Package: file
Version: 5.04-5+squeeze2
Severity: important
Tags: security, patch

Hi,

there's a DoS risk in the magic for awk scripts, which causes excessive runtimes of `file` on files which cause lots of backtracking in the regex engine, like files with many, many newlines:

    # dd ibs=1000000 count=1 if=/dev/zero | tr '\0' '\n' > newlines
    # time file newlines
    newlines: ASCII text

    real    3m51.005s
    user    3m50.418s
    sys     0m0.124s

There is a bug report and patch at the upstream bugtracker:
http://bugs.gw.com/view.php?id=164

In Squeeze, the culprit awk-magic comes from debian/patches/101-magic-update-awk.patch. In wheezy, sid and experimental, the regex is part of upstream's magic/Magdir/commands.

Cheers,
Carsten

-- System Information:
Debian Release: 6.0.7
  APT prefers stable
  APT policy: (700, 'stable'), (500, 'stable-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages file depends on:
ii  libc6      2.11.3-4          Embedded GNU C Library: Shared lib
ii  libmagic1  5.04-5+squeeze2   File type determination library us
ii  zlib1g     1:1.2.3.4.dfsg-3  compression library - runtime

file recommends no packages.

file suggests no packages.

-- no debconf information