[SRM] file 4.17-5etch2
Hi,
there was some possible DoS attack with an OS/2 magic of file
discovered, CVE-2007-2026 namely. The security team said it doesn't
warrant issuing a DSA, that's why I'd like to update it through etch
r1, debdiff is attached.
Regards,
Daniel
--
Address: Daniel Baumann, Burgunderstrasse 3, CH-4562 Biberist
Email: daniel.baumann@panthera-systems.net
Internet: http://people.panthera-systems.net/~daniel-baumann/
diff -u file-4.17/debian/changelog file-4.17/debian/changelog
--- file-4.17/debian/changelog
+++ file-4.17/debian/changelog
@@ -1,3 +1,11 @@
+file (4.17-5etch2) stable; urgency=medium
+
+ * Applied patch from Werner Fink <werner@suse.de> from OpenSuse to fix
+ OS2 REXX magic in magic/Magdir/msdos which can lead to a DoS
+ CVE-2007-2026.
+
+ -- Daniel Baumann <daniel@debian.org> Thu, 17 May 2007 20:21:00 +0200
+
file (4.17-5etch1) testing-security; urgency=high
* Applied patch from upstream to src/file.h, src/funcs.c and src/magic.c to
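Review bot: the new 4.17-5etch2 entry names the file and the CVE but does not say what was changed in magic/Magdir/msdos, so someone reading only the changelog cannot tell that the fix replaces unbounded repetitions in the two OS/2 REXX regexes with bounded ones. Suggest stating that in the entry, and setting the CVE id off from the sentence, for example "which can lead to a DoS (CVE-2007-2026)".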
diff -u file-4.17/magic/Magdir/msdos file-4.17/magic/Magdir/msdos
--- file-4.17/magic/Magdir/msdos
+++ file-4.17/magic/Magdir/msdos
@@ -14,8 +14,8 @@
# OS/2 batch files are REXX. the second regex is a bit generic, oh well
# the matched commands seem to be common in REXX and uncommon elsewhere
-100 regex/c =^\\s*call\s+rxfuncadd.*sysloadfu OS/2 REXX batch file text
-100 regex/c =^\\s*say\ ['"] OS/2 REXX batch file text
+100 regex/c =^\\s{0,255}call\\s{1,99}rxfuncadd OS/2 REXX batch file text
+100 regex/c =^\\s{0,255}say\ ['"] OS/2 REXX batch file text
0 leshort 0x14c MS Windows COFF Intel 80386 object file
#>4 ledate x stamp %s
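Review bot: the first replacement rule does more than bound the whitespace: it also drops the trailing `.*sysloadfu`, so it now matches any line that starts with `call rxfuncadd` and no longer requires `sysloadfu` later on the line. That removes the unbounded `.*`, but it also loosens the match, while the comment above still describes only the second regex as generic. Suggest updating that comment to cover both rules, and adding a short note on why 255 and 99 were chosen as the repetition bounds, since the two limits differ without explanation.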