> Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file
> Date: Thu, 24 May 2007 15:37:36 +0200
> From: Dag-Erling Smørgrav <[EMAIL PROTECTED]>
> To: Brian A. Seklecki <[EMAIL PROTECTED]>
> CC: FreeBSD Security Advisories <[EMAIL PROTECTED]>, freebsd-security@freebsd.org
> References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
> 
> "Brian A. Seklecki" <[EMAIL PROTECTED]> writes:
> > I'll have to check, but I doubt anything other than file(1) on
> > production systems is linked against libmagic.  This is safe to do in
> > real-time afaik. ~BAS
> 
> AFAIK, Apache's mod_mime_magic either links against libmagic or against
> its own copy of the same code.
> 
> DES

I've had an initial look over mod_mime_magic.c in Apache 1.3.37 and
2.2.4. Both are essentially the same module, just adjusted for the
different APIs in 2.x. The module does not use libmagic directly, nor
does it appear to include large portions of similar code. The history of
the module indicates that it was derived from Ian Darwin's magic(1)
posted to comp.source.unix in ~1987, which is where FreeBSD's magic(1)
originated.

However, FreeBSD's magic notes that it was extensively rewritten since
then, and I cannot personally identify similar parts of the code between
file/magic.c and mod_mime_magic.c - but I am not a security expert.

If someone more qualified than me has some time to look at whether
mod_mime_magic is affected, I'd appreciate it greatly.

Regards

Tom
