Date: Thu, 13 Mar 2014 11:24:33 +0000
From: Stuart Henderson <stu@...cehopper.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE Request: file: crashes when checking
 softmagic for some corrupt PE executables

On 2014/03/05 12:07, cve-assign@...re.org wrote:
> Use CVE-2014-2270.
> 
> A CVE ID seems worthwhile because of possible libmagic use cases.
> 
> "file can be made to crash" is typically not security-relevant on its
> own (a user can recover from this by not continuing to run file on the
> same crafted file). We're not sure whether any distribution has
> packages that rely on server-side use of libmagic, or whether it's
> common to have long-running processes that use libmagic with untrusted
> input.

file(1)/libmagic certainly have a security impact, for example they
are used by various mail anti-virus checkers like MailScanner and
amavisd-new, also some IDS/honeypot software (Bro, Nepenthes), all
of which are expected to handle at best untrustworthy, at worst
downright malicious input.
