Contributed by jose on from the strange-but-true dept.
" http://www.idefense.com/advisory/03.04.03.txt

It looks like no -stable updates to file will be provided, but if you run OpenBSD 3.2-stable (and probably 3.1-stable) you may want to roll your own patch for this. Basically, some products run file(1) to figure out how to process unknown data. If you routinely run file(1) on untrusted data, you may want to prepare your own patch. From the looks of things you can drop -current's source code for file(1) into a 3.2 system.

OpenBSD's version of file is 3.22 and therefore vulnerable, but until now there seems to be no errata entry on the OpenBSD site. I finished just cvs'ing 3.2-stable now, but there seem to be no updates to file(1) at all."
By converter () on
Failure to release an official patch to address this issue for the reason Theo implied would be shortsighted and create unnecessary risk for users.
By Anonymous Coward () on
Moral: be farsighted and do not use uid(0) in everyday trade.
By Anonymous Coward () on
The no-care attitude that is being shown by the OBSD development team in this matter is really outrageous.
By RC () on
~/.profile
alias file='systrace file'
By Do Not Disturb Any Further () on
Yup. If they've determined that patching this is not a priority because of a bunch of reasons, that's fine. If it is considered low-risk because of a handful of reasons, that's also fine.
Deciding that it's low-risk and a non-problem because it's an executable that can be run against other arbitrary executables, but won't because "people just don't do that" is lame.
It's an overflow. It can be exploited. Therefore, it will be.
By anders () on
http://www.securityfocus.com/archive/1/314150
By Martin Johansson (martinj@maths.lth.se) on
A quick peek inside file.c reveals the following:
#ifdef BUILTIN_ELF
if (match == 's' && nbytes > 5)
tryelf(fd, buf, nbytes);
#endif
In fact the entire readelf.c file is surrounded by an #ifdef BUILTIN_ELF / #endif pair.
And since BUILTIN_ELF is not defined anywhere, it would seem that OpenBSD has been safe for quite some time. (The comment in readelf.c would suggest 1998/07/10.)
/Martin
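Martin's point is that exposure to this bug hinges on a compile-time gate: the ELF parser in readelf.c is only compiled in when BUILTIN_ELF is defined. The script below is an added example, not code from the thread or from OpenBSD, that checks a file(1) source tree for that define, either as -DBUILTIN_ELF in the Makefile or as a #define in the sources. The tree layout it greps (Makefile, *.c, *.h in one directory, with the build flag in a CFLAGS line) is an assumption; the two demo trees it builds under mktemp are constructed so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenBSD tree): report whether a
# file(1) source tree enables the built-in ELF parser (BUILTIN_ELF), which is
# the code path the advisory concerns. A real OpenBSD tree would be
# /usr/src/usr.bin/file; the layout assumed here (flat dir, Makefile, *.c/*.h)
# is an assumption.

# Prints "enabled (...)" and returns 0 if -DBUILTIN_ELF appears in the tree's
# Makefile(s) or BUILTIN_ELF is #defined in a source/header file; otherwise
# prints "disabled" and returns 1.
builtin_elf_enabled() {
    tree="$1"
    # Build flag in the Makefile: '--' stops grep treating the pattern as an option.
    if grep -qs -- '-DBUILTIN_ELF' "$tree"/Makefile "$tree"/Makefile.* 2>/dev/null; then
        echo "enabled (Makefile)"
        return 0
    fi
    # Explicit #define in the sources (tolerates whitespace after '#').
    if grep -qsE '^[[:space:]]*#[[:space:]]*define[[:space:]]+BUILTIN_ELF' \
        "$tree"/*.c "$tree"/*.h 2>/dev/null; then
        echo "enabled (#define)"
        return 0
    fi
    echo "disabled"
    return 1
}

# Constructed demo trees so the script can be run as-is.
demo=$(mktemp -d)
mkdir "$demo/off" "$demo/on"
printf 'PROG=file\nCFLAGS+=-DBUILTIN_STDIO\n' > "$demo/off/Makefile"
printf 'PROG=file\nCFLAGS+=-DBUILTIN_ELF\n' > "$demo/on/Makefile"
builtin_elf_enabled "$demo/off"   # prints: disabled
builtin_elf_enabled "$demo/on"    # prints: enabled (Makefile)
rm -rf "$demo"
```

Run it against the real tree with `builtin_elf_enabled /usr/src/usr.bin/file` after sourcing the function; a "disabled" result matches Martin's reading of the OpenBSD build, while "enabled" means the readelf.c code is compiled in and the -current source (or a local patch) is worth applying before running file(1) on untrusted input.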
By Anonymous Coward () on
(from http://www.openbsd.org/security.html)
"OpenBSD believes in strong security. Our aspiration is to be NUMBER ONE in the industry for security (if we are not already there). Our open software development model permits us to take a more uncompromising view towards increased security than Sun, SGI, IBM, HP, or other vendors are able to. We can make changes the vendors would not make."
More uncompromising view?? Uhhh....
Make changes the vendors would not make?? Uhhh... looks like this time the other vendors made changes first. I believe Red Hat has already released a patch.
Come on, it's just a damn patch, do everyone a favor.
By Anonymous Coward () on
Compilation instructions are (probably):
cd /usr/src/usr.bin/file
make obj
make
make install