[Security Announce] [ MDKSA-2007:067 ] - Updated file packages fix heap-based buffer overflow vulnerability
Posted on: 03/22/2007 10:45 PM

The Mandriva Security Team published a new security update for Mandriva Linux. Here is the announcement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDKSA-2007:067
http://www.mandriva.com/security/
_______________________________________________________________________

Package : file
Date : March 22, 2007
Affected: 2006.0, 2007.0, Corporate 3.0, Corporate 4.0,
Multi Network Firewall 2.0
_______________________________________________________________________

Problem Description:

Jean-Sebastien Guay-Leroux discovered an integer underflow in the
file_printf() function in file prior to 4.20 that allows user-assisted
attackers to execute arbitrary code via a file that triggers a
heap-based buffer overflow.

Updated packages have been patched to address this issue.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2006.0:
6776fdab0b30ff408291c8b60eaa5914 2006.0/i586/file-4.14-2.2.20060mdk.i586.rpm
de3e126e2309c381967c83ee00a1549f 2006.0/i586/libmagic1-4.14-2.2.20060mdk.i586.rpm
76d7885a0646fc3f4ccefa2d1f39c52d 2006.0/i586/libmagic1-devel-4.14-2.2.20060mdk.i586.rpm
d9b880001c57222a32d3ee7983bbe41d 2006.0/i586/libmagic1-static-devel-4.14-2.2.20060mdk.i586.rpm
faf0311fd9add5ab90fd4794d458d5df 2006.0/SRPMS/file-4.14-2.2.20060mdk.src.rpm

Mandriva Linux 2006.0/X86_64:
778972de9f0b948065e3a740762335ea 2006.0/x86_64/file-4.14-2.2.20060mdk.x86_64.rpm
d198f2b7b93b6453927cfb82ebd7be03 2006.0/x86_64/lib64magic1-4.14-2.2.20060mdk.x86_64.rpm
f39321c70228c4720d7839d23bd4f257 2006.0/x86_64/lib64magic1-devel-4.14-2.2.20060mdk.x86_64.rpm
77672f3f381c93138d4eeb5bf029634b 2006.0/x86_64/lib64magic1-static-devel-4.14-2.2.20060mdk.x86_64.rpm
faf0311fd9add5ab90fd4794d458d5df 2006.0/SRPMS/file-4.14-2.2.20060mdk.src.rpm

Mandriva Linux 2007.0:
051e3ba9cc68605b812ee7b49db6912e 2007.0/i586/file-4.17-2.1mdv2007.0.i586.rpm
df3c8c4fa46b317a6d82b58b2645af06 2007.0/i586/libmagic1-4.17-2.1mdv2007.0.i586.rpm
3b89edfb298db832a00bdc8004050c70 2007.0/i586/libmagic1-devel-4.17-2.1mdv2007.0.i586.rpm
ab34afc24bba86ba683a07a829c291ce 2007.0/i586/libmagic1-static-devel-4.17-2.1mdv2007.0.i586.rpm
da97885fa8cef50b1a7197cd3bedda88 2007.0/i586/python-magic-4.17-2.1mdv2007.0.i586.rpm
b6711ae1487bff595f23644888a21200 2007.0/SRPMS/file-4.17-2.1mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
92037616ceeb9422321aefcb92b4592d 2007.0/x86_64/file-4.17-2.1mdv2007.0.x86_64.rpm
a0714daf434333daf0cc94e793fb2fa5 2007.0/x86_64/lib64magic1-4.17-2.1mdv2007.0.x86_64.rpm
ec4d6e8f36c517775544d9b82e1c2c3c 2007.0/x86_64/lib64magic1-devel-4.17-2.1mdv2007.0.x86_64.rpm
911a45da5e03afce2e6cf893821523c0 2007.0/x86_64/lib64magic1-static-devel-4.17-2.1mdv2007.0.x86_64.rpm
d5553c829bb5c105eb8956c30c982b56 2007.0/x86_64/python-magic-4.17-2.1mdv2007.0.x86_64.rpm
b6711ae1487bff595f23644888a21200 2007.0/SRPMS/file-4.17-2.1mdv2007.0.src.rpm

Corporate 3.0:
96a903348d6fcbf9c1148b40c33bfa84 corporate/3.0/i586/file-4.07-3.1.C30mdk.i586.rpm
91f98b7967a67cd84997bc1a4b4c3ac0 corporate/3.0/i586/libmagic1-4.07-3.1.C30mdk.i586.rpm
cdd298669d1887162dcfc85f64ee0026 corporate/3.0/i586/libmagic1-devel-4.07-3.1.C30mdk.i586.rpm
b76cebb89bd62cdbed02074bf08862c9 corporate/3.0/i586/libmagic1-static-devel-4.07-3.1.C30mdk.i586.rpm
d4277fc37c32f5c3916c4223d09bcdf5 corporate/3.0/SRPMS/file-4.07-3.1.C30mdk.src.rpm

Corporate 3.0/X86_64:
4f16f2ea06e12ba3b34b53b4cf37c767 corporate/3.0/x86_64/file-4.07-3.1.C30mdk.x86_64.rpm
ea2133f4651a6538478586246c76a37c corporate/3.0/x86_64/lib64magic1-4.07-3.1.C30mdk.x86_64.rpm
ebc3400c433d97f7638283412ee7dfb8 corporate/3.0/x86_64/lib64magic1-devel-4.07-3.1.C30mdk.x86_64.rpm
6edd04c7d038b9793c3703a24a6e4e24 corporate/3.0/x86_64/lib64magic1-static-devel-4.07-3.1.C30mdk.x86_64.rpm
d4277fc37c32f5c3916c4223d09bcdf5 corporate/3.0/SRPMS/file-4.07-3.1.C30mdk.src.rpm

Corporate 4.0:
1fef1c38e699bc9bf2a12e133ab58d72 corporate/4.0/i586/file-4.14-2.2.20060mlcs4.i586.rpm
25d61edd905d5d5fc98fa26f94133e3d corporate/4.0/i586/libmagic1-4.14-2.2.20060mlcs4.i586.rpm
7b66b10bfbc1882f34cc35ae2a028b06 corporate/4.0/i586/libmagic1-devel-4.14-2.2.20060mlcs4.i586.rpm
98b0564830191b3e5633e72673ada514 corporate/4.0/i586/libmagic1-static-devel-4.14-2.2.20060mlcs4.i586.rpm
06fb5a02819a65a8846a92cb5cb7e103 corporate/4.0/SRPMS/file-4.14-2.2.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
5da9885c6eceeae1048efea7e5fb1f6a corporate/4.0/x86_64/file-4.14-2.2.20060mlcs4.x86_64.rpm
af453ecc1eeb2ac69d8f4cb286b45605 corporate/4.0/x86_64/lib64magic1-4.14-2.2.20060mlcs4.x86_64.rpm
cb9a0c1590b1acebe42b3cd545b58bc2 corporate/4.0/x86_64/lib64magic1-devel-4.14-2.2.20060mlcs4.x86_64.rpm
abbaa0bb2698c9e035267ce6a3e1f056 corporate/4.0/x86_64/lib64magic1-static-devel-4.14-2.2.20060mlcs4.x86_64.rpm
06fb5a02819a65a8846a92cb5cb7e103 corporate/4.0/SRPMS/file-4.14-2.2.20060mlcs4.src.rpm

Multi Network Firewall 2.0:
1a3e63e7cf57e63af8c166280da3ce0f mnf/2.0/i586/file-4.07-3.1.M20mdk.i586.rpm
4830b9b5c5ac238f16bedc8e919cd61e mnf/2.0/i586/libmagic1-4.07-3.1.M20mdk.i586.rpm
d9b5cdb19d1a4178a072a380a83183df mnf/2.0/i586/libmagic1-devel-4.07-3.1.M20mdk.i586.rpm
86268a4fcbc5ca421a022afb019deace mnf/2.0/i586/libmagic1-static-devel-4.07-3.1.M20mdk.i586.rpm
b23438938f6cefd35a6afd7252fed8a5 mnf/2.0/SRPMS/file-4.07-3.1.M20mdk.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFGAr0AmqjQ0CJFipgRArybAKCBaU4f4ZglTOxhb9RV4uY33WBxxgCcC1MH
W1KsHMdOvPkHm2esY3vcNNY=
=zl9H
-----END PGP SIGNATURE-----
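
An added illustration of the bug class named in the Problem Description above: an unsigned length underflow in a printf-style output buffer, which is how a heap-based overflow of this kind arises. It is not part of the Mandriva advisory and is not file's source code; struct outbuf, left_after_unchecked() and outbuf_printf() are hypothetical names used only for this sketch.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical output buffer: a model of the bug class, not file's source. */
struct outbuf {
    char  *buf;   /* heap allocation */
    size_t size;  /* bytes allocated */
    size_t used;  /* bytes written, excluding the terminating NUL */
};

/* Unchecked bookkeeping: if need > left, the unsigned subtraction wraps. */
size_t left_after_unchecked(size_t left, size_t need) { return left - need; }

/* Hardened append: measure, validate, grow, then write. Returns 0 or -1. */
int outbuf_printf(struct outbuf *o, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);       /* length needed, without NUL */
    va_end(ap);
    if (n < 0) return -1;                      /* error: never use as a size */
    size_t need = (size_t)n;
    if (need >= SIZE_MAX - o->used) return -1; /* used + need + 1 would wrap */
    size_t want = o->used + need + 1;
    if (want > o->size) {
        size_t nsize = o->size ? o->size : 16;
        while (nsize < want)
            nsize = (nsize > SIZE_MAX / 2) ? want : nsize * 2;
        char *p = realloc(o->buf, nsize);
        if (p == NULL) return -1;              /* old buffer stays valid */
        o->buf = p; o->size = nsize;
    }
    va_start(ap, fmt);
    vsnprintf(o->buf + o->used, o->size - o->used, fmt, ap);
    va_end(ap);
    o->used += need;                           /* size - used cannot underflow */
    return 0;
}

int main(void)
{
    struct outbuf o = {0};
    printf("8 - 20 as size_t = %zu\n", left_after_unchecked(8, 20));
    if (outbuf_printf(&o, "%s", "ELF 32-bit LSB executable") == 0)
        printf("%s (%zu of %zu bytes)\n", o.buf, o.used, o.size);
    free(o.buf);
    return 0;
}
```

The wrapped value is what a later length-limited write would trust as "space remaining"; the hardened version never subtracts a length it has not first compared against the allocation.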



Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/security_announce_mdksa_2007067__updated_file_packages_fix_heap_based_buffer_overflow_vulnerability.html)