Discovered by: Nikolaos Rangos
This vulnerability was a remote command injection in the recipient e-mail address of an e-mail message examined by the ClamAV open-source antivirus scanner. In a nod to 1993, ClamAV called sendmail with popen(), placing the recipient e-mail address right there in the command. With open-source antivirus products, Linus’ Law clearly does hold: “Given enough eyeballs, all bugs are shallow”, even the ones that we knew about fifteen years ago.
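The popen() pattern described above next to a shell-free replacement, as an added example (not ClamAV's source code or its actual fix). The function names, the MAILER path, the sendmail arguments and the address allowlist are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAILER "/usr/sbin/sendmail" /* assumed path, not from the page */

/* BEFORE (the pattern described above): popen() runs "/bin/sh -c cmd",
 * so the shell parses whatever the SMTP client sent as the recipient. */
FILE *notify_unsafe(const char *rcpt) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s %s", MAILER, rcpt);
    return popen(cmd, "w");
}

/* Allowlist (an assumption): alphanumerics plus a few address characters.
 * Rejects whitespace, shell metacharacters and a leading '-'. */
int rcpt_is_safe(const char *rcpt) {
    size_t n = strlen(rcpt);
    if (n == 0 || n > 254 || rcpt[0] == '-' || !strchr(rcpt, '@'))
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)rcpt[i];
        if (!isalnum(c) && !strchr("@._+-=", c))
            return 0;
    }
    return 1;
}

/* AFTER: no shell. The recipient is one argv element for execv(), after
 * "--" so it cannot be read as an option. msg_fd becomes the child's stdin.
 * Returns the mailer's exit status, or -1 on rejection or failure. */
int notify_safe(const char *mailer, const char *rcpt, int msg_fd) {
    if (!rcpt_is_safe(rcpt)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {(char *)mailer, "-i", "--", (char *)rcpt, NULL};
        dup2(msg_fd, STDIN_FILENO);
        execv(mailer, argv);
        _exit(127); /* exec failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st))
        return -1;
    return WEXITSTATUS(st);
}
```

The allowlist is deliberately stricter than what the mail RFCs permit in an address. Dropping the shell is the actual fix, and the validation is defence in depth on top of it.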