Your message dated Sun, 23 Feb 2014 22:05:35 +0000
with message-id <e1whhb1-0004iv...@franck.debian.org>
and subject line Bug#738832: fixed in file 5.04-5+squeeze3
has caused the Debian Bug report #738832,
regarding Segmentation fault in libmagic (src:file) [CVE-2014-1943]
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
738832: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738832
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: file
Version: 5.11-2
Severity: grave
Tags: security
[ Re-sent to BTS by request of the security team, also updated ]
a bug in the handling of "indirect" magic rules of libmagic leads to
an infinite recursion when trying to determine the file type of
certain files. The has been assigned CVE-2014-1943. Additionally,
other well-crafted files might result in long computation times (five
seconds for a single file while using 100% CPU) and overlong results
(~400k line), something some applications that operate on the file
result might not handle in a sane way.
The issue has been made public by Bernd Melchers who initially found
this bug: http://mx.gw.com/pipermail/file/2014/001327.html
Impact is two-layered. The bug itself has been introduced years ago
(pre oldstable). From jessie on, the default magic file as shipped in
the package contains a file magic rule that is exploitable for a
segmentation fault.
In other words:
jessie: Always affected and in full scale.
squeeze/wheezy: Segmentation fault when using non-standard magic
files that use "indirect" in a certain way. Still vulnerable for the
"computation time" and "overlong" issues mentioned above.
Upstream released 5.17 last night, fixing the bug for all
reproducers I have in my collection. Backporting the patch is not
trivial but hopefully feasible. I'll give that a try later the day.
Christoph
--- End Message ---
--- Begin Message ---
Source: file
Source-Version: 5.04-5+squeeze3
We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 738...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Christoph Biedl <debian.a...@manchmal.in-ulm.de> (supplier of updated file
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 13 Feb 2014 22:31:08 +0100
Source: file
Binary: file libmagic1 libmagic-dev python-magic python-magic-dbg
Architecture: source amd64
Version: 5.04-5+squeeze3
Distribution: squeeze-security
Urgency: high
Maintainer: Daniel Baumann <dan...@lists.debian-maintainers.org>
Changed-By: Christoph Biedl <debian.a...@manchmal.in-ulm.de>
Description:
file - Determines file type using "magic" numbers
libmagic-dev - File type determination library using "magic" numbers
(developmen
libmagic1 - File type determination library using "magic" numbers
python-magic - File type determination library using "magic" numbers (Python
bin
python-magic-dbg - File type determination library using "magic" numbers
(Python bin
Closes: 738832
Changes:
file (5.04-5+squeeze3) squeeze-security; urgency=high
.
* Fix CVE-2014-1943 for file 5.04/Debian squeeze. Closes: #738832
Checksums-Sha1:
b79a4da7e4735cab9aa8fdb1d9db004624fbb6c4 2031 file_5.04-5+squeeze3.dsc
de43d2d8e299634696af9bad6adfc2e1342b9772 63342 file_5.04-5+squeeze3.diff.gz
ce039bceb6f95eff22413f734ddd44693eeb01ab 50014 file_5.04-5+squeeze3_amd64.deb
137eebeef089f328c1142ec8279f3c3617151405 235364
libmagic1_5.04-5+squeeze3_amd64.deb
0aa86d07247bc5951e497d3cbc68ab35a0297d5c 108128
libmagic-dev_5.04-5+squeeze3_amd64.deb
36055081391bbca25898c6ad90bfa1311fc51780 38648
python-magic_5.04-5+squeeze3_amd64.deb
c48bcc39fe80605ce2ecc765e98a578c7d2ea7d4 32460
python-magic-dbg_5.04-5+squeeze3_amd64.deb
Checksums-Sha256:
36753f5d2ae4acac8a1dc9935589f054db9b9f7d005c8e90c30fe90506eaa1d4 2031
file_5.04-5+squeeze3.dsc
547b50da36011cc2c13806cbe817a7bc88e91dc03aea1fcafc143c84d93cd023 63342
file_5.04-5+squeeze3.diff.gz
82d45957f2890f53cdde6a3fda7b6a8d951df65c8f1e9a9daefd06502dd87983 50014
file_5.04-5+squeeze3_amd64.deb
35969bca23475db05ccf424300538a44ff93003c3b941fd298cc82ca2d9cb27b 235364
libmagic1_5.04-5+squeeze3_amd64.deb
60bbfc89b02d77c2d3f20cc44f6e281b40e53720510ec4177442561c4e6487e3 108128
libmagic-dev_5.04-5+squeeze3_amd64.deb
ddb6b3a9aada3b361dd4ddb28176888f9f69ee469b528de727c805f1c4851d99 38648
python-magic_5.04-5+squeeze3_amd64.deb
14c37b65f6eb038fa4df9b45689252ad0a0d308d085884f78d9a38b2fde6fe19 32460
python-magic-dbg_5.04-5+squeeze3_amd64.deb
Files:
f53487595a6f3a3642ae01a28323216d 2031 utils standard file_5.04-5+squeeze3.dsc
78613a53546ff9dd827e3b6cc8fe043a 63342 utils standard
file_5.04-5+squeeze3.diff.gz
e627dff41b7cc1498ee3a7bf3b103637 50014 utils standard
file_5.04-5+squeeze3_amd64.deb
19f3fc3db2fd2e2c9b692903ce103d4a 235364 libs standard
libmagic1_5.04-5+squeeze3_amd64.deb
782884ddeb22b951dc641fe6c4e5e7f4 108128 libdevel optional
libmagic-dev_5.04-5+squeeze3_amd64.deb
9b3cc030a33e437fdd3b780846f3f7d4 38648 python extra
python-magic_5.04-5+squeeze3_amd64.deb
7dc680e7375a1bbebe3a654fc7304d96 32460 debug extra
python-magic-dbg_5.04-5+squeeze3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJS/xw/AAoJEAVMuPMTQ89EE3cP/2cmh28TwSYM63INauso23hJ
AuOnI3tqbcd2MMtD9O9eGNIyc09gZBZjGR96e9S0M50Z2QxwgCEbRkxW+is1zQVt
dkmB2+cbF1Of+qQOI9U+RAxWuK2aR+jw1taieAmc3tnL+RX1+gu9r1aL3BFZxEzp
OE/Q7hCQUF6csVfJwcIAcXdByZuSUGZzIl26ET3V4ftdqC04lbV3AuEEylL4DhO4
0Esymlf8BIg0a3SIZvH3vkUVz7pvcYsky6crcJjeq3CnYgAsLMeXmdU5Sj/HxvnS
ddVBmauRn/m0h540mPAmiB8mqcYAtMFZkhs+liyDa0Xiw49gjsv5t6Chd/sBibli
yEkpvERSAV7d0/oJzLvleloxj708/gbMeh+2fvIX8d9FUJ48iUZ7+WuPQBKgx6em
ZbDMc6nGSdHiaCtz7GID/fG9ABBhpTruYGAxGpkkO5HvNNMgzwdPO057xEXPYC8u
cWqgXXkxY1cdBgbhzQjJiLNPRqR9OjlfSv494OIJK+5X38l7iJjfc49CItJbO00m
K2/iAjAeq6QUFkDU9ZhGB5x/ude/Pi6c8oWdfC6lAurguk5AULs7/9zufkgq0zGC
RvBW/Kuxw3+JzSBN+S7mo9P8H7toqtRg2LOKzXaMo44k6oN4RBdmj/rKfDsL/A4D
ogPrpdS4QwfBfpnsDlzU
=Z0YS
-----END PGP SIGNATURE-----
--- End Message ---
