On 3/23/07, Mark Martinec <[EMAIL PROTECTED]> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> ===========================================================================
>                         AMaViS Security Announcement
>
> Date:                   2007-03-23
> affected version(s):    amavis, amavisd, amavisd-new, amavis-ng
> Vulnerability:          file utility
> Priority:               urgent
> Solution:               update to file 4.20 or later
> References:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1532
> Author:                 Mark Martinec <[EMAIL PROTECTED]>
>                         Rainer Link <[EMAIL PROTECTED]>
> Advisory ID:            ASA-2007-1
> Contact:                [EMAIL PROTECTED]
> WWW:                    http://www.amavis.org/security/
>
> - -----------------------------------------------------------------------------
>
> 0. Preface
> As amavisd-new (http://www.ijs.si/software/amavisd/) is currently the
> only maintained AMaViS branch, most of the following refers to
> amavisd-new.
>
>
> 1. Problem description
> A security issue (integer underflow) in the GNU file(1) utility can
> lead to a heap overflow.
>
>
> 2. Impact
> Gain shell access to a remote system running a content filter
> which uses GNU file below 4.20.
>
> It is important to say that the executable code runs under
> privileges of the process running amavisd (usually vscan or amavis),
> which is not root. If amavisd is running chrooted, the impact
> is limited by the chroot jail environment.
>
>
> 3. Solution
> Update to GNU file 4.20 or newer, the latest version can be
> found at ftp://ftp.astron.com/pub/file/
>
> Or update your system using an up to date package or port.
>
>
> 4. Acknowledgement
> Credits to Kees Cook of the Ubuntu team for providing
> us with up-to-date references and details.
>
>
> 5. References
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
> http://mx.gw.com/pipermail/file/2007/000161.html
> http://www.ijs.si/software/amavisd/#sec
> http://www.amavis.org/security/
>
>
> 6. Revision history
> 2007-03-23: initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.9.14 (GNU/Linux)
>
> iD8DBQFGA6W4mxoFTBO0QHkRAlWVAJ9Cvdpa74t1Mv1n0R5l5i8MVPMYrwCfZ3RR
> Y1QOxx+LJk6O/2JKUTmPqj8=
> =OaWi
> -----END PGP SIGNATURE-----
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to share
> your
> opinions on IT & business topics through brief surveys-and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> AMaViS-user mailing list
> AMaViS-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/amavis-user
> AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
> AMaViS-HowTos:http://www.amavis.org/howto/
>

Is FreeBSD affected, or is the BSD file not the same as GNU file?

Alex
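
An added example, not part of the advisory or of amavisd-new: a shell check that compares the installed file(1) version against the 4.20 threshold given in the advisory's "Solution" section. It assumes the first line of `file --version` has the form `file-X.YY`; the function names and status labels are hypothetical.

```shell
#!/bin/sh
# Added example: compare the local file(1) version with the advisory's fix (4.20).

FIXED_VERSION="4.20"   # from the advisory: "update to file 4.20 or later"

# Extract "X.YY" from the first line of `file --version` output (e.g. "file-4.17").
parse_file_version() {
    printf '%s\n' "$1" | sed -n '1s/^file-\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Succeed if version $1 >= version $2. Major and minor are compared as
# integers, so 4.3 sorts below 4.20 and a leading zero (4.03) is harmless.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        ok = (x[1]+0 > y[1]+0) || (x[1]+0 == y[1]+0 && x[2]+0 >= y[2]+0)
        exit !ok
    }'
}

# Map raw `file --version` output to a status label.
# BELOW_FIXED means "older than 4.20 upstream"; a distribution package may
# still carry a backported fix, so confirm against the vendor's advisory.
assess() {
    v=$(parse_file_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo "OK"
    else
        echo "BELOW_FIXED"
    fi
}

# Constructed sample outputs, followed by the local binary if one is installed.
for sample in "file-4.17" "file-4.20" "file-5.41" "not a version line"; do
    echo "$sample => $(assess "$sample")"
done

if command -v file >/dev/null 2>&1; then
    echo "local file(1) => $(assess "$(file --version 2>/dev/null)")"
else
    echo "local file(1) => not installed"
fi
```

Run it as the account amavisd uses (usually vscan or amavis, per the advisory) so the check resolves the same `file` binary the content filter would call.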