FreeBSD: VID-68ae70c5-c5e5-11ee-9768-08002784c58d (CVE-2024-20290): clamav -- Multiple vulnerabilities

The ClamAV project reports: CVE-2024-20290 A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an incorrect check for end-of-string values during scanning, which may result in a heap buffer over-read. An attacker could exploit this vulnerability by submitting a crafted file containing OLE2 content to be scanned by ClamAV on an affected device. A successful exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software and consuming available system resources. CVE-2024-20328 Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment variable, instead of '%f'. But you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command.