Commit graph

22 commits

Author SHA1 Message Date
Val S.
973c92438d
Update Rust dependencies; Fix image fuzzy hash values
Large range testing identified some files where image fuzzy hashing
produces different hashes with ClamAV 1.5 vs 1.4.

With my investigation, I found the issue is with changes in Rust library
dependencies, though it actually wasn't any change with the 'image' or
'jpeg-decoder' crates. After running a simple `cargo update` to update
all non-pinned versions.
I confirmed that this does not affect the minimum supported Rust version
(MSRV).

CLAM-2899
2025-10-14 14:04:26 -04:00
Valerie Snyder
e223ddb66a
Example program: demonstrate more features and support scripted inputs
Scripted inputs may be used for automated tests.

Added automated tests for the example program to verify correct behavior
using different callback return codes and also using the new scan layer and
fmap APIs.

Fixed a bug in ClamAV's evidence module (recording strong, PUA, and
weak indicators for each layer). Rust HashMaps are unordered so the
feature to get the last alert would return a random alert and not
specifically the last one. Switching to IndexMap resolves this, and
allows us to maintain insertion-order for iterating keys even when
removing a key.
2025-08-14 22:40:45 -04:00
Valerie Snyder
544fb9fef2
Codesign: fix test files & upgrade clamav-signature-util for related fix
The .sign test files have the min flevel set to 220.
It should be 230.

Also upgrade clamav-signature-util to v1.2.4 for fix so new .sign
files will have the correct min flevel.
2025-05-05 16:54:07 -04:00
Valerie Snyder
b32b85f6ac
Update Rust dependencies in Cargo.lock file to latest versions
Notably: resolve atty and openssl security warnings.
2025-05-01 13:58:48 -04:00
Val Snyder
6490dde572
Update Rust dependencies in Cargo.lock file to latest versions 2025-03-29 21:05:38 -04:00
Val Snyder
8d485b9bfd
FIPS-compliant CVD signing and verification
Add X509 certificate chain based signing with PKCS7-PEM external
signatures distributed alongside CVDs in a custom .cvd.sign format.
This new signing and verification mechanism is primarily in support
of FIPS compliance.

Fixes: https://github.com/Cisco-Talos/clamav/issues/564

Add a Rust implementation for parsing, verifying, and unpacking CVD
files.

Now installs a 'certs' directory in the app config directory
(e.g. <prefix>/etc/certs). The install location is configurable.
The CMake option to configure the CVD certs directory is:
  `-D CVD_CERTS_DIRECTORY=PATH`

New options to set an alternative CVD certs directory:
- Commandline for freshclam, clamd, clamscan, and sigtool is:
  `--cvdcertsdir PATH`
- Env variable for freshclam, clamd, clamscan, and sigtool is:
  `CVD_CERTS_DIR`
- Config option for freshclam and clamd is:
  `CVDCertsDirectory PATH`

Sigtool:
- Add sign/verify commands.
- Also verify CDIFF external digital signatures when applying CDIFFs.
- Place commonly used commands at the top of --help string.
- Fix up manpage.

Freshclam:
- Will try to download .sign files to verify CVDs and CDIFFs.
- Fix an issue where making a CLD would only include the CFG file for
daily and not if patching any other database.

libclamav.so:
- Bump version to 13:0:1 (aka 12.1.0).
- Also remove libclamav.map versioning.
  Resolves: https://github.com/Cisco-Talos/clamav/issues/1304
- Add two new APIs to the public clamav.h header:
  ```c
  extern cl_error_t cl_cvdverify_ex(const char *file,
                                    const char *certs_directory);

  extern cl_error_t cl_cvdunpack_ex(const char *file,
                                    const char *dir,
                                    bool dont_verify,
                                    const char *certs_directory);
  ```
  The original `cl_cvdverify` and `cl_cvdunpack` are deprecated.
- Add `cl_engine_field` enum option `CL_ENGINE_CVDCERTSDIR`.
  You may set this option with `cl_engine_set_str` and get it
  with `cl_engine_get_str`, to override the compiled in default
  CVD certs directory.

libfreshclam.so: Bump version to 4:0:0 (aka 4.0.0).

Add sigtool sign/verify tests and test certs.

Make it so downloadFile doesn't throw a warning if the server
doesn't have the .sign file.

Replace use of md5-based FP signatures in the unit tests with
sha256-based FP signatures because the md5 implementation used
by Python may be disabled in FIPS mode.
Fixes: https://github.com/Cisco-Talos/clamav/issues/1411

CMake: Add logic to enable the Rust openssl-sys / openssl-rs crates
to build against the same OpenSSL library as is used for the C build.
The Rust unit test application must also link directly with libcrypto
and libssl.

Fix some log messages with missing new lines.

Fix missing environment variable notes in --help messages and manpages.

Deconflict CONFDIR/DATADIR/CERTSDIR variable names that are defined in
clamav-config.h.in for libclamav from variables that had the same name
for use in clamav applications that use the optparser.

The 'clamav-test' certs for the unit tests will live for 10 years.
The 'clamav-beta.crt' public cert will only live for 120 days and will
be replaced before the stable release with a production 'clamav.crt'.
2025-03-26 19:33:25 -04:00
Benjamin A. Beasley
2ae13ae3c5
Update Cargo.lock for image-0.25 2025-01-12 16:46:44 -05:00
znley
8aa8524661
Bump rust libc from 0.2.154 to 0.2.155
rust libc 0.2.154 has been yanked.
https://crates.io/crates/libc/0.2.154
2024-07-25 12:53:41 -04:00
Micah Snyder
14320ec243 Rust: Update pinned dependency versions in Cargo.lock file 2024-05-06 14:26:32 -07:00
Micah Snyder
9aeaf8166e Rust: Update pinned dependency versions in Cargo.lock file 2024-05-06 14:26:32 -07:00
Andy Ragusa
79f2a5f2f6 Add parser for ALZ archives 2024-04-15 10:03:02 -07:00
Micah Snyder
3ae9c1e434 Add LHA/LZH archive support
File type magic signatures chosen based on the extensions supported
by Rust delharc crate.

See: https://docs.rs/delharc/latest/delharc/
2024-04-09 10:35:22 -04:00
dependabot[bot]
4eaa410fcf Bump shlex from 1.2.0 to 1.3.0
Bumps [shlex](https://github.com/comex/rust-shlex) from 1.2.0 to 1.3.0.
- [Changelog](https://github.com/comex/rust-shlex/blob/master/CHANGELOG.md)
- [Commits](https://github.com/comex/rust-shlex/commits)

---
updated-dependencies:
- dependency-name: shlex
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-01-22 18:16:04 -05:00
Micah Snyder
bbbf5438cf Rust: Update pinned dependency versions in Cargo.lock file 2023-12-14 15:40:38 -05:00
Micah Snyder
3b2f8c044a Support for extracting attachments from OneNote section files
Includes rudimentary support for getting slices from FMap's and for
interacting with libclamav's context structure.

For now will use a Cisco-Talos org fork of the onenote_parser
until the feature to read open a onenote section from a slice (instead
of from a filepath) is added to the upstream.
2023-12-11 15:18:41 -05:00
Micah Snyder
3f7671928d Cargo: Eliminate security warning about unused atty dependency
atty is unmaintained but is still used by clap.
Disabling the default features for cbindgen removes the clap
dependency and thus removes atty.

Resolves: https://github.com/Cisco-Talos/clamav/security/dependabot/2
2023-09-28 16:34:52 -07:00
Micah Snyder
93c769778f Update Rust dependencies in Cargo.lock file to latest versions 2023-07-18 09:54:38 -07:00
Micah Snyder
6cdce8e4a9 Build system: Bump bindgen to latest version
I'm unsure why, but building with cmake -D MAINTAINER_MODE=ON is failing
right now. Updating to a newer version of bindgen appears to resolve the
issue.

I was able to update it by changing the version specified in
libclamav_rust/Cargo.toml, and then running `cargo update -p bindgen`

Not that I expect anyone else to be running maintainer-mode, but I did
also confirm using `cargo-msrv` that the minimum supported version of
rust did not change as a result of this commit.
2023-05-04 10:42:21 -07:00
Micah Snyder
2a21451e1f Fix possible crash in HTML CSS image extraction
When processing UTF-8 HTML code, the image extraction logic may panic if
the string contains a multi-byte grapheme that includes a '(', ')',
whitespace, or one of the other characters used to split the text when
searching for the base64 image content.

The panic is because the `split_at()` method will panic if you try to
split in the middle of a unicode grapheme.

This commit fixes the issue by processing the HTML string one grapheme
at a time instead of one character (byte) at a time.
The `grapheme_indices()` method is used to get the correct position of
the start of each grapheme for splitting the string.
2023-04-28 13:16:05 -07:00
Micah Snyder
eac0c77267 Update Rust library dependencies
Update the Cargo.lock file to get latest dependencies ahead of 1.1.0
release.
2023-04-21 14:29:48 -07:00
dependabot[bot]
940c612dbe Bump spin from 0.9.7 to 0.9.8
Bumps [spin](https://github.com/mvdnes/spin-rs) from 0.9.7 to 0.9.8.
- [Release notes](https://github.com/mvdnes/spin-rs/releases)
- [Changelog](https://github.com/mvdnes/spin-rs/blob/master/CHANGELOG.md)
- [Commits](https://github.com/mvdnes/spin-rs/commits)

---
updated-dependencies:
- dependency-name: spin
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-04-04 10:39:29 -07:00
Micah Snyder
886e3ae07f Lock Rust library dependency versions for 1.1 release
Add Cargo.lock file so that we do not accidentally increase Rust
compiler version requirement via changes to library dependencies.
2023-03-30 12:03:57 -07:00
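
The failure mode described in commit 2a21451e1f (a `split_at()` panic on multi-byte UTF-8 input), as an added example that is not ClamAV's code. It uses the standard library's `char_indices()` instead of the `grapheme_indices()` method the commit names, so it builds without external crates; the function names, delimiter list and sample strings are assumptions constructed for illustration.

```rust
// Added illustration; names are hypothetical and this is not ClamAV's code.
use std::panic;

// Delimiters of the kind the commit message lists ('(', ')', whitespace).
const DELIMS: &[char] = &['(', ')', ' ', '\t', '\n'];

/// Buggy pattern: counts characters, then uses the count as a byte offset.
/// `str::split_at` panics when the offset is not on a UTF-8 char boundary.
fn split_by_char_count(s: &str) -> Option<(&str, &str)> {
    let pos = s.chars().position(|c| DELIMS.contains(&c))?;
    Some(s.split_at(pos))
}

/// Boundary-safe pattern: `char_indices()` yields the byte offset at which
/// each character starts, so the split point is always valid.
fn split_by_byte_offset(s: &str) -> Option<(&str, &str)> {
    let (pos, _) = s.char_indices().find(|(_, c)| DELIMS.contains(c))?;
    Some(s.split_at(pos))
}

/// Returns true when the buggy splitter panics on `s`.
fn buggy_split_panics(s: &str) -> bool {
    panic::catch_unwind(|| {
        let _ = split_by_char_count(s);
    })
    .is_err()
}

fn main() {
    // Constructed inputs: ASCII only, and one with a two-byte 'é' before '('.
    for input in ["url(data", "fond-\u{e9}(data"] {
        println!(
            "{:?}: buggy panics = {}, safe = {:?}",
            input,
            buggy_split_panics(input),
            split_by_byte_offset(input)
        );
    }
}
```

In a scanner that parses untrusted HTML, a panic of this kind ends the scan of that input, which is why the offset used for splitting must come from an iterator that reports byte positions.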