
[SRM] file 4.17-5etch2


There was some possible DoS attack with an OS/2 magic of file
discovered, namely CVE-2007-2026. The security team said it doesn't
warrant issuing a DSA, that's why I'd like to update it through etch
r1; debdiff is attached.


Address:        Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email:          daniel.baumann@panthera-systems.net
Internet:       http://people.panthera-systems.net/~daniel-baumann/
diff -u file-4.17/debian/changelog file-4.17/debian/changelog
--- file-4.17/debian/changelog
+++ file-4.17/debian/changelog
@@ -1,3 +1,11 @@
+file (4.17-5etch2) stable; urgency=medium
+  * Applied patch from Werner Fink <werner@suse.de> from OpenSuse to fix
+    OS2 REXX magic in magic/Magdir/msdos which can lead to a DoS
+    CVE-2007-2026.
+ -- Daniel Baumann <daniel@debian.org>  Thu, 17 May 2007 20:21:00 +0200
 file (4.17-5etch1) testing-security; urgency=high
   * Applied patch from upstream to src/file.h, src/funcs.c and src/magic.c to
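Review bot: the changelog entry names the CVE but does not say what the fix actually changes, which is what an SRM reviewer needs to judge a stable update; consider stating that the unbounded `\\s*`, `\s+` and `.*` quantifiers in the two OS/2 REXX regex lines of magic/Magdir/msdos are replaced with bounded `{0,255}`/`{1,99}` ranges, e.g. `* Bound the quantifiers in the OS/2 REXX regex magic (magic/Magdir/msdos) so a crafted input cannot make file(1) spend unbounded time matching (CVE-2007-2026).` Also, "OpenSuse" is normally spelled "openSUSE", and "OS2" should be "OS/2" to match the comment in the magic file itself.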
diff -u file-4.17/magic/Magdir/msdos file-4.17/magic/Magdir/msdos
--- file-4.17/magic/Magdir/msdos
+++ file-4.17/magic/Magdir/msdos
@@ -14,8 +14,8 @@
 # OS/2 batch files are REXX. the second regex is a bit generic, oh well
 # the matched commands seem to be common in REXX and uncommon elsewhere
-100 regex/c =^\\s*call\s+rxfuncadd.*sysloadfu OS/2 REXX batch file text
-100 regex/c =^\\s*say\ ['"] OS/2 REXX batch file text
+100 regex/c =^\\s{0,255}call\\s{1,99}rxfuncadd OS/2 REXX batch file text
+100 regex/c =^\\s{0,255}say\ ['"] OS/2 REXX batch file text
 0	leshort		0x14c	MS Windows COFF Intel 80386 object file
 #>4	ledate		x	stamp %s
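Review bot: the first replacement line changes matching behaviour beyond bounding the quantifiers: the old `.*sysloadfu` tail is dropped, so any line beginning with `call rxfuncadd` now matches regardless of what follows, which widens the match and should be mentioned in the changelog (and the "the second regex is a bit generic" comment above it is now understating things, since the first regex is more generic too). The bounded `\\s{0,255}` and `\\s{1,99}` ranges are the actual mitigation: the previous `\\s*` and `\s+` let the regex engine work through an arbitrarily long whitespace run, which is the DoS the entry refers to, and the new line also fixes the inconsistent escaping of the old one (`\\s*` in one place, `\s+` in the other) by using `\\s` throughout. The second line only swaps `\\s*` for `\\s{0,255}` and is otherwise unchanged, which is fine.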
