Your message dated Mon, 02 Apr 2007 12:02:05 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#416678: fixed in file 4.17-5etch1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: file
Version: 4.19-1
Severity: grave
Tags: security
X-Debbugs-Cc: [EMAIL PROTECTED]
According to the changelog included in the GNU file 4.20 tarball at
<ftp://ftp.gw.com/mirrors/pub/unix/file/>, this version includes a
security fix:
2007-02-08 17:30 Christos Zoulas <[EMAIL PROTECTED]>
* fix integer underflow in file_printf which can lead to
to exploitable heap overflow (Jean-Sebastien Guay-Lero)
I have not seen this receive any publicity. A quick Google seems to
confirm this.
The release announcement with pertinent ChangeLog is also at
<http://mx.gw.com/pipermail/file/2007/000161.html> if you don't want to
grab the full tarball.
Sorry if I have assigned an inflated severity; I suppose it's better at
this point to exaggerate than to downplay. The instructions at
<http://www.debian.org/Bugs/Developer#severities> suggest "grave" for a
bug which "introduces a security hole allowing access to the accounts of
users who use the package". I'm not sure about "introduces" (it likely
existed before?) and without an isolated patch, it's hard to assess the
exact scope of the vulnerability, even for someone more skilled than
myself.
</piglet panics>
/* era */
--
If this were a real .signature, it would suck less. Well, maybe not.
--- End Message ---
--- Begin Message ---
Source: file
Source-Version: 4.17-5etch1
We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive:
file_4.17-5etch1.diff.gz
to pool/main/f/file/file_4.17-5etch1.diff.gz
file_4.17-5etch1.dsc
to pool/main/f/file/file_4.17-5etch1.dsc
file_4.17-5etch1_i386.deb
to pool/main/f/file/file_4.17-5etch1_i386.deb
libmagic-dev_4.17-5etch1_i386.deb
to pool/main/f/file/libmagic-dev_4.17-5etch1_i386.deb
libmagic1_4.17-5etch1_i386.deb
to pool/main/f/file/libmagic1_4.17-5etch1_i386.deb
python-magic_4.17-5etch1_i386.deb
to pool/main/f/file/python-magic_4.17-5etch1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Daniel Baumann <[EMAIL PROTECTED]> (supplier of updated file package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 29 Mar 2007 20:28:00 +0200
Source: file
Binary: libmagic1 file libmagic-dev python-magic
Architecture: source i386
Version: 4.17-5etch1
Distribution: testing-security
Urgency: high
Maintainer: Michael Piefel <[EMAIL PROTECTED]>
Changed-By: Daniel Baumann <[EMAIL PROTECTED]>
Description:
file - Determines file type using "magic" numbers
libmagic-dev - File type determination library (development)
libmagic1 - File type determination library using "magic" numbers
python-magic - Python binding for the magic library
Closes: 415362 416678
Changes:
file (4.17-5etch1) testing-security; urgency=high
.
* Applied patch from upstream to src/file.h, src/funcs.c and src/magic.c to
fix integer underflow in file_printf which can lead to to exploitable heap
overflow CVE-2007-1536 (Closes: #415362, #416678).
Files:
951d84ef18e8738d58cda73d1680ce66 693 utils standard file_4.17-5etch1.dsc
50919c65e0181423d66bb25d7fe7b0fd 556270 utils standard file_4.17.orig.tar.gz
ef79b92b6d0d4af9985200abb3eb24f5 24145 utils standard file_4.17-5etch1.diff.gz
e016c717ba5d75feede13eeeab5f7cf3 31714 utils standard file_4.17-5etch1_i386.deb
73727e6a1bee1b2050fe7d010fb832d2 275476 libs standard
libmagic1_4.17-5etch1_i386.deb
cb34870b1e90d01a8cf7894b8b2b3559 53782 libdevel optional
libmagic-dev_4.17-5etch1_i386.deb
d4f1bd064d6531149b5b643b102bf1da 22632 python extra
python-magic_4.17-5etch1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGDAWr+C5cwEsrK54RAn77AJ42x2xTNTSdoRzeYvksNarsEfGZiQCeJ156
1RYSbzo2MyFh++yQYwPbi4s=
=2di1
-----END PGP SIGNATURE-----
--- End Message ---
