clamav -- Multiple vulnerabilities

The ClamAV project reports:

CVE-2024-20290

      A vulnerability in the OLE2 file format parser of ClamAV
      could allow an unauthenticated, remote attacker to cause
      a denial of service (DoS) condition on an affected
      device. This vulnerability is due to an incorrect check
      for end-of-string values during scanning, which may
      result in a heap buffer over-read. An attacker could
      exploit this vulnerability by submitting a crafted file
      containing OLE2 content to be scanned by ClamAV on an
      affected device. A successful exploit could allow the
      attacker to cause the ClamAV scanning process to
      terminate, resulting in a DoS condition on the affected
      software and consuming available system resources.

CVE-2024-20328

      Fixed a possible command injection vulnerability in the
      "VirusEvent" feature of ClamAV's ClamD
      service. To fix this issue, we disabled the '%f' format
      string parameter.	 ClamD administrators may continue to
      use the `CLAM_VIRUSEVENT_FILENAME` environment variable,
      instead of '%f'. But you should do so only from within
      an executable, such as a Python script, and not directly
      in the clamd.conf "VirusEvent" command.