Vulnerability in Unix tool endangers system security
A patch for the Unix file utility released in March has evidently closed one hole and opened another. According to an assessment by several Linux distributors, the new vulnerability can not only be used to crash a computer but also to inject and execute code by means of crafted files. The vulnerability was discovered by Colin Percival of the FreeBSD Security Team.
file is usually run to show the properties of a file on the command line, so a successful attack normally requires the victim to examine a manipulated file themselves. There are, however, cases in which no user interaction is required. Among other things, the open-source virus scanner Amavisd-new uses the file utility, for example to identify email attachments. Upgrading to file version 4.21, or installing the updated file packages from the distributors, remedies the problem.
Furthermore, the Amavis developers point to an additional vulnerability in file, which is still present in version 4.21 and can cause the scanner to crash. Apparently, two lines of code that should have been deleted have mistakenly remained in the source code.
- file utility integer underflow / possible DoS, error report from Amavis
- Updated file packages fix vulnerabilities, error report from Mandriva
- file security update, error report from Red Hat
(mba)