(+), 20 deletions(-)
+diff --git a/clamd/clamd_others.c b/clamd/clamd_others.c
+index 23f3b022c7..32d0701a0d 100644
+--- a/clamd/clamd_others.c
+++ b/clamd/clamd_others.c
+@@ -101,6 +101,8 @@ void virusaction(const char *filename, const char *virname,
+ #define VE_FILENAME "CLAM_VIRUSEVENT_FILENAME"
+ #define VE_VIRUSNAME "CLAM_VIRUSEVENT_VIRUSNAME"
+ 
+#define FILENAME_DISABLED_MESSAGE "The filename format character has been disabled due to security concerns, use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead."
+
+ void virusaction(const char *filename, const char *virname,
+                  const struct optstruct *opts)
+ {
+@@ -145,7 +147,7 @@ void virusaction(const char *filename, const char *virname,
+     }
+     len = strlen(opt->strarg);
+     buffer_cmd =
+-        (char *)calloc(len + v * strlen(virname) + f * strlen(filename) + 1, sizeof(char));
+        (char *)calloc(len + v * strlen(virname) + f * strlen(FILENAME_DISABLED_MESSAGE) + 1, sizeof(char));
+     if (!buffer_cmd) {
+         if (path)
+             xfree(env[0]);
+@@ -160,8 +162,8 @@ void virusaction(const char *filename, const char *virname,
+             j += strlen(virname);
+             i++;
+         } else if (i + 1 < len && opt->strarg[i] == '%' && opt->strarg[i + 1] == 'f') {
+-            strcat(buffer_cmd, filename);
+-            j += strlen(filename);
+            strcat(buffer_cmd, FILENAME_DISABLED_MESSAGE);
+            j += strlen(FILENAME_DISABLED_MESSAGE);
+             i++;
+         } else {
+             buffer_cmd[j++] = opt->strarg[i];
+diff --git a/common/optparser.c b/common/optparser.c
+index a7bdbee064..1be7afe867 100644
+--- a/common/optparser.c
+++ b/common/optparser.c
+@@ -333,7 +333,7 @@ const struct clam_option __clam_options[] = {
+ 
+     {"DisableCache", "disable-cache", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD | OPT_CLAMSCAN, "This option allows you to disable clamd's caching feature.", "no"},
+ 
+-    {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when a virus is found. In the command string %v will be\nreplaced with the virus name and %f will be replaced with the file name.\nAdditionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME\nand $CLAM_VIRUSEVENT_VIRUSNAME.", "/usr/bin/mailx -s \"ClamAV VIRUS ALERT: %v\" alert < /dev/null"},
+    {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when virus is found.\nUse the following environment variables to identify the file and virus names:\n- $CLAM_VIRUSEVENT_FILENAME\n- $CLAM_VIRUSEVENT_VIRUSNAME\nIn the command string, '%v' will also be replaced with the virus name.\nNote: The '%f' filename format character has been disabled and will no longer\nbe replaced with the file name, due to command injection security concerns.\nUse the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.\nFor the same reason, you should NOT use the environment variables in the\ncommand directly, but should use it carefully from your executed script.", "/opt/send_virus_alert_sms.sh"},
+ 
+     {"ExitOnOOM", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Stop the daemon when libclamav reports an out of memory condition.", "yes"},
+ 
+diff --git a/docs/man/clamd.conf.5.in b/docs/man/clamd.conf.5.in
+index 2d9748a39e..a9926533b9 100644
+--- a/docs/man/clamd.conf.5.in
+++ b/docs/man/clamd.conf.5.in
+@@ -240,10 +240,16 @@ Enable non-blocking (multi-threaded/concurrent) database reloads. This feature w
+ Default: yes
+ .TP
+ \fBVirusEvent COMMAND\fR
+-Execute a command when a virus is found. In the command string %v will be
+-replaced with the virus name and %f will be replaced with the file name.
+-Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
+-and $CLAM_VIRUSEVENT_VIRUSNAME.
+Execute a command when virus is found.
+Use the following environment variables to identify the file and virus names:
+- $CLAM_VIRUSEVENT_FILENAME
+- $CLAM_VIRUSEVENT_VIRUSNAME
+In the command string, '%v' will also be replaced with the virus name.
+Note: The '%f' filename format character has been disabled and will no longer
+be replaced with the file name, due to command injection security concerns.
+Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
+For the same reason, you should NOT use the environment variables in the
+command directly, but should use it carefully from your executed script.
+ \fR
+ .br
+ Default: disabled
+diff --git a/etc/clamd.conf.sample b/etc/clamd.conf.sample
+index 37fb03bf20..54738128da 100644
+--- a/etc/clamd.conf.sample
+++ b/etc/clamd.conf.sample
+@@ -209,12 +209,18 @@ Example
+ # Default: yes
+ #ConcurrentDatabaseReload no
+ 
+-# Execute a command when virus is found. In the command string %v will
+-# be replaced with the virus name and %f will be replaced with the file name.
+-# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
+-# and $CLAM_VIRUSEVENT_VIRUSNAME.
+-# Default: no
+-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
+# Execute a command when virus is found.
+# Use the following environment variables to identify the file and virus names:
+# - $CLAM_VIRUSEVENT_FILENAME
+# - $CLAM_VIRUSEVENT_VIRUSNAME
+# In the command string, '%v' will also be replaced with the virus name.
+# Note: The '%f' filename format character has been disabled and will no longer
+# be replaced with the file name, due to command injection security concerns.
+# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
+# For the same reason, you should NOT use the environment variables in the
+# command directly, but should use it carefully from your executed script.
+# Default: no
+#VirusEvent /opt/send_virus_alert_sms.sh
+ 
+ # Run as another user (clamd must be started by root for this option to work)
+ # Default: don't drop privileges
+diff --git a/win32/conf_examples/clamd.conf.sample b/win32/conf_examples/clamd.conf.sample
+index 5a8a9cfeae..a4813f99cb 100644
+--- a/win32/conf_examples/clamd.conf.sample
+++ b/win32/conf_examples/clamd.conf.sample
+@@ -182,12 +182,18 @@ TCPAddr localhost
+ # Default: yes
+ #ConcurrentDatabaseReload no
+ 
+-# Execute a command when virus is found. In the command string %v will
+-# be replaced with the virus name and %f will be replaced with the file name.
+-# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
+-# and $CLAM_VIRUSEVENT_VIRUSNAME.
+-# Default: no
+-#VirusEvent "C:\example\SendEmail.ps1" email@addresscom "VIRUS ALERT: %v in %f"
+# Execute a command when virus is found.
+# Use the following environment variables to identify the file and virus names:
+# - $CLAM_VIRUSEVENT_FILENAME
+# - $CLAM_VIRUSEVENT_VIRUSNAME
+# In the command string, '%v' will also be replaced with the virus name.
+# Note: The '%f' filename format character has been disabled and will no longer
+# be replaced with the file name, due to command injection security concerns.
+# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
+# For the same reason, you should NOT use the environment variables in the
+# command directly, but should use it carefully from your executed script.
+# Default: no
+#VirusEvent "C:\example\SendVirusAlertEmail.ps1"
+ 
+ # Run as another user (clamd must be started by root for this option to work)
+ # Default: don't drop privileges

diff --git a/recipes-scanners/clamav/files/CVE-2024-20328.patch b/recipes-scanners/clamav/files/CVE-2024-20328.patch new file mode 100644 index 0000000..2f422cf --- /dev/null +++ b/recipes-scanners/clamav/files/CVE-2024-20328.patch
@@ -0,0 +1,153 @@
	1	From fe7638287bb11419474ea314652404e7e9b314b2 Mon Sep 17 00:00:00 2001
	2	From: Micah Snyder <micasnyd@cisco.com>
	3	Date: Wed, 10 Jan 2024 12:09:15 -0500
	4	Subject: [PATCH] ClamD: Disable VirusEvent '%f' feature, use environment var
	5	instead
	6
	7	The '%f' filename format character has been disabled and will no longer
	8	be replaced with the file name, due to command injection security concerns.
	9	Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
	10
	11	For the same reason, you should NOT use the environment variables in the
	12	command directly, but should use it carefully from your executed script.
	13
	14	Upstream-Status: Backport [https://github.com/Cisco-Talos/clamav/commit/fe7638287bb11419474ea314652404e7e9b314b2]
	15	CVE: CVE-2024-20328
	16	Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
	17	---
	18	clamd/clamd_others.c \| 8 +++++---
	19	common/optparser.c \| 2 +-
	20	docs/man/clamd.conf.5.in \| 14 ++++++++++----
	21	etc/clamd.conf.sample \| 18 ++++++++++++------
	22	win32/conf_examples/clamd.conf.sample \| 18 ++++++++++++------
	23	5 files changed, 40 insertions(+), 20 deletions(-)
	24
	25	diff --git a/clamd/clamd_others.c b/clamd/clamd_others.c
	26	index 23f3b022c7..32d0701a0d 100644
	27	--- a/clamd/clamd_others.c
	28	+++ b/clamd/clamd_others.c
	29	@@ -101,6 +101,8 @@ void virusaction(const char filename, const char virname,
	30	#define VE_FILENAME "CLAM_VIRUSEVENT_FILENAME"
	31	#define VE_VIRUSNAME "CLAM_VIRUSEVENT_VIRUSNAME"
	32
	33	+#define FILENAME_DISABLED_MESSAGE "The filename format character has been disabled due to security concerns, use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead."
	34	+
	35	void virusaction(const char filename, const char virname,
	36	const struct optstruct *opts)
	37	{
	38	@@ -145,7 +147,7 @@ void virusaction(const char filename, const char virname,
	39	}
	40	len = strlen(opt->strarg);
	41	buffer_cmd =
	42	- (char )calloc(len + v strlen(virname) + f * strlen(filename) + 1, sizeof(char));
	43	+ (char )calloc(len + v strlen(virname) + f * strlen(FILENAME_DISABLED_MESSAGE) + 1, sizeof(char));
	44	if (!buffer_cmd) {
	45	if (path)
	46	xfree(env[0]);
	47	@@ -160,8 +162,8 @@ void virusaction(const char filename, const char virname,
	48	j += strlen(virname);
	49	i++;
	50	} else if (i + 1 < len && opt->strarg[i] == '%' && opt->strarg[i + 1] == 'f') {
	51	- strcat(buffer_cmd, filename);
	52	- j += strlen(filename);
	53	+ strcat(buffer_cmd, FILENAME_DISABLED_MESSAGE);
	54	+ j += strlen(FILENAME_DISABLED_MESSAGE);
	55	i++;
	56	} else {
	57	buffer_cmd[j++] = opt->strarg[i];
	58	diff --git a/common/optparser.c b/common/optparser.c
	59	index a7bdbee064..1be7afe867 100644
	60	--- a/common/optparser.c
	61	+++ b/common/optparser.c
	62	@@ -333,7 +333,7 @@ const struct clam_option __clam_options[] = {
	63
	64	{"DisableCache", "disable-cache", 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD \| OPT_CLAMSCAN, "This option allows you to disable clamd's caching feature.", "no"},
	65
	66	- {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when a virus is found. In the command string %v will be\nreplaced with the virus name and %f will be replaced with the file name.\nAdditionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME\nand $CLAM_VIRUSEVENT_VIRUSNAME.", "/usr/bin/mailx -s \"ClamAV VIRUS ALERT: %v\" alert < /dev/null"},
	67	+ {"VirusEvent", NULL, 0, CLOPT_TYPE_STRING, NULL, -1, NULL, 0, OPT_CLAMD, "Execute a command when virus is found.\nUse the following environment variables to identify the file and virus names:\n- $CLAM_VIRUSEVENT_FILENAME\n- $CLAM_VIRUSEVENT_VIRUSNAME\nIn the command string, '%v' will also be replaced with the virus name.\nNote: The '%f' filename format character has been disabled and will no longer\nbe replaced with the file name, due to command injection security concerns.\nUse the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.\nFor the same reason, you should NOT use the environment variables in the\ncommand directly, but should use it carefully from your executed script.", "/opt/send_virus_alert_sms.sh"},
	68
	69	{"ExitOnOOM", NULL, 0, CLOPT_TYPE_BOOL, MATCH_BOOL, 0, NULL, 0, OPT_CLAMD, "Stop the daemon when libclamav reports an out of memory condition.", "yes"},
	70
	71	diff --git a/docs/man/clamd.conf.5.in b/docs/man/clamd.conf.5.in
	72	index 2d9748a39e..a9926533b9 100644
	73	--- a/docs/man/clamd.conf.5.in
	74	+++ b/docs/man/clamd.conf.5.in
	75	@@ -240,10 +240,16 @@ Enable non-blocking (multi-threaded/concurrent) database reloads. This feature w
	76	Default: yes
	77	.TP
	78	\fBVirusEvent COMMAND\fR
	79	-Execute a command when a virus is found. In the command string %v will be
	80	-replaced with the virus name and %f will be replaced with the file name.
	81	-Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
	82	-and $CLAM_VIRUSEVENT_VIRUSNAME.
	83	+Execute a command when virus is found.
	84	+Use the following environment variables to identify the file and virus names:
	85	+- $CLAM_VIRUSEVENT_FILENAME
	86	+- $CLAM_VIRUSEVENT_VIRUSNAME
	87	+In the command string, '%v' will also be replaced with the virus name.
	88	+Note: The '%f' filename format character has been disabled and will no longer
	89	+be replaced with the file name, due to command injection security concerns.
	90	+Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
	91	+For the same reason, you should NOT use the environment variables in the
	92	+command directly, but should use it carefully from your executed script.
	93	\fR
	94	.br
	95	Default: disabled
	96	diff --git a/etc/clamd.conf.sample b/etc/clamd.conf.sample
	97	index 37fb03bf20..54738128da 100644
	98	--- a/etc/clamd.conf.sample
	99	+++ b/etc/clamd.conf.sample
	100	@@ -209,12 +209,18 @@ Example
	101	# Default: yes
	102	#ConcurrentDatabaseReload no
	103
	104	-# Execute a command when virus is found. In the command string %v will
	105	-# be replaced with the virus name and %f will be replaced with the file name.
	106	-# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
	107	-# and $CLAM_VIRUSEVENT_VIRUSNAME.
	108	-# Default: no
	109	-#VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
	110	+# Execute a command when virus is found.
	111	+# Use the following environment variables to identify the file and virus names:
	112	+# - $CLAM_VIRUSEVENT_FILENAME
	113	+# - $CLAM_VIRUSEVENT_VIRUSNAME
	114	+# In the command string, '%v' will also be replaced with the virus name.
	115	+# Note: The '%f' filename format character has been disabled and will no longer
	116	+# be replaced with the file name, due to command injection security concerns.
	117	+# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
	118	+# For the same reason, you should NOT use the environment variables in the
	119	+# command directly, but should use it carefully from your executed script.
	120	+# Default: no
	121	+#VirusEvent /opt/send_virus_alert_sms.sh
	122
	123	# Run as another user (clamd must be started by root for this option to work)
	124	# Default: don't drop privileges
	125	diff --git a/win32/conf_examples/clamd.conf.sample b/win32/conf_examples/clamd.conf.sample
	126	index 5a8a9cfeae..a4813f99cb 100644
	127	--- a/win32/conf_examples/clamd.conf.sample
	128	+++ b/win32/conf_examples/clamd.conf.sample
	129	@@ -182,12 +182,18 @@ TCPAddr localhost
	130	# Default: yes
	131	#ConcurrentDatabaseReload no
	132
	133	-# Execute a command when virus is found. In the command string %v will
	134	-# be replaced with the virus name and %f will be replaced with the file name.
	135	-# Additionally, two environment variables will be defined: $CLAM_VIRUSEVENT_FILENAME
	136	-# and $CLAM_VIRUSEVENT_VIRUSNAME.
	137	-# Default: no
	138	-#VirusEvent "C:\example\SendEmail.ps1" email@addresscom "VIRUS ALERT: %v in %f"
	139	+# Execute a command when virus is found.
	140	+# Use the following environment variables to identify the file and virus names:
	141	+# - $CLAM_VIRUSEVENT_FILENAME
	142	+# - $CLAM_VIRUSEVENT_VIRUSNAME
	143	+# In the command string, '%v' will also be replaced with the virus name.
	144	+# Note: The '%f' filename format character has been disabled and will no longer
	145	+# be replaced with the file name, due to command injection security concerns.
	146	+# Use the 'CLAM_VIRUSEVENT_FILENAME' environment variable instead.
	147	+# For the same reason, you should NOT use the environment variables in the
	148	+# command directly, but should use it carefully from your executed script.
	149	+# Default: no
	150	+#VirusEvent "C:\example\SendVirusAlertEmail.ps1"
	151
	152	# Run as another user (clamd must be started by root for this option to work)
	153	# Default: don't drop privileges