Mandriva Advisories

Package name: file
Date: April 17th, 2003
Advisory ID: MDKSA-2003:030-1
Affected versions: 8.2, 9.0, CS2.1
Synopsis: Updated file packages fix stack overflow vulnerability

Problem Description

A memory allocation problem in file was found by Jeff Johnson, and a
stack overflow corruption problem was found by David Endler. These
problems have been corrected in file version 3.41 and likely affect
all previous versions. These problems pose a security threat as they
can be used to execute arbitrary code by an attacker under the
privileges of another user. Note that the attacker must first
somehow convince the target user to execute file against a specially
crafted file that triggers the buffer overflow in file.

Update:

The 8.2 and 9.0 packages installed data in a different directory than
where they should have been installed, which broke compatibility with
a small number of programs. These updated packages place those files
back in the appropriate location.

Updated Packages

Mandrakelinux 8.2

d5e93ef5b8d037f98545cada5a771df7  8.2/RPMS/file-3.41-1.2mdk.i586.rpm
928927e417e426bddff47bb2b44ab2f7  8.2/SRPMS/file-3.41-1.2mdk.src.rpm

Mandrakelinux 8.2/PPC

db8aa6371a0cc8472a326c34e55644b9  ppc/8.2/RPMS/file-3.41-1.2mdk.ppc.rpm
928927e417e426bddff47bb2b44ab2f7  ppc/8.2/SRPMS/file-3.41-1.2mdk.src.rpm

Mandrakelinux 9.0

11dd08bc1e77855ed30a9c0e40f6b15c  9.0/RPMS/file-3.41-1.2mdk.i586.rpm
928927e417e426bddff47bb2b44ab2f7  9.0/SRPMS/file-3.41-1.2mdk.src.rpm

Corporate Server 2.1

11dd08bc1e77855ed30a9c0e40f6b15c  corporate/2.1/RPMS/file-3.41-1.2mdk.i586.rpm
928927e417e426bddff47bb2b44ab2f7  corporate/2.1/SRPMS/file-3.41-1.2mdk.src.rpm

Corporate Server 2.1/X86_64

bac5bc5f65a3eb09a5f19dec54ea9b43  x86_64/corporate/2.1/RPMS/file-3.41-1.2mdk.x86_64.rpm
928927e417e426bddff47bb2b44ab2f7  x86_64/corporate/2.1/SRPMS/file-3.41-1.2mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0102
http://www.idefense.com/advisory/03.04.03.txt

Upgrade

To upgrade automatically, use MandrivaUpdate.
Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:

    rpm --checksig package.rpm


You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.
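For a manual download, the two checks the advisory describes (the MD5 sums listed under "Updated Packages" and the GPG signature checked by `rpm --checksig`) can be scripted so that no package is installed until both pass. The following POSIX shell script is an added example and is not part of the Mandriva advisory or of MandrivaUpdate; the function names are made up here, it assumes `md5sum` (coreutils) is on the PATH (with a fallback to BSD `md5`), and it only calls `rpm --checksig` if an `rpm` binary is present. The manifest it reads is the advisory's own "<md5>  <path>" line format, so the "Updated Packages" block can be pasted into a file as-is.

```shell
#!/bin/sh
# Added example (not from the advisory): verify downloaded RPMs against a
# "<md5>  <path>" manifest and the embedded GPG signature before installing.

# Print the MD5 hex digest of a file (md5sum, falling back to BSD md5).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# verify_md5 EXPECTED FILE -> exit status 0 if the digest matches, 1 otherwise.
# The expected value is lower-cased so a copied upper-case sum still compares.
verify_md5() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    actual=$(file_md5 "$2") || return 1
    [ "$actual" = "$expected" ]
}

# verify_manifest MANIFEST [BASEDIR]
# Reads "<md5>  <relative path>" lines (the advisory's "Updated Packages"
# format), checks each file under BASEDIR (default: current directory) and
# returns the number of failures. A missing file counts as a failure, so a
# zero exit status means every listed package is present and intact.
verify_manifest() {
    manifest=$1
    base=${2:-.}
    failures=0
    while read -r sum path; do
        [ -z "$sum" ] && continue               # skip blank lines
        case "$sum" in \#*) continue ;; esac    # skip comment lines
        if [ ! -f "$base/$path" ]; then
            echo "MISSING  $path"
            failures=$((failures + 1))
        elif verify_md5 "$sum" "$base/$path"; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            failures=$((failures + 1))
        fi
    done < "$manifest"
    return $failures
}

# rpm_checksig FILE: the signature check the advisory asks for. Returns rpm's
# own exit status, or 2 when no rpm binary is available on this host.
rpm_checksig() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    rpm --checksig "$1"
}

# Usage: ./verify.sh MANIFEST [BASEDIR]; installs nothing, only reports.
if [ "$#" -ge 1 ]; then
    verify_manifest "$1" "${2:-.}"
fi
```

A non-zero exit status from `verify_manifest` should stop the upgrade: an MD5 mismatch means the download is corrupt or has been altered, and only a package that also passes `rpm_checksig` has been shown to come from the Mandriva Security Team's key.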