freshclam in (1) Clam Antivirus (ClamAV) 0.88 and (2) ClamXav 1.0.3h and earlier does not drop privileges before processing the config-file command line option, which allows local users to read portions of arbitrary files when an error message displays the first line of the target file. This issue should also affect the clamav package in FE4.
Not a bug;

1. 'freshclam' is not shipped with SUID, nor is a 'sudo' setup enabled in the FE package.

2. The whole issue is bogus:

a) When an administrator enables a 'sudo' setup he has to make sure that only trustworthy cmdline params are possible. A '--config' option is definitively not such a trustworthy cmdline option; e.g. a user could configure

    DatabaseOwner root
    UpdateLogFile /etc/nologin

there.

b) The username which shall be used for the effective operations of 'freshclam' will be read from the configuration file. I do not see how 'freshclam' can setuid(2) to somebody before it reads the configuration file which tells the uid.