Your message dated Mon, 17 Feb 2014 09:33:51 +0000
with message-id <e1wfkaf-00081m...@franck.debian.org>
and subject line Bug#738832: fixed in file 1:5.17-0.1
has caused the Debian Bug report #738832,
regarding Segmentation fault in libmagic (src:file) [CVE-2014-1943]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
738832: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738832
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: file
Version: 5.11-2
Severity: grave
Tags: security

[ Re-sent to BTS by request of the security team, also updated ]

A bug in the handling of "indirect" magic rules of libmagic leads to
an infinite recursion when trying to determine the file type of
certain files. This has been assigned CVE-2014-1943. Additionally,
other well-crafted files might result in long computation times (five
seconds for a single file while using 100% CPU) and overlong results
(~400k lines), something some applications that operate on the file
result might not handle in a sane way.

The issue has been made public by Bernd Melchers, who initially found
this bug: http://mx.gw.com/pipermail/file/2014/001327.html

Impact is two-layered. The bug itself was introduced years ago
(pre-oldstable). From jessie on, the default magic file as shipped in
the package contains a file magic rule that is exploitable for a
segmentation fault.

In other words:

jessie: Always affected and in full scale.

squeeze/wheezy: Segmentation fault when using non-standard magic
files that use "indirect" in a certain way. Still vulnerable for the
"computation time" and "overlong" issues mentioned above.

Upstream released 5.17 last night, fixing the bug for all
reproducers I have in my collection. Backporting the patch is not
trivial but hopefully feasible. I'll give that a try later today.

    Christoph

--- End Message ---
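As an added illustration, not code from file/libmagic and not from the reporter: a toy model of what an "indirect" rule does (re-apply the rule set at an offset read from the file), why a self-referencing offset recurses without bound, and how a recursion-depth cap plus an output-length cap turn both the crash and the overlong result into a clean error. The rule format, the sample files, the cap values and the function names are all assumptions of this example; the actual limits chosen upstream in 5.17 are not stated on this page.

```python
"""Toy model of libmagic-style "indirect" rule evaluation (constructed)."""
import struct

# A rule is (offset, magic_bytes, description, indirect). On a match, an
# indirect rule reads a 32-bit little-endian offset that follows the magic
# and re-runs the whole rule set with that offset as the new base.
RULES = [
    (0, b"TOY!", "toy container", True),
    (8, b"DATA", "toy payload", False),
]

MAX_DEPTH = 10          # assumed cap on nested indirect evaluations
MAX_OUTPUT_LINES = 100  # assumed cap on the size of the result


class MagicLimitExceeded(Exception):
    """Raised when a crafted input trips one of the caps."""


def evaluate(data, base=0, depth=0, out=None, limits=True):
    """Collect descriptions of matching rules, recursing on indirect ones."""
    if out is None:
        out = []
    if limits and depth > MAX_DEPTH:
        raise MagicLimitExceeded("indirect recursion too deep")
    for offset, magic, desc, indirect in RULES:
        pos = base + offset
        if data[pos:pos + len(magic)] != magic:
            continue
        out.append(desc)
        if limits and len(out) > MAX_OUTPUT_LINES:
            raise MagicLimitExceeded("result too long")
        if indirect and pos + len(magic) + 4 <= len(data):
            (new_base,) = struct.unpack_from("<I", data, pos + len(magic))
            evaluate(data, new_base, depth + 1, out, limits)
    return out


def identify(data, limits=True):
    """Return ('ok', lines), ('limit', [reason]) or ('crash', [])."""
    try:
        return "ok", evaluate(data, limits=limits)
    except MagicLimitExceeded as exc:
        return "limit", [str(exc)]
    except RecursionError:          # stand-in for the stack-exhaustion segfault
        return "crash", []


# Constructed samples: a well-formed file, and one whose indirect offset
# points back to its own start, so the unbounded evaluator never terminates.
BENIGN = b"TOY!" + struct.pack("<I", 8) + b"DATA"
SELF_REF = b"TOY!" + struct.pack("<I", 0)
```

Running `identify(SELF_REF, limits=False)` exhausts the interpreter stack, while the capped version returns a bounded error instead; the same two caps are the properties to look for when auditing any recursive rule interpreter that consumes untrusted input.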
--- Begin Message ---
Source: file
Source-Version: 1:5.17-0.1

We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 738...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christoph Biedl <debian.a...@manchmal.in-ulm.de> (supplier of updated file package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Fri, 14 Feb 2014 00:29:32 +0100
Source: file
Binary: file file-dbg libmagic1 libmagic-dev python-magic python3-magic
Architecture: source amd64 all
Version: 1:5.17-0.1
Distribution: unstable
Urgency: high
Maintainer: Hilko Bengen <ben...@debian.org>
Changed-By: Christoph Biedl <debian.a...@manchmal.in-ulm.de>
Description: 
 file       - Determines file type using "magic" numbers
 file-dbg   - Determines file type using "magic" numbers (debug)
 libmagic-dev - File type determination library using "magic" numbers (developmen
 libmagic1  - File type determination library using "magic" numbers
 python-magic - File type determination library using "magic" numbers (Python bin
 python3-magic - File type determination library using "magic" numbers (Python 3 b
Closes: 738832
Changes: 
 file (1:5.17-0.1) unstable; urgency=high
 .
   * Non-maintainer upload.
   * urgency set to high to fix CVE-2014-1943
   * New upstream version 5.17, Closes: #738832
     - Dropped 0013-eliminate-global-var.patch: applied upstream


--- End Message ---