Overview
The file program contains a vulnerability that may allow an attacker to execute arbitrary code or create a denial-of-service condition.
Description
file is a program for Unix-like operating systems that is used to determine what type of data is contained in a file. file contains a heap-based buffer overflow caused by an integer underflow in the file_printf function, which formats output into a heap buffer: the routine's count of remaining space can wrap, so a later write lands outside the allocation. To trigger the overflow, an attacker would need to convince a user to run a vulnerable version of file on a specially crafted file.
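The following C program is an added illustration of the bug class described above; it is not file's own code, and the struct, field names and routines (outbuf, vuln_printf, safe_printf, demo) are hypothetical. It shows the append-formatted pattern in which vsnprintf's return value (the length the output would have had) is subtracted from an unsigned "bytes remaining" counter without checking for truncation, so the counter wraps and the next write is handed a bogus size, beside a hardened form that grows the buffer before touching the counters. The vulnerable routine here only corrupts the bookkeeping on purpose; it does not perform the out-of-bounds write.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical output buffer modelling the heap block plus the "bytes used"
 * and "bytes remaining" bookkeeping an append-formatted routine keeps.
 * Illustration only; this is not file's own data structure. */
struct outbuf {
    char  *buf;   /* heap allocation */
    size_t size;  /* true allocation size in bytes */
    size_t used;  /* bytes already written (offset of the next free byte) */
    size_t len;   /* bytes the routine believes remain after `used` */
};

static int outbuf_init(struct outbuf *o, size_t size)
{
    o->buf = calloc(1, size);
    if (o->buf == NULL)
        return -1;
    o->size = size;
    o->used = 0;
    o->len  = size;
    return 0;
}

/* Vulnerable pattern. vsnprintf returns the length the output *would* have
 * had, not what it stored, so on truncation n exceeds o->len. Subtracting
 * anyway wraps the unsigned counter to a huge value and pushes `used` past
 * the allocation; a following append would then be given that bogus size
 * and write outside the heap block. */
static int vuln_printf(struct outbuf *o, const char *fmt, ...)
{
    va_list ap;
    size_t n;

    va_start(ap, fmt);
    n = (size_t)vsnprintf(o->buf + o->used, o->len, fmt, ap);
    va_end(ap);
    o->used += n;   /* may now exceed o->size */
    o->len  -= n;   /* wraps when n > o->len */
    return 0;
}

/* Hardened form: a return value >= o->len means truncation; grow the buffer
 * (or fail) before updating any counter, and derive `len` only from the
 * real allocation size. */
static int safe_printf(struct outbuf *o, const char *fmt, ...)
{
    va_list ap;
    int r;

    va_start(ap, fmt);
    r = vsnprintf(o->buf + o->used, o->len, fmt, ap);
    va_end(ap);
    if (r < 0)
        return -1;                              /* encoding error */
    if ((size_t)r >= o->len) {
        size_t need = o->used + (size_t)r + 1;  /* room for the NUL */
        char  *nb;
        if (need < o->used)                     /* size_t overflow in need */
            return -1;
        nb = realloc(o->buf, need);
        if (nb == NULL)
            return -1;
        o->buf  = nb;
        o->size = need;
        o->len  = need - o->used;
        va_start(ap, fmt);
        r = vsnprintf(o->buf + o->used, o->len, fmt, ap);
        va_end(ap);
        if (r < 0 || (size_t)r >= o->len)
            return -1;                          /* must fit now */
    }
    o->used += (size_t)r;
    o->len  -= (size_t)r;
    return 0;
}

struct demo_result { int rc; size_t size; size_t len; };

/* Append a constructed run of `text_len` 'A' bytes into a fresh 16-byte
 * buffer with either routine and return the bookkeeping it leaves behind. */
static struct demo_result demo(int hardened, size_t text_len)
{
    struct demo_result res = { -1, 0, 0 };
    struct outbuf o;
    char *text = malloc(text_len + 1);

    if (text == NULL || outbuf_init(&o, 16) != 0) {
        free(text);
        return res;
    }
    memset(text, 'A', text_len);
    text[text_len] = '\0';
    res.rc   = hardened ? safe_printf(&o, "%s", text)
                        : vuln_printf(&o, "%s", text);
    res.size = o.size;
    res.len  = o.len;
    free(o.buf);
    free(text);
    return res;
}

int main(void)
{
    struct demo_result v = demo(0, 40);   /* 40 bytes into a 16-byte buffer */
    struct demo_result s = demo(1, 40);

    printf("vulnerable: size=%zu remaining=%zu (wrapped: %s)\n",
           v.size, v.len, v.len > v.size ? "yes" : "no");
    printf("hardened:   rc=%d size=%zu remaining=%zu\n", s.rc, s.size, s.len);
    return 0;
}
```

With a 40-byte input the vulnerable routine reports roughly SIZE_MAX bytes "remaining" in a 16-byte block, which is the state a real file_printf-style function would be in right before its next append; the hardened routine reallocates to 41 bytes and leaves one byte of headroom. The `>=` comparison matters: vsnprintf needs one extra byte for the terminator, so an output exactly as long as the buffer is already truncated.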
Impact
An attacker may be able to execute arbitrary code with the permissions of the user running the vulnerable version of file, or cause the program to crash, creating a denial-of-service condition.
Solution
Upgrade to file 4.20 or later; the 4.20 release linked in the references corrects file_printf. Several vendors have shipped updated packages (see the distribution advisories in the references).
Vendor Information
CVSS Metrics
Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |
References
- http://mx.gw.com/pipermail/file/2007/000161.html
- ftp://ftp.astron.com/pub/file/file-4.20.tar.gz
- https://www.securecoding.cert.org/confluence/x/RgE
- http://secunia.com/advisories/24548/
- http://www.ubuntu.com/usn/usn-439-1
- http://secunia.com/advisories/24592/
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:067
- http://rhn.redhat.com/errata/RHSA-2007-0124.html
- https://issues.rpath.com/browse/RPL-1148
- http://www.securityfocus.com/bid/2302
- http://secunia.com/advisories/25133/
- http://secunia.com/advisories/25393/
- http://docs.info.apple.com/article.html?artnum=305530
Acknowledgements
Thanks to Jean-Sébastien Guay-Leroux and Christos Zoulas for information that was used in this report.
This document was written by Ryan Giobbi.
Other Information
Field | Value
---|---
CVE IDs | CVE-2007-1536
Severity Metric | 1.62
Date Public | 2007-03-19
Date First Published | 2007-03-26
Date Last Updated | 2007-10-16 12:29 UTC
Document Revision | 44