A vulnerability and a security issue have been reported in Amavis, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially to compromise a vulnerable system.

1) An integer underflow error in the "file" utility can be exploited to cause a heap-based buffer overflow.
For more information: SA24548

2) The problem is caused due to certain regular expressions in "file", which can consume all available CPU resources when identifying a specially crafted file.
For more information: SA24918

Solution: The vendor recommends updating to file version 4.21 or later and editing the "magic" file (see vendor advisory for details).

Provided and/or discovered by: Reported by the vendor.

Original Advisory: http://www.amavis.org/security/asa-2007-3.txt

Other References:
SA24548: http://secunia.com/advisories/24548/
SA24918: http://secunia.com/advisories/24918/

Reproducible: Always
maintainers - please advise and bump as necessary
AFAIK amavisd-new doesn't bundle the file. The advisory is just to warn amavisd-new users to upgrade sys-apps/file.
*** This bug has been marked as a duplicate of bug 179583 ***
Not really a dupe. Point 4 in the linked advisory (CVE-2007-2026) is not fixed with 4.21.
Well the CVE-2007-2026 issue was fixed on bug #174217, so now another dupe :-) Feel free to reopen if I missed anything.
*** This bug has been marked as a duplicate of bug 174217 ***