oss-sec mailing list archives

Re: Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables

From: Stuart Henderson <stu () spacehopper org>
Date: Thu, 13 Mar 2014 11:24:33 +0000

On 2014/03/05 12:07, cve-assign () mitre org wrote:

Use CVE-2014-2270.

A CVE ID seems worthwhile because of possible libmagic use cases.

"file can be made to crash" is typically not security-relevant on its
own (a user can recover from this by not continuing to run file on the
same crafted file). We're not sure whether any distribution has
packages that rely on server-side use of libmagic, or whether it's
common to have long-running processes that use libmagic with untrusted
input.


file(1)/libmagic certainly have a security impact, for example they
are used by various mail anti-virus checkers like MailScanner and
amavisd-new, also some IDS/honeypot software (Bro, Nepenthes), all
of which are expected to handle at best untrustworthy, at worst
downright malicious input.

Current thread:

CVE Request: file: crashes when checking softmagic for some corrupt PE executables Salvatore Bonaccorso (Mar 03)
- Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables cve-assign (Mar 05)
  - Re: Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables Salvatore Bonaccorso (Mar 05)
    - Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables cve-assign (Mar 05)
  - Re: Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables Stuart Henderson (Mar 13)
- <Possible follow-ups>
- Re: Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables mancha (Mar 05)
  - Re: Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables Remi Collet (Mar 06)