date:20070524

ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file

2007-05-24 Thread FreeBSD Security Advisories


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

=
FreeBSD-SA-07:04.file   Security Advisory
  The FreeBSD Project

Topic:  Heap overflow in file(1)

Category:   contrib
Module: file
Announced:  2007-05-23
Affects:All FreeBSD releases.
Corrected:  2007-05-23 16:12:51 UTC (RELENG_6, 6.2-STABLE)
2007-05-23 16:13:07 UTC (RELENG_6_2, 6.2-RELEASE-p5)
2007-05-23 16:13:20 UTC (RELENG_6_1, 6.1-RELEASE-p17)
2007-05-23 16:12:10 UTC (RELENG_5, 5.5-STABLE)
2007-05-23 16:12:35 UTC (RELENG_5_5, 5.5-RELEASE-p13)
CVE Name:   CVE-2007-1536

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

The file(1) utility attempts to classify file system objects based on
filesystem, magic number and language tests.

The libmagic(3) library provides most of the functionality of file(1)
and may be used by other applications.

II.  Problem Description

When writing data into a buffer in the file_printf function, the length
of the unused portion of the buffer is not correctly tracked, resulting
in a buffer overflow when processing certain files.

III. Impact

An attacker who can cause file(1) to be run on a maliciously constructed
input can cause file(1) to crash.  It may be possible for such an attacker
to execute arbitrary code with the privileges of the user running file(1).

The above also applies to any other applications using the libmagic(3)
library.

IV.  Workaround

No workaround is available, but systems where file(1) and other
libmagic(3)-using applications are never run on untrusted input are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.5]
# fetch http://security.FreeBSD.org/patches/SA-07:04/file5.patch
# fetch http://security.FreeBSD.org/patches/SA-07:04/file5.patch.asc

[FreeBSD 6.1 and 6.2]
# fetch http://security.FreeBSD.org/patches/SA-07:04/file6.patch
# fetch http://security.FreeBSD.org/patches/SA-07:04/file6.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch  /path/to/patch
# cd /usr/src/lib/libmagic
# make obj  make depend  make  make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch   Revision
  Path
- -
RELENG_5
  src/contrib/file/file.h 1.1.1.7.2.1
  src/contrib/file/funcs.c1.1.1.1.2.1
  src/contrib/file/magic.c1.1.1.1.2.1
RELENG_5_5
  src/UPDATING1.342.2.35.2.13
  src/sys/conf/newvers.sh  1.62.2.21.2.15
  src/contrib/file/file.h 1.1.1.7.8.1
  src/contrib/file/funcs.c1.1.1.1.8.1
  src/contrib/file/magic.c1.1.1.1.8.1
RELENG_6
  src/contrib/file/file.h 1.1.1.8.2.1
  src/contrib/file/funcs.c1.1.1.2.2.1
  src/contrib/file/magic.c1.1.1.2.2.1
RELENG_6_2
  src/UPDATING 1.416.2.29.2.8
  src/sys/conf/newvers.sh   1.69.2.13.2.8
  src/contrib/file/file.h 1.1.1.8.8.1
  src/contrib/file/funcs.c1.1.1.2.8.1
  src/contrib/file/magic.c1.1.1.2.8.1
RELENG_6_1
  src/UPDATING1.416.2.22.2.19
  src/sys/conf/newvers.sh  1.69.2.11.2.19
  src/contrib/file/file.h 1.1.1.8.6.1
  src/contrib/file/funcs.c1.1.1.2.6.1
  src/contrib/file/magic.c1.1.1.2.6.1
- -

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536

The latest revision of this advisory is available at

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file

2007-05-24 Thread Dag-Erling Smørgrav

Brian A. Seklecki [EMAIL PROTECTED] writes:
 I'll have to check, but I doubt anything other than file(1) on
 production systems is linked against libmagic.  This is safe to do in
 real-time afaik. ~BAS

AFAIK, Apache's mod_mime_magic either links against libmagic or against
its own copy of the same code.

DES
-- 
Dag-Erling Smørgrav - [EMAIL PROTECTED]
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to [EMAIL PROTECTED]

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file

2007-05-24 Thread Tom Evans

 Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory 
 FreeBSD-SA-07:04.file
 Date: Thu, 24 May 2007 15:37:36 +0200
 From: Dag-Erling Smørgrav [EMAIL PROTECTED]
 To: Brian A. Seklecki [EMAIL PROTECTED]
 CC: FreeBSD Security Advisories [EMAIL PROTECTED], 
 freebsd-security@freebsd.org
 References: [EMAIL PROTECTED] 
 [EMAIL PROTECTED]

 Brian A. Seklecki [EMAIL PROTECTED] writes:
  I'll have to check, but I doubt anything other than file(1) on
  production systems is linked against libmagic.  This is safe to do in
  real-time afaik. ~BAS

 AFAIK, Apache's mod_mime_magic either links against libmagic or against
 its own copy of the same code.

 DES

I've had an initial look over mod_mime_magic.c in Apache 1.3.37 and
2.2.4 . Both are essentially the same module, just adjusted for the
different APIs in 2.x. The module does not use libmagic directly, nor
does it appear to include large portions of similar code. The history of
the module indicates that it was derived from Ian Darwin's magic(1)
posted to comp.source.unix in ~1987, which is where FreeBSD's magic(1)
originated.

However FreeBSD's magic notes that it was extensively rewritten since
then, and I cannot personally identify similar parts of the code between
file/magic.c and mod_mime_magic.c - but I am not a security expert.

If someone more qualified than me has some time to look at whether
mod_mime_magic is affected, I'd appreciate it greatly.

Regards

Tom

signature.asc
Description: This is a digitally signed message part

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file

2007-05-24 Thread Bill Moran

In response to Dag-Erling Smørgrav [EMAIL PROTECTED]:

 Brian A. Seklecki [EMAIL PROTECTED] writes:
  I'll have to check, but I doubt anything other than file(1) on
  production systems is linked against libmagic.  This is safe to do in
  real-time afaik. ~BAS
 
 AFAIK, Apache's mod_mime_magic either links against libmagic or against
 its own copy of the same code.

According to the docs:
http://httpd.apache.org/docs/2.2/mod/mod_mime_magic.html

It would appear that Apache uses its own code for mod_mime_magic.

That does not guarantee that it doesn't have the same problem, however.

-- 
Bill Moran
Collaborative Fusion Inc.
http://people.collaborativefusion.com/~wmoran/

[EMAIL PROTECTED]
Phone: 412-422-3463x4023
___
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to [EMAIL PROTECTED]

ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file

Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file

4 matches

Site Navigation

Mail list logo

Footer information