This bug affects our ability to distribute complex signatures (e.g. logical signatures) with incremental updates.

So far we haven’t released any signatures which exceed this limit.
Before we do we want as many users as possible to upgrade to the latest version of ClamAV.

Starting from 15 April 2010 our CVD will contain a special signature which disables all clamd installations older than 0.95 – that is to say older than 1 year.

This move is needed to push more people to upgrade to 0.95 .
We would like to keep on supporting all old versions of our engine, but unfortunately this is no longer possible without causing a disservice to people running a recent release of ClamAV.
The traffic generated by a full CVD download, as opposed to an incremental update, cannot be sustained by our mirrors.

We plan to start releasing signatures which exceed the 980 bytes limit on May 2010.

We recommend that you always run the latest version of ClamAV to get optimal protection, reliability and performance.

Thanks for your cooperation!

684,777, 828, 832, 954, 1046, 1085, 1092, 1098, 1135, 1137, 1145, 1150 , 1154, 1155, 1157, 1158, 1160, 1162, 1165, 1174, 1179, 1181, 1184, 1185, 1186, 1187, 1189, 1192, 1196, 1197, 1199, 1201, 1203, 1204, 1205, 1210 , 1211, 1212, 1213, 1216, 1217, 1219, 1221

For more details, please refer to Whats New in 0.94.1.

A heap overflow vulnerability was discovered in libclamav which could cause a denial of service or allow the execution of arbitrary code.

The problem is specifically located in the PE file rebuild function used by the UPX unpacker.

Relevant code from libclamav/upx.c:

  memcpy(dst, newbuf, foffset);
  *dsize = foffset;
  free(newbuf);
  cli_dbgmsg("UPX: PE structure rebuilt from compressed file\n");
  return 1;

Due to improper validation it is possible to overflow the above memcpy() beyond the allocated memory block.

The problem has been fixed in 0.88.4.

Freshclam is a command line utility responsible for downloading and installing virus signature updates. One of its features is a HTTP client performing file downloads from web servers. A security vulnerability in the protocol code was discovered independently by Ulf Harnhammar and an anonymous researcher from Germany.

The problem exists due to a lack of proper check for the size of header data received from a web server:

int get_database(const char *dbfile, int socketfd, const char *file, const char *hostname, const char *proxy, const char *user, const char *pass) {
        char cmd [512], buffer [FILEBUFF], * ch;
[...]
   / * read all the http headers * / 
    ch = buffer;
    i = 0;
    while (1) {
        / * recv one byte at a time, until we reach \r\n\r\n * /
        if(recv(socketfd, buffer + i, 1, 0) == -1) {
[...]

The code assumes the size of all headers returned by the web server is smaller than 8 KB. A specially prepared HTTP server could be used by an attacker to exploit freshclam clients connecting to the database mirror. The bug was classified as moderate risk. The ClamAV project uses a big number of database mirrors gathered into round robin records. In most cases the system looks up the GeoIP database to redirect users to the closest pool of mirrors. Remote exploitation (Denial of Service) can be achieved by changing one of the mirrors configurations to run a special web server returning wrong header data or by pointing freshclam to a bogus mirror i.e. by means of DNS poisoning. Remote execution of arbitrary code is not easy due to diversity of client platforms and architectures.