bumped version to 0.56.2

decalage2
1 parent a1f5b281
Showing 9 changed files with 70 additions and 8 deletions
README.md
oletools/README.html
oletools/README.rst
oletools/common/clsid.py
oletools/mraptor.py
oletools/oleid.py
oletools/olevba.py
oletools/rtfobj.py
setup.py
@@ -26,6 +26,18 @@ Note: python-oletools is not related to OLETools published by BeCubed Software.
 News
 ----
+- **2021-05-07 v0.56.2**:
+    - olevba:
+        - updated plugin_biff to v0.0.22 to fix a bug (issues #647, #674)
+    - olevba, mraptor:
+        - added detection of Workbook_BeforeClose (issue #518)
+    - rtfobj:
+        - fixed bug when OLE package class name ends with null characters (issue #507, PR #648)
+    - oleid:
+        - fixed bug in check_excel (issue #584, PR #585)
+    - clsid:
+        - added several CLSIDs related to MS Office click-to-run issue CVE-2021-27058
+        - added checks to ensure that all CLSIDs are uppercase (PR #678) 
 - **2021-04-02 v0.56.1**:
     - olevba:
         - fixed bug when parsing some malformed files (issue #629)
@@ -23,6 +23,30 @@
 <p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
 <h2 id="news">News</h2>
 <ul>
+<li><strong>2021-05-07 v0.56.2</strong>:
+<ul>
+<li>olevba:
+<ul>
+<li>updated plugin_biff to v0.0.22 to fix a bug (issues #647, #674)</li>
+</ul></li>
+<li>olevba, mraptor:
+<ul>
+<li>added detection of Workbook_BeforeClose (issue #518)</li>
+</ul></li>
+<li>rtfobj:
+<ul>
+<li>fixed bug when OLE package class name ends with null characters (issue #507, PR #648)</li>
+</ul></li>
+<li>oleid:
+<ul>
+<li>fixed bug in check_excel (issue #584, PR #585)</li>
+</ul></li>
+<li>clsid:
+<ul>
+<li>added several CLSIDs related to MS Office click-to-run issue CVE-2021-27058</li>
+<li>added checks to ensure that all CLSIDs are uppercase (PR #678)</li>
+</ul></li>
+</ul></li>
 <li><strong>2021-04-02 v0.56.1</strong>:
 <ul>
 <li>olevba:
@@ -106,7 +130,7 @@
 <li><a href="https://github.com/decalage2/oletools/wiki/olemap">olemap</a>: to display a map of all the sectors in an OLE file.</li>
 </ul>
 <h2 id="projects-using-oletools">Projects using oletools:</h2>
-<p>oletools are used by a number of projects and online malware analysis services, including <a href="https://github.com/IntegralDefense/ACE">ACE</a>, <a href="https://sandbox.anlyz.io/">Anlyz.io</a>, <a href="https://www.cse-cst.gc.ca/en/assemblyline">AssemblyLine</a>, <a href="https://github.com/ctxis/CAPE">CAPE</a>, <a href="https://cincan.io">CinCan</a>, <a href="https://github.com/cuckoosandbox/cuckoo">Cuckoo Sandbox</a>, <a href="https://github.com/cryps1s/DARKSURGEON">DARKSURGEON</a>, <a href="https://sandbox.deepviz.com/">Deepviz</a>, <a href="https://diario.elevenpaths.com/">DIARIO</a>, <a href="https://dridex.malwareconfig.com">dridex.malwareconfig.com</a>, <a href="https://github.com/ninoseki/eml_analyzer">EML Analyzer</a>, <a href="https://certsocietegenerale.github.io/fame/">FAME</a>, <a href="https://github.com/fireeye/flare-vm">FLARE-VM</a>, <a href="https://www.hybrid-analysis.com/">Hybrid-analysis.com</a>, <a href="https://github.com/certego/IntelOwl">IntelOwl</a>, <a href="https://www.document-analyzer.net/">Joe Sandbox</a>, <a href="https://github.com/lmco/laikaboss">Laika BOSS</a>, <a href="https://github.com/sbidy/MacroMilter">MacroMilter</a>, <a href="https://mailcow.email/">mailcow</a>, <a href="https://malshare.io">malshare.io</a>, <a href="https://github.com/Tigzy/malware-repo">malware-repo</a>, <a href="https://www.adlice.com/download/mrf/">Malware Repository Framework (MRF)</a>, <a href="https://bazaar.abuse.ch/">MalwareBazaar</a>, <a href="https://github.com/HeinleinSupport/olefy">olefy</a>, <a href="https://github.com/scVENUS/PeekabooAV">PeekabooAV</a>, <a href="https://github.com/bontchev/pcodedmp">pcodedmp</a>, <a href="https://github.com/CIRCL/PyCIRCLean">PyCIRCLean</a>, <a href="https://remnux.org/">REMnux</a>, <a href="https://github.com/countercept/snake">Snake</a>, <a href="https://app.sndbox.com">SNDBOX</a>, <a href="https://github.com/ldbo/SpuriousEmu">SpuriousEmu</a>, <a href="https://github.com/target/strelka">Strelka</a>, <a href="https://stoq.punchcyber.com/">stoQ</a>, <a href="https://github.com/TheHive-Project/Cortex-Analyzers">TheHive/Cortex</a>, <a href="https://tsurugi-linux.org/">TSUGURI Linux</a>, <a href="https://github.com/MalwareCantFly/Vba2Graph">Vba2Graph</a>, <a href="http://viper.li/">Viper</a>, <a href="https://github.com/decalage2/ViperMonkey">ViperMonkey</a>, <a href="https://yomi.yoroi.company">YOMI</a>, and probably <a href="https://www.virustotal.com">VirusTotal</a>. And quite a few <a href="https://github.com/search?q=oletools&amp;type=Repositories">other projects on GitHub</a>. (Please <a href="(http://decalage.info/contact)">contact me</a> if you have or know a project using oletools)</p>
+<p>oletools are used by a number of projects and online malware analysis services, including <a href="https://github.com/IntegralDefense/ACE">ACE</a>, <a href="https://sandbox.anlyz.io/">Anlyz.io</a>, <a href="https://www.cse-cst.gc.ca/en/assemblyline">AssemblyLine</a>, <a href="https://github.com/ctxis/CAPE">CAPE</a>, <a href="https://cincan.io">CinCan</a>, <a href="https://github.com/cuckoosandbox/cuckoo">Cuckoo Sandbox</a>, <a href="https://github.com/cryps1s/DARKSURGEON">DARKSURGEON</a>, <a href="https://sandbox.deepviz.com/">Deepviz</a>, <a href="https://diario.elevenpaths.com/">DIARIO</a>, <a href="https://dridex.malwareconfig.com">dridex.malwareconfig.com</a>, <a href="https://github.com/ninoseki/eml_analyzer">EML Analyzer</a>, <a href="https://certsocietegenerale.github.io/fame/">FAME</a>, <a href="https://github.com/fireeye/flare-vm">FLARE-VM</a>, <a href="https://www.hybrid-analysis.com/">Hybrid-analysis.com</a>, <a href="https://github.com/certego/IntelOwl">IntelOwl</a>, <a href="https://www.document-analyzer.net/">Joe Sandbox</a>, <a href="https://github.com/lmco/laikaboss">Laika BOSS</a>, <a href="https://github.com/sbidy/MacroMilter">MacroMilter</a>, <a href="https://mailcow.email/">mailcow</a>, <a href="https://malshare.io">malshare.io</a>, <a href="https://github.com/Tigzy/malware-repo">malware-repo</a>, <a href="https://www.adlice.com/download/mrf/">Malware Repository Framework (MRF)</a>, <a href="https://bazaar.abuse.ch/">MalwareBazaar</a>, <a href="https://github.com/HeinleinSupport/olefy">olefy</a>, <a href="https://github.com/scVENUS/PeekabooAV">PeekabooAV</a>, <a href="https://github.com/bontchev/pcodedmp">pcodedmp</a>, <a href="https://github.com/CIRCL/PyCIRCLean">PyCIRCLean</a>, <a href="https://remnux.org/">REMnux</a>, <a href="https://github.com/countercept/snake">Snake</a>, <a href="https://app.sndbox.com">SNDBOX</a>, <a href="https://splunkbase.splunk.com/app/5365/">Splunk add-on for MS O365 Email</a>, <a href="https://github.com/ldbo/SpuriousEmu">SpuriousEmu</a>, <a href="https://github.com/target/strelka">Strelka</a>, <a href="https://stoq.punchcyber.com/">stoQ</a>, <a href="https://github.com/TheHive-Project/Cortex-Analyzers">TheHive/Cortex</a>, <a href="https://tsurugi-linux.org/">TSUGURI Linux</a>, <a href="https://github.com/MalwareCantFly/Vba2Graph">Vba2Graph</a>, <a href="http://viper.li/">Viper</a>, <a href="https://github.com/decalage2/ViperMonkey">ViperMonkey</a>, <a href="https://yomi.yoroi.company">YOMI</a>, and probably <a href="https://www.virustotal.com">VirusTotal</a>. And quite a few <a href="https://github.com/search?q=oletools&amp;type=Repositories">other projects on GitHub</a>. (Please <a href="(http://decalage.info/contact)">contact me</a> if you have or know a project using oletools)</p>
 <h2 id="download-and-install">Download and Install:</h2>
 <p>The recommended way to download and install/update the <strong>latest stable release</strong> of oletools is to use <a href="https://pip.pypa.io/en/stable/installing/">pip</a>:</p>
 <ul>
@@ -29,6 +29,31 @@ Software.
 News
 ----
+-  **2021-05-07 v0.56.2**:
+
+   -  olevba:
+
+      -  updated plugin_biff to v0.0.22 to fix a bug (issues #647, #674)
+
+   -  olevba, mraptor:
+
+      -  added detection of Workbook_BeforeClose (issue #518)
+
+   -  rtfobj:
+
+      -  fixed bug when OLE package class name ends with null characters
+         (issue #507, PR #648)
+
+   -  oleid:
+
+      -  fixed bug in check_excel (issue #584, PR #585)
+
+   -  clsid:
+
+      -  added several CLSIDs related to MS Office click-to-run issue
+         CVE-2021-27058
+      -  added checks to ensure that all CLSIDs are uppercase (PR #678)
+
 -  **2021-04-02 v0.56.1**:
    -  olevba:
@@ -182,7 +207,8 @@ Repository Framework (MRF) &lt;https://www.adlice.com/download/mrf/&gt;`__,
 `PyCIRCLean <https://github.com/CIRCL/PyCIRCLean>`__,
 `REMnux <https://remnux.org/>`__,
 `Snake <https://github.com/countercept/snake>`__,
-`SNDBOX <https://app.sndbox.com>`__,
+`SNDBOX <https://app.sndbox.com>`__, `Splunk add-on for MS O365
+Email <https://splunkbase.splunk.com/app/5365/>`__,
 `SpuriousEmu <https://github.com/ldbo/SpuriousEmu>`__,
 `Strelka <https://github.com/target/strelka>`__,
 `stoQ <https://stoq.punchcyber.com/>`__,
@@ -43,7 +43,7 @@ http://www.decalage.info/python/oletools
 # 2018-04-18       PL: - added known-bad CLSIDs from Cuckoo sandbox (issue #290)
 # 2018-05-08       PL: - added more CLSIDs (issues #299, #304), merged and sorted
-__version__ = '0.56'
+__version__ = '0.56.2'
 # REFERENCES:
@@ -63,7 +63,7 @@ http://www.decalage.info/python/oletools
 # 2020-04-20 v0.56 PL: - added keywords RUN and CALL for XLM macros (issue #562)
 # 2021-04-14       PL: - added Workbook_BeforeClose (issue #518)
-__version__ = '0.56.2.dev1'
+__version__ = '0.56.2'
 #------------------------------------------------------------------------------
 # TODO:
@@ -60,7 +60,7 @@ from __future__ import print_function
 #                        improve encryption detection for ppt
 # 2021-05-07 v0.56.2 MN: - fixed bug in check_excel (issue #584, PR #585)
-__version__ = '0.56.2.dev3'
+__version__ = '0.56.2'
 #------------------------------------------------------------------------------
@@ -235,7 +235,7 @@ from __future__ import print_function
 #                        for issue #619)
 # 2021-04-14       PL: - added detection of Workbook_BeforeClose (issue #518)
-__version__ = '0.56.2.dev2'
+__version__ = '0.56.2'
 #------------------------------------------------------------------------------
 # TODO:
@@ -95,7 +95,7 @@ http://www.decalage.info/python/oletools
 # 2021-05-06 v0.56.2 DD: - fixed bug when OLE package class name ends with null
 #                          characters (issue #507, PR #648)
-__version__ = '0.56.2.dev3'
+__version__ = '0.56.2'
 # ------------------------------------------------------------------------------
 # TODO:
@@ -52,7 +52,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 name         = "oletools"
-version      = '0.56.2.dev3'
+version      = '0.56.2'
 desc         = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc    = open('oletools/README.rst').read()
 author       = "Philippe Lagadec"