oss-sec mailing list archives
Re: Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables
From: Stuart Henderson <stu () spacehopper org>
Date: Thu, 13 Mar 2014 11:24:33 +0000
On 2014/03/05 12:07, cve-assign () mitre org wrote:
> Use CVE-2014-2270. A CVE ID seems worthwhile because of possible libmagic use cases. "file can be made to crash" is typically not security-relevant on its own (a user can recover from this by not continuing to run file on the same crafted file). We're not sure whether any distribution has packages that rely on server-side use of libmagic, or whether it's common to have long-running processes that use libmagic with untrusted input.

file(1)/libmagic certainly have a security impact; for example, they are used by various mail anti-virus checkers like MailScanner and amavisd-new, and also some IDS/honeypot software (Bro, Nepenthes), all of which are expected to handle at best untrustworthy, at worst downright malicious input.