I lied when I said I would write in a day the details of the ClamAV bug published by idefense last week.
ClamAV was acquired by Sourcefire, which is the software company that is responsible for the Snort IDS.
ClamAV code needs a fair amount of refactoring to be maintainable. The current sources are quite disturbing. I’m not suprised there have been a number of bugs posted against in the past 6 months. Mind you, the ClamAV website doesn’t seem to keep on its list of security advisories, all the advisories that have been posted against it.
ClamAV is being developed by Sourcefire, and are obviously working hard to get their acquirement (the source code) up to standards.