Date: Thu, 24 May 2007 00:10:35 -0700 From: Colin Percival <cperciva@freebsd.org> To: "M. Warner Losh" <imp@bsdimp.com> Cc: freebsd-arch@freebsd.org Subject: Re: RFC: Removing file(1)+libmagic(3) from the base system Message-ID: <46553A6B.7070904@freebsd.org> In-Reply-To: <20070523.161038.-1989860747.imp@bsdimp.com> References: <46546E16.9070707@freebsd.org> <7158.1179947572@critter.freebsd.dk> <20070523213251.GA14733@keltia.freenix.fr> <20070523.161038.-1989860747.imp@bsdimp.com>
next in thread | previous in thread | raw e-mail | index | archive | help
M. Warner Losh wrote: > I would argue that it would make the system LESS secure, because one > loses the ability to identify files on the system. People are going > to install it anyway, and it is a jump ball as to whether having it in > the base system would cause vulnerabilities to be updated faster than > having it in ports (both the actual update in the system, as well as > the user causing the update to happen: ports are a touch easier to > update, but lag a bit both in terms of people updating their ports > tree and ports committers updating the port). Interestingly, my experience from portsnap is that people tend to update ports more frequently than they apply security patches to the base system. > And for there to be any exploitable vulnerability, the attacker would > need to feed the victum a bogusly formatted file, and cause the victum > to run file on that file. I doubt that the latest security hole will > ever result in a system compromise... You're more optimistic than I am, then. This latest advisory was issued on the basis of "it's a heap overflow in rather messy code, so we really have no idea if it's exploitable". > I guess I fail to see how this is any different than the .gz bugs that > were found a while ago. Nobody suggested removing .gz from the tree > because a few bugs were found. Everybody suggested updating right > away to fix those bugs. File is no different, and really should > remain in the tree. Deflate is one file format which is used quite often. File parses several different formats, including several which are not tested often (i.e., have a much higher chance of including parse bugs). Colin Percival
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46553A6B.7070904>