List:       oss-security
Subject:    Re: [oss-security] Bugs in "file" program VU#621745
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-02-29 22:10:47
Message-ID: 4F4EA267.3080204 () redhat ! com

On 02/29/2012 10:52 AM, Florian Weimer wrote:
> * Kurt Seifried:
> 
>>> We recently pointed the CERT BFF at the ubiquitous "file" command
>>> and found a few bugs.  While we've not proven the bugs to be
>>> exploitable, we've also not ruled out the possibility that they
>>> could be.
>>>
>>> Fixes were committed on Feb 16, 2012: 
>>> https://github.com/glensc/file/commits/master
> 
>> If any of these are security issues please let me know and I will
>> assign CVE #'s.
> 
> file also provides a library, libmagic.  This could lead to crashes of
> server processes which use libmagic.  Debian will likely release a fix
> as a security update.

Fair enough but I'd like some details before issuing CVE's, like what
are the actual security issues that have been fixed?

-- 
Kurt Seifried Red Hat Security Response Team (SRT)