ClamAV 0.90.3 fixes security vulnerabilities
The ClamAV developers have released version 0.9.3 of the open source anti-virus software application. The new version fixes multiple security vulnerabilities which could have been exploited by attackers for remote code execution or to carry out denial of service attacks.
The Freshclam update program could execute arbitrary code which found its way into the processing routine via crafted DNS responses - the application can use such DNS responses to transfer and check version information. When scanning certain archive types (zip, gz, bzip2 and szdd), ClamAV sometimes saved the files in the /tmp folder with read privileges for all users, allowing local users to access confidential information from other users. The routine for processing OLE data streams in documents could be misused to carry out a denial of service attack.
ClamAV also had problems processing crafted archive files such as .rar. Thierry Zoller from n.runs reported to the developers that ClamAV fails to check such files, thereby potentially allowing malware to pass undetected. This and a DoS vulnerability when processing RAR archives have been fixed.
The source code for version 0.90.3 can be downloaded from the ClamAV website. The Linux distributors should be releasing updated packets shortly. To avoid endangering system security, ClamAV users should install the update as soon as possible.