U radu programskog paketa uočeno je da dolazi do višestrukog preljeva međuspremika i grešaka vezanih uz neispravno rukovanje pokazivačima (eng. pointer).
Posljedica:
Udaljeni napadač može iskoristiti ranjivosti za napad uskraćivanjem usluga (DoS napad) podmetanjem posebno oblikovane CDF (Composite Document Format) datoteke.
Rješenje:
Svim se korisnicima savjetuje instalacija dostupnih nadogradnji koje ispravljaju navedeni sigurnosni propust.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2012:035
http://www.mandriva.com/security/
_______________________________________________________________________
Package : file
Date : March 23, 2012
Affected: 2010.1, 2011.
_______________________________________________________________________
Problem Description:
Multiple out-of heap-based buffer read flaws and invalid pointer
dereference flaws were found in the way file, utility for determining
of file types processed header section for certain Composite Document
Format (CDF) files. A remote attacker could provide a specially-crafted
CDF file, which once inspected by the file utility of the victim
would lead to file executable crash (CVE-2012-1571).
The updated packages for Mandriva Linux 2011 have been upgraded to
the 5.11 version and the packages for Mandriva Linux 2010.2 has been
patched to correct these issues.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1571
https://bugzilla.redhat.com/show_bug.cgi?id=805197
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
e046dbf91442caf99cd290e961a1e79a 2010.1/i586/file-5.04-1.1mdv2010.2.i586.rpm
5f72f9a498c491ccf2b3955dec5a1b5e
2010.1/i586/libmagic1-5.04-1.1mdv2010.2.i586.rpm
efd9c51f04d9b8d519d38a4be1b76454
2010.1/i586/libmagic-devel-5.04-1.1mdv2010.2.i586.rpm
b8494a53e6c4abdd2a58c7649ee846e7
2010.1/i586/libmagic-static-devel-5.04-1.1mdv2010.2.i586.rpm
af41a4b8feeefe7b4f9764a03b708a43
2010.1/i586/python-magic-5.04-1.1mdv2010.2.i586.rpm
a89ec9ac28ca4a816cf02eb1825e5a6d 2010.1/SRPMS/file-5.04-1.1mdv2010.2.src.rpm
Mandriva Linux 2010.1/X86_64:
c36525b412c19ecf99e87fcea61a3a8c
2010.1/x86_64/file-5.04-1.1mdv2010.2.x86_64.rpm
a06b3d7a197cf7ecbe813707b9bf2e55
2010.1/x86_64/lib64magic1-5.04-1.1mdv2010.2.x86_64.rpm
df2c67277315cd9ae824ef9c59e76749
2010.1/x86_64/lib64magic-devel-5.04-1.1mdv2010.2.x86_64.rpm
b0d4dc2225784a9d429cb320d87b3d0a
2010.1/x86_64/lib64magic-static-devel-5.04-1.1mdv2010.2.x86_64.rpm
8764173bcea21d3a0d9b5615b4cd6bab
2010.1/x86_64/python-magic-5.04-1.1mdv2010.2.x86_64.rpm
a89ec9ac28ca4a816cf02eb1825e5a6d 2010.1/SRPMS/file-5.04-1.1mdv2010.2.src.rpm
Mandriva Linux 2011:
298efc833458e23dfd38f0a4c3cb9dbb 2011/i586/file-5.11-0.1-mdv2011.0.i586.rpm
7909224e6bce5c69b13be4024bff4a6c
2011/i586/libmagic1-5.11-0.1-mdv2011.0.i586.rpm
8dccc3c54ed4728ab9df9165688c3aae
2011/i586/libmagic-devel-5.11-0.1-mdv2011.0.i586.rpm
a2a0629cbb54d7a657804d349f8fd2f2
2011/i586/libmagic-static-devel-5.11-0.1-mdv2011.0.i586.rpm
3fdd1a77e7b0875f7ee2068627f7faec
2011/i586/python-magic-5.11-0.1-mdv2011.0.noarch.rpm
c23e3d320554ae075205852bac0e59c7 2011/SRPMS/file-5.11-0.1.src.rpm
Mandriva Linux 2011/X86_64:
8d99a914447368e9140a27844b6b11fe
2011/x86_64/file-5.11-0.1-mdv2011.0.x86_64.rpm
c901a5e0481679963703a00891dd1d21
2011/x86_64/lib64magic1-5.11-0.1-mdv2011.0.x86_64.rpm
031ec6b0251917c1db595755f76f6907
2011/x86_64/lib64magic-devel-5.11-0.1-mdv2011.0.x86_64.rpm
2dfc40f0bd492ffa774d537b39c84804
2011/x86_64/lib64magic-static-devel-5.11-0.1-mdv2011.0.x86_64.rpm
8bc70f25f615e9d99ddcb40bf13170af
2011/x86_64/python-magic-5.11-0.1-mdv2011.0.noarch.rpm
c23e3d320554ae075205852bac0e59c7 2011/SRPMS/file-5.11-0.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFPbCf/mqjQ0CJFipgRAiraAJ44830vfqeFe6SsUZDKdZkVB38/1QCeMnyW
QbkEsCQe2OpXniXazJbwitY=
=CNeb
-----END PGP SIGNATURE-----
Posljednje sigurnosne preporuke