The Zero Day Initiative reports:
This vulnerability allows remote attackers to execute
arbitrary code on vulnerable Clam AntiVirus
installations. Authentication is not required to exploit
this vulnerability.
This specific flaw exists within libclamav/upx.c during
the unpacking of executable files compressed with UPX. Due
to an invalid size calculation during a data copy from the
user-controlled file to heap-allocated memory, an
exploitable memory corruption condition is created.
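
The bug class the advisory names (a copy whose size is derived from file-controlled fields without a sound bounds check), as an added C example; it is not ClamAV's code and does not reproduce the actual flaw in libclamav/upx.c. The function names, header fields, `MAX_UNPACKED` and the sample bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_UNPACKED (64u * 1024u * 1024u) /* assumed cap on output size */

/* Constructed sample input: 16 bytes standing in for a packed file. */
const unsigned char SAMPLE_FILE[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};

/* Naive check: off + len is 32-bit arithmetic and wraps for large values. */
int range_ok_naive(uint32_t size, uint32_t off, uint32_t len)
{
    return off + len <= size;
}

/* Sound check: [off, off+len) lies inside `size` bytes; no addition to wrap. */
int range_ok(size_t size, size_t off, size_t len)
{
    return len > 0 && off <= size && len <= size - off;
}

/* Copy `len` bytes from file[src_off] into a new heap buffer at dst_off.
 * All four numeric fields are treated as read from untrusted headers.
 * Returns the buffer (caller frees) or NULL if the fields are inconsistent. */
unsigned char *unpack_section(const unsigned char *file, size_t file_size,
                              uint32_t src_off, uint32_t len,
                              uint32_t dst_off, uint32_t dst_size)
{
    unsigned char *dst;

    if (dst_size == 0 || dst_size > MAX_UNPACKED)
        return NULL;
    if (!range_ok(file_size, src_off, len) || !range_ok(dst_size, dst_off, len))
        return NULL;
    dst = calloc(1, dst_size);
    if (dst == NULL)
        return NULL;
    memcpy(dst + dst_off, file + src_off, len);
    return dst;
}

int main(void)
{
    unsigned char *out = unpack_section(SAMPLE_FILE, sizeof SAMPLE_FILE, 4, 8, 2, 16);
    printf("naive accepts wrapped range: %d\n", range_ok_naive(0x100, 0xFFFFFFF0u, 0x20));
    printf("sound accepts wrapped range: %d\n", range_ok(0x100, 0xFFFFFFF0u, 0x20));
    printf("valid section unpacked: %s\n", out ? "yes" : "no");
    free(out);
    return 0;
}
```

Both the source range and the destination range are checked before allocation, so a rejected file costs no heap memory and no partial copy is left behind.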