Your message dated Sat, 07 Apr 2007 13:14:18 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#415362: fixed in file 4.12-1sarge1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: file
Version: 4.19-1
Severity: grave
Tags: security
X-Debbugs-Cc: [EMAIL PROTECTED]
According to the changelog included in the GNU file 4.20 tarball at
<ftp://ftp.gw.com/mirrors/pub/unix/file/>, this version includes a
security fix:
2007-02-08 17:30  Christos Zoulas <[EMAIL PROTECTED]>
	* fix integer underflow in file_printf which can lead to
	  exploitable heap overflow (Jean-Sebastien Guay-Lero)
I have not seen this receive any publicity. A quick Google seems to
confirm this.
The release announcement with pertinent ChangeLog is also at
<http://mx.gw.com/pipermail/file/2007/000161.html> if you don't want to
grab the full tarball.
Sorry if I have assigned an inflated severity; I suppose it's better at
this point to exaggerate than to downplay. The instructions at
<http://www.debian.org/Bugs/Developer#severities> suggest "grave" for a
bug which "introduces a security hole allowing access to the accounts of
users who use the package". I'm not sure about "introduces" (it likely
existed before?) and without an isolated patch, it's hard to assess the
exact scope of the vulnerability, even for someone more skilled than
myself.
</piglet panics>
/* era */
--
If this were a real .signature, it would suck less. Well, maybe not.
--- End Message ---
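The upstream changelog quoted in the report names the bug class but not its mechanism. The following is an added illustration written for this page, not file's own src/funcs.c: a printf-style append helper that keeps a heap buffer and tracks the space left as an unsigned count. vsnprintf() returns the length the output would have had, which can exceed the space left; subtracting that from the remaining count underflows, so the next write is bounded by a huge value and runs off the end of the allocation. The struct, function names and the sample strings are constructed for the example; the hardened outbuf_printf() shows the bookkeeping that keeps used <= size as an invariant and fails closed instead of wrapping.

```c
/* Added illustration of an integer underflow in remaining-space bookkeeping
 * for a growable printf buffer (hypothetical code, not file's file_printf). */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct outbuf {
    char *buf;    /* start of the heap allocation */
    size_t size;  /* bytes allocated */
    size_t used;  /* bytes written so far, excluding the terminating NUL */
};

/* The defective bookkeeping in isolation: "remaining -= len" with no check that
 * len fits.  When vsnprintf() reports a length larger than the space left, the
 * unsigned subtraction wraps, and the caller would hand the wrapped value to
 * the next vsnprintf() as its bound.  Returned here instead of used, so the
 * wrap is observable without any out-of-bounds write. */
size_t remaining_after_unchecked(size_t remaining, size_t len)
{
    return remaining - len;  /* wraps to a value near SIZE_MAX when len > remaining */
}

/* Hardened append: treats the vsnprintf() return value as "bytes needed", not
 * "bytes written", grows the buffer to fit, re-checks after the retry, and
 * never lets used exceed size. */
int outbuf_printf(struct outbuf *o, const char *fmt, ...)
{
    va_list ap, ap2;
    size_t room, need, newsize;
    char *nb;
    int n;

    va_start(ap, fmt);
    va_copy(ap2, ap);
    room = o->size - o->used;  /* safe: used <= size is maintained below */
    n = vsnprintf(o->buf + o->used, room, fmt, ap2);
    va_end(ap2);
    if (n < 0) { va_end(ap); return -1; }
    need = (size_t)n;
    if (need >= room) {
        /* Output was truncated; grow to used + need + 1 (NUL), guarding the
         * additions themselves against size_t overflow. */
        if (need > SIZE_MAX - o->used - 1) { va_end(ap); return -1; }
        newsize = o->used + need + 1;
        nb = realloc(o->buf, newsize);
        if (nb == NULL) { va_end(ap); return -1; }
        o->buf = nb;
        o->size = newsize;
        room = o->size - o->used;
        n = vsnprintf(o->buf + o->used, room, fmt, ap);
        /* Re-check instead of assuming the retry fit. */
        if (n < 0 || (size_t)n >= room) { va_end(ap); return -1; }
        need = (size_t)n;
    }
    o->used += need;  /* cannot exceed size: need < room == size - used */
    va_end(ap);
    return 0;
}

/* Appends two constructed fragments to a fresh buffer and returns the final
 * length (8 for "hello 42"), or -1 if the content or invariant is wrong. */
long demo_append(void)
{
    struct outbuf o = { NULL, 0, 0 };
    long result;

    if (outbuf_printf(&o, "%s", "hello") != 0) return -1;
    if (outbuf_printf(&o, " %d", 42) != 0) return -1;
    result = (strcmp(o.buf, "hello 42") == 0 && o.used < o.size) ? (long)o.used : -1;
    free(o.buf);
    return result;
}

int main(void)
{
    /* 8 bytes left, vsnprintf() reports 12 needed: the unchecked count wraps. */
    printf("unchecked remaining: %zu\n", remaining_after_unchecked(8, 12));
    printf("hardened append length: %ld\n", demo_append());
    return 0;
}
```

The wrapped value from remaining_after_unchecked() is the whole problem: once it is used as a vsnprintf() bound, the next formatted write is limited only by the input, which is how an underflow in length accounting becomes a heap overflow. The hardened version never derives a bound by subtraction from a value it has not already checked.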
--- Begin Message ---
Source: file
Source-Version: 4.12-1sarge1
We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive:
file_4.12-1sarge1.diff.gz
to pool/main/f/file/file_4.12-1sarge1.diff.gz
file_4.12-1sarge1.dsc
to pool/main/f/file/file_4.12-1sarge1.dsc
file_4.12-1sarge1_i386.deb
to pool/main/f/file/file_4.12-1sarge1_i386.deb
libmagic-dev_4.12-1sarge1_i386.deb
to pool/main/f/file/libmagic-dev_4.12-1sarge1_i386.deb
libmagic1_4.12-1sarge1_i386.deb
to pool/main/f/file/libmagic1_4.12-1sarge1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Baumann <[EMAIL PROTECTED]> (supplier of updated file package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 29 Mar 2007 20:28:00 +0200
Source: file
Binary: libmagic1 file libmagic-dev
Architecture: source i386
Version: 4.12-1sarge1
Distribution: stable-security
Urgency: high
Maintainer: Michael Piefel <[EMAIL PROTECTED]>
Changed-By: Daniel Baumann <[EMAIL PROTECTED]>
Description:
file - Determines file type using "magic" numbers
libmagic-dev - File type determination library (development)
libmagic1 - File type determination library using "magic" numbers
Closes: 415362 416678
Changes:
file (4.12-1sarge1) stable-security; urgency=high
.
* Applied patch from upstream to src/file.h, src/funcs.c and src/magic.c to
fix integer underflow in file_printf which can lead to exploitable heap
overflow CVE-2007-1536 (Closes: #415362, #416678).
Files:
35369fd62fb18da83aaeb7c4f344dd4c 617 utils standard file_4.12-1sarge1.dsc
09488a9d62bc6627b48a8c93e12d72f8 414600 utils standard file_4.12.orig.tar.gz
280dd71f4e252f06075c39bfaa299c30 17938 utils standard file_4.12-1sarge1.diff.gz
5dc2a6e2ae0e369822375952d4f09661 28778 utils standard file_4.12-1sarge1_i386.deb
606140908844c8181f9e0a53c15374e4 234522 libs standard libmagic1_4.12-1sarge1_i386.deb
3526099e71273498e46541578303ca4c 45386 libdevel optional libmagic-dev_4.12-1sarge1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFGDAcl+C5cwEsrK54RAtivAKDPLEiDb1pZew90o3XW8r72P3dfGwCffFDc
bnvgJNlO9sB6bSszESgLClQ=
=iMYj
-----END PGP SIGNATURE-----
--- End Message ---