Change the version suffix from -devel-{TODAY} to -rc
Bump the SO version for libclamav and libfreshclam.
Increasing the current version to 12.0.0 and 3.0.0 respectively.
The reason is that we reintroduced using the version scripts:
- libclamav.map
- libfreshclam.map
- libclamunrar.map
- libclamunrar_iface.map
Note that libclamunrar and libclamunrar_iface use the SO version from
libclamav.
Note that libclammspack does not have a .map file and so is not getting
symbol versioning at this time nor are we bumping the SO version for
that library.
Add a new cl_engine_set_clcb_vba() function to set a cb_vba callback
function and add clcb_generic_data handler prototype to the clamav.h
public API.
The cb_vba callback function will be run whenever VBA is extracted from
office documents. The provided data will be a normalized copy of the
original VBA. This callback is added to support Sigtool so it can use
the same VBA extraction logic as when scanning documents.
Change the Sigtool temp directory creation for any commands that use
temp directories so that you can select a custom temp directory with the
`--tempdir=PATH` option, and can retain the temp files with the
`--leave-temps` option.
Added `--tempdir` and `--leave-temps` to the Sigtool `--help` output.
Added `--tempdir` and `--leave-temps` to the Sigtool manpage.
The MSI installer can find previous ClamAV installs to non-standard
locations such as D:\ClamAV instead of C:\Program Files\ClamAV but only
if upgrading to a new patch version of the same feature version.
E.g. can find and upgrade 1.0.0 to 1.0.1, but cannot automatically find
and upgrade 1.0.1 to 1.1.0.
This change will make it so all minor feature versions will store the
install path to the same key in the registry.
A consequence of this change is that you can no longer install multiple
feature versions of ClamAV using the MSI installer.
If you want multiple ClamAV minor versions installed on Windows you will
need to install using the ZIP package.
This change will not allow the MSI installer to automatically find and
upgrade across different major versions.
E.g. cannot find and upgrade 0.105.2 to 1.1.0 because the former is
major version 0, and the latter is major version 1.
This is intentional because it is more likely that there will be
breaking changes to config files and other user interfaces when we go to
ClamAV 2.0.0.
Use OpenSSL's big number/multiprecision integer arithmetic
functionality to replace tomfastmath.
This is a first shot at doing just this. A further improvement could be
to use more RSA-signature verification from OpenSSL in crtmgr_rsa_verify()
and less self parsing.
_padding_check_PKCS1_type_1() has been borrowed from OpenSSL to make
further replacements easier.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
* Add a new function cl_cvdgetage() to the libclamav API.
This function will retrieve the age of the youngest file in a
database directory, or the age of a single CVD (or CLD) file.
* Add new clamscan option --fail-if-cvd-older-than=days
When passed, causes clamscan to exit with a non-zero return code
if the virus database is older than the specified number of days.
* Add new clamd option --fail-if-cvd-older-than=days
When passed, causes clamd to exit on start-up with a non-zero
return code if the virus database is older than the specified
number of days.
Additionally, we introduce FailIfCvdOlderThan as a clamd.conf
synonym for --fail-if-cvd-older-than.
Fixes #820
RPATH overrides the normal library search path, possibly interfering
with local policy and causing problems for multi-lib, among other issues.
Add an option to avoid setting it, while leaving it enabled by default.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
libclamav.map: Add missing symbol and correct symbol version.
libclamunrar.map: Use symbol version-script for libclamunrar, too.
Thank you to Sebastian Andrzej Siewior for the help.
Also fix a unittest linker issue...
Adding libclamav.map causes libclamav to no longer export zlib
when zlib is statically linked.
What was weird is that libxml2 depends on zlib and the check_clamav
unit test program was using those symbols from libclamav.
Introducing libclamav.map broke that even though we were explicitly
trying to link check_clamav with ZLIB::ZLIB as well.
For reasons I can't explain, linking check_clamav with the
ClamAV::common library managed to properly link it with ZLIB::ZLIB
and so the undefined references go away.
Also in this commit, I've removed the `.map` files from .gitignore
I'm not sure why they were ignored before.
A user building clamav may now set the RUSTFLAGS CMake variable
if additional options such as `--verbose` are desired.
E.g.
cmake .. -D RUSTFLAGS="--verbose"
See `rustc --help` for more details.
XML entity expansion may be used to load an XML entity from a
(different) local file than the file being scanned if the scanning
process can read the referenced file path.
This may be used to leak information from the local file to the person
who initiated the scan.
The libxml2 option XML_PARSE_NOENT means that no entities should
be left in the document and not that no entities should be resolved.
This commit removes that option.
A few users of VirtualAddress and Size in cli_exe_info::pe_image_data_dir
don't use the endian wrapper while other places do. This leads to
testsuite failures on big endian machines.
Convert the content of struct pe_image_data_dir to native format so that
the EC32() conversion can be removed.
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
When using the content of the `clamav` tarball in a git repository to version a Debian or RedHat package, for example,
we should never alter the files from cargo, or this results in a corrupted signature and thus we cannot install the files.
As the repo provides its own `.gitattributes` we cannot easily overwrite it without manually updating `.git/info/attributes`.
Alternatively we could remove the `.gitattributes` file from the tarball when generating it.
The rust version required is dictated by `jpeg-decoder` requirements which cannot be compiled without version `1.61` or newer.
Rather than adding a new section in `News.md` for `0.105.3` just bump the entry for `0.105`.
This test scans a ZIP containing:
1. An executable signed with a trusted certificate
2. A file that will alert because of a signature match
The goal is to verify that the scan isn't terminated early and that
the entire archive isn't trusted simply because the inner executable is
trusted.
That is, that the "CL_VERIFIED" status does not propagate up out of the
magic_scan of a specific layer.
PDB, WDB, and CDB signatures can use a regex feature to match
domain names. At one time in the process we ran a filter search
to speed up filtering out non-matching static patterns but were
accidentally discarding the result. When tested, it turns out
it wasn't working correctly anyways.
Since then, we've fixed some bugs and upgraded the regex
implementation to the latest version. After re-testing, I have
found that the filter_search() appears to be working correctly
now, both in the unit tests and with the existing CDB signatures.
Patch provides more insight into error conditions which may arise
when adding a directory to the watch hierarchy. If a specific file
caused the issue, the filename is provided to help users with any
troubleshooting needed.
I found that the `url(data:` type does not matter to a browser.
In addition, whitespace may be placed in a few locations and the browser
will ignore it.
This commit accounts for this, and updates the test accordingly.
This commit adds a feature to find, decode, and scan each image found
within HTML <style> tags where the image data is embedded in `url()`
function parameters as a base64 blob.
In C, in the HTML normalization process, we extract style tag contents
to a new buffer for processing. We call into a new feature in Rust code to
find and decode each image (if there are multiple).
Once extracted, the images are scanned as contained files of unknown
type, and file type identification will determine the actual type.
The verdict is being recorded before the preclass bytecode hook meaning
that the final verdict may come back as "clean" in allmatch mode,
even if the preclass bytecode hook matches something.
This commit moves the verdict check to occur AFTER the preclass bytecode
hook executes.
While searching for the end of the character class ']', there was no
bounds checking to prevent reading past the end of the regular
expression.
This commit fixes the issue by adding length checking to regex_parsing.
Resolves: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47780
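The kind of length check the commit above describes, as an added example that is not ClamAV's code: `class_end` is a hypothetical helper that searches a length-delimited pattern for the `]` closing a character class and fails instead of reading past the end. The `^`, leading-`]` and backslash-escape handling are assumptions about the regex dialect, and the sample patterns are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (not ClamAV's code): given a pattern of `len` bytes and
 * the index of an opening '[', return the index of the closing ']' or -1 if
 * the class is unterminated. Every read is checked against `len`, so the
 * pattern does not need to be NUL-terminated. */
static long class_end(const char *re, size_t len, size_t start)
{
    size_t i;

    if (re == NULL || start >= len || re[start] != '[')
        return -1;

    i = start + 1;
    /* Assumed dialect: optional '^' negation, then a ']' in first position
     * is a literal member of the class rather than its terminator. */
    if (i < len && re[i] == '^')
        i++;
    if (i < len && re[i] == ']')
        i++;

    while (i < len) {
        if (re[i] == '\\') {
            /* An escape consumes two bytes; a trailing backslash must not
             * step the index past the end of the buffer. */
            if (len - i < 2)
                return -1;
            i += 2;
            continue;
        }
        if (re[i] == ']')
            return (long)i;
        i++;
    }
    return -1; /* ran out of pattern before finding ']' */
}

int main(void)
{
    /* Constructed sample patterns. */
    static const char closed[]       = "a[^]x\\]y]b";
    static const char unterminated[] = "ab[cd";
    static const char escaped[]      = "[ab\\";

    printf("%ld\n", class_end(closed, sizeof(closed) - 1, 1));
    printf("%ld\n", class_end(unterminated, sizeof(unterminated) - 1, 2));
    printf("%ld\n", class_end(escaped, sizeof(escaped) - 1, 0));
    return 0;
}
```

Passing the length explicitly also covers patterns that are slices of a larger buffer, where a `]` may exist in memory just beyond the slice.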
On distros with multiple python impls it can be useful to select
a specific version rather than whatever CMake thinks is appropriate.
This patch enables users to instruct CMake to look for a specific
version of python by passing `-DPYTHON_FIND_VER`.