Online bounty hunters have discovered a serious security flaw in ClamAV, the widely used open-source anti-virus software for Unix and Linux.
The flaw was disclosed this week through the Zero Day Initiative (ZDI), which pays security researchers for tracking down vulnerabilities. It was the fourth bug to be disclosed under the programme, created by 3Com's TippingPoint division.
TippingPoint notified ClamAV's developers of the bug in mid-December and disclosure was co-ordinated with the release of a patch, available here.
The bug could allow attackers to execute malicious code on a server running ClamAV versions 0.80 to 0.87.1, TippingPoint said in an advisory. It is due to an exploitable memory corruption condition created by an error in the unpacking of executable files compressed with UPX (Ultimate Packer for eXecutables), an open-source compression program. Attackers don't need to be authenticated to exploit the bug.
Secunia, which maintains a database of vulnerabilities, said the flaw was "highly critical". GNU/Linux vendors hurried to update their own implementations of ClamAV, with updates arriving from Mandriva, Gentoo, Suse, Trustix and others.
ZDI is one of a handful of bounty programmes in the security industry. Others are run by iDefense and Microsoft. "By ensuring threat information remains confidential until a patch can be issued, we are helping strengthen security for all technology users and reducing the risk of zero day attacks," said David Endler, director of security research for TippingPoint, in a statement.
ClamAV isn't well known outside of Unix/Linux circles, but is one of the most widely used anti-virus programs on Unix-like operating systems. It is mainly used with mail exchange servers as an email virus scanner. The GPL-licensed program and virus definitions are both distributed free of charge.
The program is designed to work with most POP3, Samba and Web servers and Message Transfer Agents, and supports most compression formats. It's used as the back-end for ClamXav on the Mac OS X platform.