-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
AMaViS Security Announcement

Date:                 2007-03-23
affected version(s):  amavis, amavisd, amavisd-new, amavis-ng
Vulnerability:        file utility
Priority:             urgent
Solution:             update to file 4.20 or later
References:           http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1532
Author:               Mark Martinec <[EMAIL PROTECTED]>
                      Rainer Link <[EMAIL PROTECTED]>
Advisory ID:          ASA-2007-1
Contact:              [EMAIL PROTECTED]
WWW:                  http://www.amavis.org/security/
- -----------------------------------------------------------------------------

0. Preface

As amavisd-new (http://www.ijs.si/software/amavisd/) is currently the
only maintained AMaViS branch, most of the following refers to
amavisd-new.

1. Problem description

A security issue (integer underflow) in the GNU file(1) utility can
lead to a heap overflow.

2. Impact

Gain shell access to a remote system running a content filter which
uses GNU file below 4.20.

Note that the executable code runs with the privileges of the process
running amavisd (usually vscan or amavis), which is not root. If
amavisd is running chrooted, the impact is limited by the chroot jail
environment.

3. Solution

Update to GNU file 4.20 or newer; the latest version can be found at
ftp://ftp.astron.com/pub/file/

Alternatively, update your system using an up-to-date package or port.

4. Acknowledgement

Credits to Kees Cook of the Ubuntu team for providing us with
up-to-date references and details.

5. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
http://mx.gw.com/pipermail/file/2007/000161.html
http://www.ijs.si/software/amavisd/#sec
http://www.amavis.org/security/

6. Revision history

2007-03-23: initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.9.14 (GNU/Linux)

iD8DBQFGA6W4mxoFTBO0QHkRAlWVAJ9Cvdpa74t1Mv1n0R5l5i8MVPMYrwCfZ3RR
Y1QOxx+LJk6O/2JKUTmPqj8=
=OaWi
-----END PGP SIGNATURE-----
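The following check is an added example, not part of the original advisory or of the AMaViS project: it compares the version reported by the file(1) binary on the content filter host against 4.20, the fixed release named in section 3. The function names and the --check argument are assumptions made for this example, as is the assumption that the binary amavisd invokes is the first "file" on PATH.

```sh
#!/bin/sh
# Added example: is the installed file(1) at or above the fixed release 4.20?
FIXED_MAJOR=4
FIXED_MINOR=20

# Extract "MAJOR.MINOR" from version output whose first line looks like
# "file-4.17". Prints nothing when the format is not recognised.
parse_file_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^file-\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Exit status: 0 = version >= 4.20, 1 = older, 2 = unparsable.
# An unparsable version is reported as unknown, never as fixed.
version_is_fixed() {
    case "$1" in
        *[!0-9.]*|''|*.*.*|.*|*.) return 2 ;;
        *.*) ;;
        *) return 2 ;;
    esac
    # Strip leading zeros so "4.08" compares as minor 8 in every shell.
    major=$(printf '%s\n' "${1%%.*}" | sed 's/^0*\([0-9]\)/\1/')
    minor=$(printf '%s\n' "${1#*.}" | sed 's/^0*\([0-9]\)/\1/')
    [ "$major" -gt "$FIXED_MAJOR" ] && return 0
    [ "$major" -lt "$FIXED_MAJOR" ] && return 1
    [ "$minor" -ge "$FIXED_MINOR" ]
}

# Run the check against the local binary only when asked to.
if [ "${1:-}" = "--check" ]; then
    # Capture both streams in case the build prints its version on stderr.
    ver=$(parse_file_version "$(file -v 2>&1)")
    version_is_fixed "$ver"
    case $? in
        0) echo "file $ver: at or above 4.20" ;;
        1) echo "file $ver: older than 4.20, update required" ;;
        *) echo "could not determine file version" ;;
    esac
fi
```

A distribution package may carry the fix under an older upstream version number, so an "older than 4.20" result on a packaged build should be confirmed against the package changelog.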