Bug 171452 - sys-apps/file < 4.20 integer underflow (CVE-2007-1536)
Bug#: 171452 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: py@gentoo.org
Component: Vulnerabilities
URL:  http://secunia.com/advisories/24548/
Summary: sys-apps/file < 4.20 integer underflow (CVE-2007-1536)
Keywords:  
Status Whiteboard: A2 [glsa] p-y
Opened: 2007-03-19 16:38 0000
Description:   Opened: 2007-03-19 16:38 0000 
Jean-Sebastien Guay-Lero has reported a vulnerability in file, which
potentially can be exploited by malicious people to compromise a vulnerable
system.

The vulnerability is caused due to an unspecified integer underflow
within the "file_printf" function, which can be exploited to cause a
heap-based buffer overflow.

versions < 4.20 are vulnerable.

Arches, please stabilize sys-apps/file-4.20. Thanks.

------- Comment #1 From solar 2007-03-19 17:14:07 0000 ------- 
just a note. that file-4.20 does not compile on uClibc (non posix regex
defines) It introduces new features which our team has yet had time to review.

A backported fix might be better

------- Comment #2 From solar 2007-03-19 17:48:29 0000 ------- 
It will compile with a small patch that adds.
#ifndef REG_STARTEND
# define REG_STARTEND (1 << 2)
#endif

------- Comment #3 From Jeroen Roovers 2007-03-20 02:02:01 0000 ------- 
No uclibc for HPPA, so I keyworded 4.20.

------- Comment #4 From Markus Rothe 2007-03-21 11:54:10 0000 ------- 
no uclibc on ppc64 either, so stable there, too.

------- Comment #5 From Jose Luis Rivero (yoswink) 2007-03-21 18:33:42 0000 ------- 
no uclibc on alpha, no cookie.
4.20 stable anyway.

------- Comment #6 From Christoph Mende 2007-03-21 23:18:36 0000 ------- 
emerges fine and works on amd64, not sure about that uclibc thingy since
there's only uclibc++ on amd64

Portage 2.1.2.2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0,
2.6.20-beyond2 x86_64)
=================================================================
System uname: 2.6.20-beyond2 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor
4600+
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 21 Mar 2007 21:50:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.4-r6
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf
/etc/java-config/vms/ /etc/php/apache1-php5/ext-active/
/etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/
/etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig buildsyspkg ccache collision-protect distlocks
metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/
ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo
ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/
ftp://ftp.gentoo.mesh-solutions.com/gentoo/
ftp://pandemonium.tiscali.de/pub/gentoo/ "
LANG="en_US.ISO-8859-15"
LC_ALL="en_US.ISO-8859-15"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/overlay"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac acpi alsa amd64 amr audiofile berkdb bitmap-fonts bzip2 cairo
cdinstall cdr cli cracklib crypt cups dbus dri dts dvd dvdr dvdread eds emboss
encode fam firefox fortran gdbm gif gpm gstreamer gtk gtk2 hal iconv jpeg ldap
libg++ lirc logrotate mad midi mikmod mp3 mpeg ncurses nls nptl nptlonly
offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection
sdl session smp socks5 spl ssl svg symlink tcpd test tiff truetype
truetype-fonts type1-fonts unicode v4l vim vorbis x264 xinerama xorg xv xvid
zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare
dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw
multi null plug rate route share shm softvol" ELIBC="glibc"
INPUT_DEVICES="evdev keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz
cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIRC_DEVICES="inputlirc" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS,
PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS

------- Comment #7 From Steve Dibb 2007-03-22 02:15:32 0000 ------- 
amd64 stable anyway

------- Comment #8 From Chris Gianelloni (RETIRED) 2007-03-22 22:10:12 0000 ------- 
solar: any word?

------- Comment #9 From SpanKY 2007-03-22 22:51:54 0000 ------- 
dont worry about the uclibc profile, it will be accounted for ... stabilize for
glibc/default-linux as normal

------- Comment #10 From Christian Faulhammer 2007-03-23 07:22:38 0000 ------- 
x86 goes stable then

------- Comment #11 From Gustavo Zacarias (RETIRED) 2007-03-23 13:07:11 0000 ------- 
okie dokie sparc stable.

------- Comment #12 From Tobias Scherbaum 2007-03-23 18:44:51 0000 ------- 
ppc stable

------- Comment #13 From Pierre-Yves Rofes 2007-03-23 18:50:37 0000 ------- 
thanks arches, ready for glsa.

------- Comment #14 From Raphael Marichez 2007-03-30 20:53:39 0000 ------- 
GLSA 200703-26, thanks to everybody!

------- Comment #15 From Roy Marples (RETIRED) 2007-05-24 01:30:11 0000 ------- 
*** Bug 179583 has been marked as a duplicate of this bug. ***