Date: Thu, 13 Mar 2014 11:24:33 +0000
From: Stuart Henderson <stu@...cehopper.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE Request: file: crashes when checking softmagic for some corrupt PE executables

On 2014/03/05 12:07, cve-assign@...re.org wrote:
> Use CVE-2014-2270.
>
> A CVE ID seems worthwhile because of possible libmagic use cases.
>
> "file can be made to crash" is typically not security-relevant on its
> own (a user can recover from this by not continuing to run file on the
> same crafted file). We're not sure whether any distribution has
> packages that rely on server-side use of libmagic, or whether it's
> common to have long-running processes that use libmagic with untrusted
> input.

file(1)/libmagic certainly have a security impact, for example they
are used by various mail anti-virus checkers like MailScanner and
amavisd-new, also some IDS/honeypot software (Bro, Nepenthes), all of
which are expected to handle at best untrustworthy, at worst downright
malicious input.