Closed dsotirho-ucsc closed 6 months ago
@dsotirho-ucsc An issue like this would generally be considered a security issue which we ask to be reported privately (see: https://github.com/Cisco-Talos/clamav/security/policy). If you come across something like this again, please follow those procedures for reporting.
But, I have good news. This one was fixed in 1.3.1.
I tested with both 1.3.0 and 1.3.1:
```
❯ ~/clams/1.3.0/bin/clamscan -d ~/clamav.hdb ~/Downloads/hg.mo/hg.mo
Loading: 0s, ETA: 0s [========================>] 1/1 sigs
Compiling: 0s, ETA: 0s [========================>] 10/10 tasks
fish: '~/clams/1.3.0/bin/clamscan -d ~…' terminated by signal SIGSEGV (Address boundary error)
❯ ~/clams/1.3.1/bin/clamscan -d ~/clamav.hdb ~/Downloads/hg.mo/hg.mo
Loading: 0s, ETA: 0s [========================>] 1/1 sigs
Compiling: 0s, ETA: 0s [========================>] 10/10 tasks
/mnt/c/Users/micasnyd/Downloads/hg.mo/hg.mo: OK
----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 1.3.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 3.91 MB
Data read: 1.14 MB (ratio 3.42:1)
Time: 0.056 sec (0 m 0 s)
Start Date: 2024:05:01 18:40:40
End Date: 2024:05:01 18:40:40
```
I popped open a debugger with the 1.3.0 version and found the crash occurs here:
Stack trace:
So it appears you found a test file for CVE-2024-20380, fixed in ClamAV 1.3.1.
Describe the bug
ClamAV scan crashes with a `Segmentation fault` scanning a particular file: `python3/dist-packages/mercurial/locale/ja/LC_MESSAGES/hg.mo`
This crash occurs with ClamAV v1.3.0-41 but not a previous version v1.2.1-27.
How to reproduce the problem
Successful scan with v1.2.1-27:
Failed scan with v1.3.0-41:
clamconf:
Attachments
Zip file containing `hg.mo`: hg.mo.zip