Package: file
Version: 4.17-4
Severity: normal
Tags: patch

There are a few one-byte patterns in /usr/share/file/magic
which can lead to bad effects. Especially the ones that result
in "executable", having a chance of 1 out of 256 to happen
on random binary files.

Use case:
Amavisd uses file to see if the scanned file is an executable.
Openoffice.org's encrypted files within the .sxw zip file
can be treated as random files. Within the .sxw zip file there
are several files that are encrypted. One out of 100 or so
email attachments as .sxw will possibly be banned as MS executable.

See https://intevation.de/roundup/kolab/issue1458 for more on
a server application that got hit by the bug.

To test for the problem:

printf \\xb8\\x1a\\x0a | file -
/dev/stdin: COM executable for DOS

For Sarge this problem is not as big,
because those patterns are commented out.

To find the potentially dangerous patterns:

awk '/^[^>#].*( |\t)byte/ {print $0;} ' /usr/share/file/magic

0       byte            0xe9            DOS executable (COM)
0       byte            0x8c            DOS executable (COM)
0       byte            0xeb            DOS executable (COM)
0       byte            0xb8            COM executable

Proposed solution:
Alternative a) Comment out the short executable patterns.
Alternative b) Use the magic format feature to print data when
               the first byte is met and print more for further level
               check.
               Drawback: It might leave "data" and "executable" on
               one printout message, which might not be expected.
A patch for b) is attached.

Best,
Bernhard


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: powerpc (ppc)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17.11-eione1
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages file depends on:
ii  libc6                        2.3.6.ds1-4 GNU C Library: Shared libraries
ii  libmagic1                    4.17-4      File type determination library us

file recommends no packages.

-- no debconf information
--- /kolab/share/file.org/magic 2005-12-18 22:23:34.000000000 +0100
+++ /kolab/share/file/magic     2006-10-17 20:15:13.554411551 +0200
@@ -7951,15 +7951,15 @@
 # Uncommenting only the first two lines will cover about 2/3 of COM files,
 # but it isn't feasible to match all COM files since there must be at least
 # two dozen different one-byte "magics".
-0      byte            0xe9            MS-DOS executable (COM)
->6     string          SFX\ of\ LHarc  (%s)
-0      byte            0x8c            MS-DOS executable (COM)
+0      byte            0xe9            data
+>6     string          SFX\ of\ LHarc  MS-DOS executable (COM) (%s)
+#0     byte            0x8c            MS-DOS executable (COM)
 # 0xeb conflicts with "sequent" magic
-0      byte            0xeb            MS-DOS executable (COM)
->4     string          \ $ARX          \b, ARX self-extracting archive
->4     string          \ $LHarc        \b, LHarc self-extracting archive
->0x20e string          SFX\ by\ LARC   \b, LARC self-extracting archive
-0      byte            0xb8            COM executable for MS-DOS
+0      byte            0xeb            data
+>4     string          \ $ARX          MS-DOS executable (COM), ARX 
self-extracting archive
+>4     string          \ $LHarc        MS-DOS executable (COM), LHarc 
self-extracting archive
+>0x20e string          SFX\ by\ LARC   MS-DOS executable (COM), LARC 
self-extracting archive
+#0     byte            0xb8            COM executable for MS-DOS
 # many compressed/converted COMs start with a copy loop instead of a jump
 0x6    search/0xa      \xfc\x57\xf3\xa5\xc3    COM executable for MS-DOS
 0x6    search/0xa      \xfc\x57\xf3\xa4\xc3    COM executable for MS-DOS
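Review bot: the new "0 byte 0xe9 data" and "0 byte 0xeb data" lines still match on a single byte at top level, so every file beginning with one of those bytes is now labelled "data" by these entries, and a file that also matches a continuation line prints "data MS-DOS executable (COM) ..." in one message. Consider commenting both entries out the same way the 0x8c and 0xb8 lines are, or at least add a comment above them saying the "data" text is deliberate. The three added ">4" / ">0x20e" lines have been wrapped in transit ("self-extracting archive" sits on its own line with no "+" prefix), so the hunk will not apply as posted and should be resent unwrapped. The context comment "Uncommenting only the first two lines will cover about 2/3 of COM files" no longer describes the entries below it and should be updated with the change.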

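The awk check from the report's "To find the potentially dangerous patterns" step, extended into an added example (not part of the original report or of the file package): it lists top-level exact-value byte tests in a magic file and estimates how often uniformly random data, such as an encrypted stream, matches at least one of them, including tests at different offsets. The function names and the sample magic lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the report): audit a magic file for top-level
# one-byte tests and estimate the false-positive rate on random data.

# Constructed sample input: the four entries quoted in the report plus
# lines that must NOT be flagged (comment, continuation, multi-byte test).
sample_magic() {
cat <<'EOF'
# DOS executables
0       byte            0xe9            DOS executable (COM)
>6      string          SFX\ of\ LHarc  (%s)
0       byte            0x8c            DOS executable (COM)
0       byte            0xeb            DOS executable (COM)
0       byte            0xb8            COM executable
#0      byte            0x01            commented-out entry
0       string          PK\003\004      Zip archive data
EOF
}

# Print "offset value description" for every top-level test that compares
# one byte against an exact value (tests using <, >, & or x are skipped).
one_byte_tests() {
  awk '$1 !~ /^[>#]/ && $2 == "byte" && NF >= 4 &&
       tolower($3) ~ /^(0x[0-9a-f]+|[0-9]+)$/ {
         desc = $4
         for (i = 5; i <= NF; i++) desc = desc " " $i
         print $1, tolower($3), desc
       }' "$@"
}

# Probability that uniformly random data matches at least one such test.
# Values at the same offset are mutually exclusive (k/256); different
# offsets are treated as independent. Values are compared as text, so
# 0xe9 and 233 would be counted as two values.
hit_rate() {
  one_byte_tests "$@" | LC_ALL=C awk '
    !seen[$1, $2]++ { n[$1]++ }       # distinct values per offset
    END {
      miss = 1
      for (o in n) miss *= 1 - n[o] / 256
      printf "%.4f\n", 1 - miss
    }'
}

sample_magic | one_byte_tests
echo "per-file false-positive rate: $(sample_magic | hit_rate)"
```

Both functions also accept a file argument, for example `one_byte_tests /usr/share/file/magic`.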