From SecurityFocus.com:

Clam Anti-Virus ClamAV running on Mac OS X is affected by a command execution vulnerability.

Reportedly, when a suspected infected file is handled by the application and it cannot be removed, the application may attempt to copy it to another location using the Mac OS X 'ditto' utility. The 'ditto' utility is called in an insecure manner and the responsible function fails to sanitize the file name, allowing an attacker to include arbitrary commands in the file name that will be executed in the context of ClamAV.

This can allow an attacker to gain unauthorized access to an affected computer. It should be noted that the exploitation of the vulnerability is only possible when a malicious file is copied.

ClamAV versions 0.80rc4 to 0.84rc2 are affected by this issue.

--

It says Mac OS X, but it might affect Gentoo as well (the report says something about version 0.81 that doesn't exist in the tree, but also about 0.83 which does exist in the tree). Anyway, a newer version also exists in the tree (0.85), so probably the rest should be removed? Letting you decide.

Reproducible: Always
This is macosX-only

Changes:

Fri Apr 29 14:18:18 CEST 2005
-----------------------------
  V 0.84
  * Fixes backported from CVS:
    - shared/misc.c: improve isnumb() (thanks to NJH) and move it to misc.c (tk)
    - freshclam/manager.c: allow warning control via txt record (tk)
    - shared/misc.c: (Mac OS X only) execute ditto with execl to eliminate
      potential security problem with --move on OS X - server versions
      (reported by Tim Morgan <tim*sentinelchicken.org> and
      Kevin Amorin <kamorin*ccs.neu.edu>) (tk)
    - libclamav/chmunpack.c: Add extra sanity check (trog)
    - libclamav/upx.c: add sanity check to pefromupx() (patch by NJH) (tk)
    - libclamav/readdb.c: improve parsing of broken signatures (bug reported by
      Arnaud Jacques <arnaud*clamav.net>) (tk)
    - libclamav/scanners.c: improve error detection in zip code (tk)
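
The difference between the two call styles, as an added example that is not part of this thread and is not ClamAV's code: it assumes the pre-0.84 path handed a command string to a shell (the report says only that 'ditto' was called insecurely) and contrasts that with a direct exec as named in the 0.84 changelog. `build_shell_cmd`, `copy_noshell`, `COPY_TOOL` and the /tmp paths are hypothetical names chosen for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifdef __APPLE__
#define COPY_TOOL "ditto"
#else
#define COPY_TOOL "cp"   /* stand-in so the demo runs where ditto is absent */
#endif

/* BEFORE (assumed pattern): the name is pasted into a string meant for
 * system(), so /bin/sh would interpret ';', '`', '$(' and spaces in it.
 * The string is only built here, never executed. */
int build_shell_cmd(char *buf, size_t len, const char *src, const char *dst)
{
    int n = snprintf(buf, len, "%s %s %s", COPY_TOOL, src, dst);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* AFTER (the approach the 0.84 changelog names): exec the tool directly.
 * No shell runs, and each name is exactly one argv element. */
int copy_noshell(const char *src, const char *dst)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execlp(COPY_TOOL, COPY_TOOL, src, dst, (char *)NULL);
        _exit(127);                       /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    /* Constructed sample name containing a shell metacharacter. */
    const char *src = "/tmp/sample; echo INJECTED";
    char cmd[256];
    FILE *f = fopen(src, "w");
    if (!f || build_shell_cmd(cmd, sizeof cmd, src, "/tmp/quarantine.out") != 0)
        return 1;
    fputs("test\n", f);
    fclose(f);
    printf("shell would parse: %s\n", cmd);
    printf("exec copy result:  %d\n", copy_noshell(src, "/tmp/quarantine.out"));
    return 0;
}
```

A direct exec removes shell parsing only; a name beginning with '-' is still read as an option by the tool itself, so pass absolute paths.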