Merge pull request #18 from cisco-sbg/CLAM-2696-ole2-decrypt-overread…

…-1.0 Fix bounds check in OLE2 decryption (1.0.8)
Cisco-Talos · Jan 17, 2025 · 9a2c642 · 9a2c642
2 parents 8b02662 + 1ea9993
commit 9a2c642
Show file tree

Hide file tree

Showing 7 changed files with 26 additions and 6 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -22,7 +22,7 @@ string(TIMESTAMP TODAY "%Y%m%d")
 set(VERSION_SUFFIX "")
 
 project( ClamAV
-         VERSION "1.0.7"
+         VERSION "1.0.8"
          DESCRIPTION "ClamAV open source email, web, and end-point anti-virus toolkit." )
 
 set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH})

diff --git a/Jenkinsfile b/Jenkinsfile
@@ -10,7 +10,7 @@ properties(
         parameters(
             [
                 string(name: 'VERSION',
-                       defaultValue: '1.0.7',
+                       defaultValue: '1.0.8',
                        description: 'ClamAV version string'),
                 string(name: 'FRAMEWORK_BRANCH',
                        defaultValue: '1.0',

diff --git a/NEWS.md b/NEWS.md
@@ -3,6 +3,25 @@
 Note: This file refers to the official packages. Things described here may
 differ slightly from third-party binary packages.
 
+## 1.0.8
+
+ClamAV 1.0.8 is a patch release with the following fixes:
+
+- [CVE-2025-20128](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20128):
+  Fixed a possible buffer overflow read bug in the OLE2 file parser that could
+  cause a denial-of-service (DoS) condition.
+
+  This issue was introduced in version 1.0.0 and affects all currently
+  supported versions. It will be fixed in:
+  - 1.4.2
+  - 1.0.8
+
+  Thank you to OSS-Fuzz for identifying this issue.
+
+- ClamOnAcc: Fixed an infinite loop when a watched directory does not exist.
+  This is a backport of a fix from ClamAV 1.3.0.
+  - [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1426)
+
 ## 1.0.7
 
 ClamAV 1.0.7 is a patch release with the following fixes:

diff --git a/libclamav/bytecode_api.h b/libclamav/bytecode_api.h
@@ -171,6 +171,7 @@ enum FunctionalityLevels {
     FUNC_LEVEL_1_0_5 = 165, /**< LibClamAV release 1.0.5 */
     FUNC_LEVEL_1_0_6 = 166, /**< LibClamAV release 1.0.6 */
     FUNC_LEVEL_1_0_7 = 167, /**< LibClamAV release 1.0.7 */
+    FUNC_LEVEL_1_0_8 = 168, /**< LibClamAV release 1.0.8 */
 };
 
 /**

diff --git a/libclamav/ole2_extract.c b/libclamav/ole2_extract.c
@@ -1835,7 +1835,7 @@ static cl_error_t handler_otf_encrypted(ole2_header_t *hdr, property_t *prop, co
             }
             bytesRead += blockSize;
 
-            for (; writeIdx <= (leftover + bytesToWrite) - 16; writeIdx += 16, decryptDstIdx += 16) {
+            for (; writeIdx + 16 <= leftover + bytesToWrite; writeIdx += 16, decryptDstIdx += 16) {
                 rijndaelDecrypt(rk, nrounds, &(buff[writeIdx]), &(decryptDst[decryptDstIdx]));
             }
 

diff --git a/libclamav/others.h b/libclamav/others.h
@@ -73,7 +73,7 @@
  * in re-enabling affected modules.
  */
 
-#define CL_FLEVEL 167
+#define CL_FLEVEL 168
 #define CL_FLEVEL_DCONF CL_FLEVEL
 #define CL_FLEVEL_SIGTOOL CL_FLEVEL
 

diff --git a/win32/res/common.rc b/win32/res/common.rc
@@ -6,8 +6,8 @@
 #define REPO_VERSION VERSION
 #endif
 
-#define RES_VER_Q 1,0,7,0
-#define RES_VER_S "ClamAV 1.0.7"
+#define RES_VER_Q 1,0,8,0
+#define RES_VER_S "ClamAV 1.0.8"
 
 VS_VERSION_INFO VERSIONINFO
     FILEVERSION RES_VER_Q