Security fix included in GNU file 4.20

Related Vulnerabilities: CVE-2007-1536  

Debian Bug report logs - #415362

Package: file; Maintainer for file is Christoph Biedl <debian.axhn@manchmal.in-ulm.de>; Source for file is src:file.

Reported by: "era eriksson" <era@iki.fi>

Date: Sun, 18 Mar 2007 19:51:02 UTC

Severity: grave

Tags: etch, patch, sarge, security

Merged with 416678

Found in versions 4.12-1, 4.17-5, file/4.19-1

Fixed in versions file/4.20-1, file/4.17-5etch4, file/4.12-1sarge1

Done: Daniel Baumann <daniel@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, era+debian@iki.fi, Michael Piefel <piefel@debian.org>:
Bug#415362; Package file.


Acknowledgement sent to "era eriksson" <era@iki.fi>:
New Bug report received and forwarded. Copy sent to era+debian@iki.fi, Michael Piefel <piefel@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: "era eriksson" <era@iki.fi>
To: submit@bugs.debian.org
Cc: "Christos Zoulas" <christos@astron.com>, security@debian.org
Subject: Security fix included in GNU file 4.20
Date: Sun, 18 Mar 2007 21:47:35 +0200
Package: file
Version: 4.19-1
Severity: grave
Tags: security
X-Debbugs-Cc: era+debian@iki.fi

According to the changelog included in the GNU file 4.20 tarball at
<ftp://ftp.gw.com/mirrors/pub/unix/file/>, this version includes a
security fix:

2007-02-08 17:30 Christos Zoulas <christos@zoulas.com>

        * fix integer underflow in file_printf which can lead to
          exploitable heap overflow (Jean-Sebastien Guay-Lero)

I have not seen this receive any publicity. A quick Google seems to
confirm this.

The release announcement with pertinent ChangeLog is also at
<http://mx.gw.com/pipermail/file/2007/000161.html> if you don't want to
grab the full tarball.

Sorry if I have assigned an inflated severity; I suppose it's better at
this point to exaggerate than to downplay. The instructions at
<http://www.debian.org/Bugs/Developer#severities> suggest "grave" for a
bug which "introduces a security hole allowing access to the accounts of
users who use the package". I'm not sure about "introduces" (it likely
existed before?) and without an isolated patch, it's hard to assess the
exact scope of the vulnerability, even for someone more skilled than
myself.

</piglet panics>

/* era */

-- 
If this were a real .signature, it would suck less.  Well, maybe not.




Reply sent to Michael Piefel <piefel@debian.org>:
You have taken responsibility.


Notification sent to "era eriksson" <era@iki.fi>:
Bug acknowledged by developer.


Message #10 received at 415362-close@bugs.debian.org:

From: Michael Piefel <piefel@debian.org>
To: 415362-close@bugs.debian.org
Subject: Bug#415362: fixed in file 4.20-1
Date: Mon, 19 Mar 2007 14:17:03 +0000
Source: file
Source-Version: 4.20-1

We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive:

file_4.20-1.diff.gz
  to pool/main/f/file/file_4.20-1.diff.gz
file_4.20-1.dsc
  to pool/main/f/file/file_4.20-1.dsc
file_4.20-1_i386.deb
  to pool/main/f/file/file_4.20-1_i386.deb
file_4.20.orig.tar.gz
  to pool/main/f/file/file_4.20.orig.tar.gz
libmagic-dev_4.20-1_i386.deb
  to pool/main/f/file/libmagic-dev_4.20-1_i386.deb
libmagic1_4.20-1_i386.deb
  to pool/main/f/file/libmagic1_4.20-1_i386.deb
python-magic_4.20-1_i386.deb
  to pool/main/f/file/python-magic_4.20-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 415362@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Piefel <piefel@debian.org> (supplier of updated file package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Mon, 19 Mar 2007 14:55:46 +0100
Source: file
Binary: libmagic1 file libmagic-dev python-magic
Architecture: source i386
Version: 4.20-1
Distribution: unstable
Urgency: high
Maintainer: Michael Piefel <piefel@debian.org>
Changed-By: Michael Piefel <piefel@debian.org>
Description: 
 file       - Determines file type using "magic" numbers
 libmagic-dev - File type determination library (development)
 libmagic1  - File type determination library using "magic" numbers
 python-magic - Python binding for the magic library
Closes: 308394 324889 339618 345834 366986 392009 393775 394514 394523 401839 402058 402062 409895 415362
Changes: 
 file (4.20-1) unstable; urgency=high
 .
   * New upstream version
     - Fixes supposed vulnerability in the file_fprintf in funcs.c
       (closes: #415362 and justifies urgency)
     - MPEG ADTS signedness fixed (closes: #392009)
     - Better TeX/LaTeX magic (closes: #402062)
     - Better XML mimetype magic (closes: #345834)
     - More linespacing in manpage (closes: #402058)
   * Revert URL in copyright file (see #406820), as the old one is supposed to
     be correct, even if it disappeared temporarily.
   * Fixed typo in manpage (closes: #394514)
   * Make Perl script entries consistent (closes: #394523)
   * Disable second MS Installer entry (closes: #409895)
   * Disable one-byte magic for COM (closes: #393775, #339618)
   * audio/midi mimetype (closes: #401839)
   * Enable gzip mimetype magic (closes: #324889)
   * Disabled some QuickTime entries (ASCII words, closes: #366986, #308394)




Forcibly Merged 415362 416678. Request was from Daniel Baumann <daniel@debian.org> to control@bugs.debian.org. (Thu, 29 Mar 2007 18:18:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Daniel Baumann <daniel@debian.org>:
Bug#415362; Package file.


Acknowledgement sent to daniel@debian.org:
Extra info received and forwarded to list. Copy sent to Daniel Baumann <daniel@debian.org>.


Message #17 received at 415362@bugs.debian.org:

From: Daniel Baumann <daniel@debian.org>
To: 415362@bugs.debian.org, 416678@bugs.debian.org, control@bugs.debian.org
Subject: Re: CVE-2007-1536: Integer underflow allows arbitrary code execution
Date: Fri, 30 Mar 2007 11:46:54 +0200
tags 416678 +pending
thanks

I've uploaded fixed packages for sarge and etch yesterday, DSA from
security team will follow.

-- 
Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/



Tags added: pending. Request was from Daniel Baumann <daniel@debian.org> to control@bugs.debian.org. (Fri, 30 Mar 2007 09:54:05 GMT)


Reply sent to Daniel Baumann <daniel@debian.org>:
You have taken responsibility.


Notification sent to "era eriksson" <era@iki.fi>:
Bug acknowledged by developer.


Message #24 received at 415362-close@bugs.debian.org:

From: Daniel Baumann <daniel@debian.org>
To: 415362-close@bugs.debian.org
Subject: Bug#415362: fixed in file 4.17-5etch4
Date: Mon, 02 Apr 2007 12:02:05 +0000
Source: file
Source-Version: 4.17-5etch4

We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive:

file_4.17-5etch4.diff.gz
  to pool/main/f/file/file_4.17-5etch4.diff.gz
file_4.17-5etch4.dsc
  to pool/main/f/file/file_4.17-5etch4.dsc
file_4.17-5etch4_i386.deb
  to pool/main/f/file/file_4.17-5etch4_i386.deb
libmagic-dev_4.17-5etch4_i386.deb
  to pool/main/f/file/libmagic-dev_4.17-5etch4_i386.deb
libmagic1_4.17-5etch4_i386.deb
  to pool/main/f/file/libmagic1_4.17-5etch4_i386.deb
python-magic_4.17-5etch4_i386.deb
  to pool/main/f/file/python-magic_4.17-5etch4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 415362@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <daniel@debian.org> (supplier of updated file package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 29 Mar 2007 20:28:00 +0200
Source: file
Binary: libmagic1 file libmagic-dev python-magic
Architecture: source i386
Version: 4.17-5etch4
Distribution: testing-security
Urgency: high
Maintainer: Michael Piefel <piefel@debian.org>
Changed-By: Daniel Baumann <daniel@debian.org>
Description: 
 file       - Determines file type using "magic" numbers
 libmagic-dev - File type determination library (development)
 libmagic1  - File type determination library using "magic" numbers
 python-magic - Python binding for the magic library
Closes: 415362 416678
Changes: 
 file (4.17-5etch4) testing-security; urgency=high
 .
   * Applied patch from upstream to src/file.h, src/funcs.c and src/magic.c to
     fix integer underflow in file_printf which can lead to exploitable heap
     overflow CVE-2007-1536 (Closes: #415362, #416678).




Reply sent to Daniel Baumann <daniel@debian.org>:
You have taken responsibility.


Notification sent to abe@phys.ethz.ch (Axel Beckert):
Bug acknowledged by developer.


Reply sent to Daniel Baumann <daniel@debian.org>:
You have taken responsibility.


Notification sent to "era eriksson" <era@iki.fi>:
Bug acknowledged by developer.


Message #34 received at 415362-close@bugs.debian.org:

From: Daniel Baumann <daniel@debian.org>
To: 415362-close@bugs.debian.org
Subject: Bug#415362: fixed in file 4.12-1sarge1
Date: Sat, 07 Apr 2007 13:14:18 +0000
Source: file
Source-Version: 4.12-1sarge1

We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive:

file_4.12-1sarge1.diff.gz
  to pool/main/f/file/file_4.12-1sarge1.diff.gz
file_4.12-1sarge1.dsc
  to pool/main/f/file/file_4.12-1sarge1.dsc
file_4.12-1sarge1_i386.deb
  to pool/main/f/file/file_4.12-1sarge1_i386.deb
libmagic-dev_4.12-1sarge1_i386.deb
  to pool/main/f/file/libmagic-dev_4.12-1sarge1_i386.deb
libmagic1_4.12-1sarge1_i386.deb
  to pool/main/f/file/libmagic1_4.12-1sarge1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 415362@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <daniel@debian.org> (supplier of updated file package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.7
Date: Thu, 29 Mar 2007 20:28:00 +0200
Source: file
Binary: libmagic1 file libmagic-dev
Architecture: source i386
Version: 4.12-1sarge1
Distribution: stable-security
Urgency: high
Maintainer: Michael Piefel <piefel@debian.org>
Changed-By: Daniel Baumann <daniel@debian.org>
Description: 
 file       - Determines file type using "magic" numbers
 libmagic-dev - File type determination library (development)
 libmagic1  - File type determination library using "magic" numbers
Closes: 415362 416678
Changes: 
 file (4.12-1sarge1) stable-security; urgency=high
 .
   * Applied patch from upstream to src/file.h, src/funcs.c and src/magic.c to
     fix integer underflow in file_printf which can lead to exploitable heap
     overflow CVE-2007-1536 (Closes: #415362, #416678).




Reply sent to Daniel Baumann <daniel@debian.org>:
You have taken responsibility.


Notification sent to abe@phys.ethz.ch (Axel Beckert):
Bug acknowledged by developer.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 22 Jul 2007 07:32:03 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:27:56 2019; Machine Name: buxtehude