Package: file
Version: 4.19-1
Severity: grave
Tags: security
X-Debbugs-Cc: [EMAIL PROTECTED]

According to the changelog included in the GNU file 4.20 tarball at
<ftp://ftp.gw.com/mirrors/pub/unix/file/>, this version includes a
security fix:

2007-02-08 17:30 Christos Zoulas <[EMAIL PROTECTED]>

        * fix integer underflow in file_printf which can lead to
          exploitable heap overflow (Jean-Sebastien Guay-Lero)

I have not seen this receive any publicity. A quick Google seems to
confirm this.

The release announcement with pertinent ChangeLog is also at
<http://mx.gw.com/pipermail/file/2007/000161.html> if you don't want to
grab the full tarball.

Sorry if I have assigned an inflated severity; I suppose it's better at
this point to exaggerate than to downplay. The instructions at
<http://www.debian.org/Bugs/Developer#severities> suggest "grave" for a
bug which "introduces a security hole allowing access to the accounts of
users who use the package". I'm not sure about "introduces" (it likely
existed before?) and without an isolated patch, it's hard to assess the
exact scope of the vulnerability, even for someone more skilled than
myself.

</piglet panics>

/* era */

-- 
If this were a real .signature, it would suck less.  Well, maybe not.
