From owner-freebsd-security Tue Mar 11 9:52: 8 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 888AC37B401; Tue, 11 Mar 2003 09:52:06 -0800 (PST) Received: from hermes.pressenter.com (hermes.pressenter.com [209.224.20.19]) by mx1.FreeBSD.org (Postfix) with ESMTP id 96F1543FCB; Tue, 11 Mar 2003 09:52:05 -0800 (PST) (envelope-from nospam@hiltonbsd.com) Received: from [209.224.36.96] (helo=daggar.sbgnet.net) by hermes.pressenter.com with smtp (Exim 3.16 #1) id 18snv1-00080b-00; Tue, 11 Mar 2003 11:52:04 -0600 Date: Tue, 11 Mar 2003 11:52:15 -0600 From: Stephen Hilton To: "Jacques A. Vidrine" Cc: , Subject: Re: Prov. patch for the file hole ISS disclosed Message-Id: <20030311115215.1628a67b.nospam@hiltonbsd.com> In-Reply-To: <20030311174126.GA57179@madman.celabo.org> References: <200303061415.h26EFlhD004317@device.dyndns.org> <200303061415.h26EFlhD004317@device.dyndns.org> <5.2.0.9.2.20030311113159.0386fea0@localhost> <20030311174126.GA57179@madman.celabo.org> X-Mailer: Sylpheed version 0.8.10 (GTK+ 1.2.10; i386-portbld-freebsd4.8) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 11 Mar 2003 11:41:27 -0600 "Jacques A. Vidrine" wrote: > On Tue, Mar 11, 2003 at 11:34:40AM -0600, Christopher Schulte wrote: > > At 09:41 AM 3/6/2003 -0600, Jacques A. Vidrine wrote: > > >Thanks! However, this has already been fixed in -CURRENT (by import > > >of FILE 3.41). I do not know whether or not David plans to MFC in > > >time for 4.8-RELEASE. > > > > I think this should be merged into the security branches, > > due to possible remote exploit by third party programs that > > use file, such as (at the very least) amavis. > > I tend to agree. > > David? > I am getting ready to do a buildworld today on 4.8-RC and can test a patch if available. Does the patch provided by: Guy Poizat Appear correct ? --------------------------------------------------------------- --- src/contrib/file/readelf.c Sun Nov 26 22:37:21 2000 +++ src/contrib/file/readelf.c.patched Thu Mar 6 15:02:44 2003 @@ -141,6 +141,9 @@ Elf32_Shdr sh32; Elf64_Shdr sh64; + if ( size > ( class == ELFCLASS32 ? sizeof(Elf32_Shdr) : sizeof(Elf64_Shdr) ) ) + return; + if (lseek(fd, off, SEEK_SET) == -1) error("lseek failed (%s).\n", strerror(errno)); ---------------------------------------------------------------- Thanks in advance, Stephen Hilton nospam@hiltonbsd.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message