Your message dated Mon, 19 Mar 2007 14:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#415362: fixed in file 4.20-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: file
Version: 4.19-1
Severity: grave
Tags: security
X-Debbugs-Cc: [EMAIL PROTECTED]
According to the changelog included in the GNU file 4.20 tarball at
<ftp://ftp.gw.com/mirrors/pub/unix/file/>, this version includes a
security fix:
2007-02-08 17:30 Christos Zoulas <[EMAIL PROTECTED]>
* fix integer underflow in file_printf which can lead to
to exploitable heap overflow (Jean-Sebastien Guay-Lero)
I have not seen this receive any publicity. A quick Google seems to
confirm this.
The release announcement with pertinent ChangeLog is also at
<http://mx.gw.com/pipermail/file/2007/000161.html> if you don't want to
grab the full tarball.
Sorry if I have assigned an inflated severity; I suppose it's better at
this point to exaggerate than to downplay. The instructions at
<http://www.debian.org/Bugs/Developer#severities> suggest "grave" for a
bug which "introduces a security hole allowing access to the accounts of
users who use the package". I'm not sure about "introduces" (it likely
existed before?) and without an isolated patch, it's hard to assess the
exact scope of the vulnerability, even for someone more skilled than
myself.
</piglet panics>
/* era */
--
If this were a real .signature, it would suck less. Well, maybe not.
--- End Message ---
--- Begin Message ---
Source: file
Source-Version: 4.20-1
We believe that the bug you reported is fixed in the latest version of
file, which is due to be installed in the Debian FTP archive:
file_4.20-1.diff.gz
to pool/main/f/file/file_4.20-1.diff.gz
file_4.20-1.dsc
to pool/main/f/file/file_4.20-1.dsc
file_4.20-1_i386.deb
to pool/main/f/file/file_4.20-1_i386.deb
file_4.20.orig.tar.gz
to pool/main/f/file/file_4.20.orig.tar.gz
libmagic-dev_4.20-1_i386.deb
to pool/main/f/file/libmagic-dev_4.20-1_i386.deb
libmagic1_4.20-1_i386.deb
to pool/main/f/file/libmagic1_4.20-1_i386.deb
python-magic_4.20-1_i386.deb
to pool/main/f/file/python-magic_4.20-1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Piefel <[EMAIL PROTECTED]> (supplier of updated file package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 19 Mar 2007 14:55:46 +0100
Source: file
Binary: libmagic1 file libmagic-dev python-magic
Architecture: source i386
Version: 4.20-1
Distribution: unstable
Urgency: high
Maintainer: Michael Piefel <[EMAIL PROTECTED]>
Changed-By: Michael Piefel <[EMAIL PROTECTED]>
Description:
file - Determines file type using "magic" numbers
libmagic-dev - File type determination library (development)
libmagic1 - File type determination library using "magic" numbers
python-magic - Python binding for the magic library
Closes: 308394 324889 339618 345834 366986 392009 393775 394514 394523 401839
402058 402062 409895 415362
Changes:
file (4.20-1) unstable; urgency=high
.
* New upstream version
- Fixes supposed vulnerability in the file_fprintf in funcs.c
(closes: #415362 and justifies urgency)
- MPEG ADTS signedness fixed (closes: #392009)
- Better TeX/LaTeX magic (closes: #402062)
- Better XML mimetype magic (closes: #345834)
- More linespacing in manpage (closes: #402058)
* Revert URL in copyright file (see #406820), as the old one is supposed to
be correct, even if it disappeared temporarily.
* Fixed typo in manpage (closes: #394514)
* Make Perl script entries consistent (closes: #394523)
* Disable second MS Installer entry (closes: #409895)
* Disable one-byte magic for COM (closes: #393775, #339618)
* audio/midi mimetype (closes: #401839)
* Enable gzip mimetype magic (closes: #324889)
* Disabled some QuickTime entries (ASCII words, closes: #366986, #308394)
Files:
17a102e193d7cd5bc6c29bd17ae86244 683 utils standard file_4.20-1.dsc
402bdb26356791bd5d277099adacc006 548393 utils standard file_4.20.orig.tar.gz
f771950fc68189af186ff75359dabd9b 24033 utils standard file_4.20-1.diff.gz
701521811d46f3235a402c1de57c0e51 34688 utils standard file_4.20-1_i386.deb
422ee52caabefc1f89e7e3643f281adf 319604 libs standard libmagic1_4.20-1_i386.deb
128c90a0c5b818f5d813e39a432c7b96 61288 libdevel optional
libmagic-dev_4.20-1_i386.deb
344671b12e05c1f2b9c4408029b32ef8 25012 python extra
python-magic_4.20-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFF/pn15GwONXmN2VwRAviwAJ9j4bQ+7E+Ec3oSud2FikjOd3dacgCdHp9E
5WiQFQ/99qi2+YmMyvc9bDY=
=K3D2
-----END PGP SIGNATURE-----
--- End Message ---
