File(1) Command File_PrintF Integer Underflow Vulnerability
BID:23021
Info
| Bugtraq ID: | 23021 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2007-1536 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 19 2007 12:00AM |
| Updated: | Mar 13 2008 03:21AM |
| Credit: | Jean-Sebastien Guay-Leroux discovered this vulnerability. |
| Vulnerable: |
Ubuntu Ubuntu Linux 5.10 sparc Ubuntu Ubuntu Linux 5.10 powerpc Ubuntu Ubuntu Linux 5.10 i386 Ubuntu Ubuntu Linux 5.10 amd64 Ubuntu Ubuntu Linux 6.10 sparc Ubuntu Ubuntu Linux 6.10 powerpc Ubuntu Ubuntu Linux 6.10 i386 Ubuntu Ubuntu Linux 6.10 amd64 Ubuntu Ubuntu Linux 6.06 LTS sparc Ubuntu Ubuntu Linux 6.06 LTS powerpc Ubuntu Ubuntu Linux 6.06 LTS i386 Ubuntu Ubuntu Linux 6.06 LTS amd64 Turbolinux wizpy 0 Turbolinux Turbolinux Server 10.0 Turbolinux Turbolinux Server 10.0.0 x64 Turbolinux Turbolinux Desktop 10.0 Turbolinux Turbolinux FUJI Turbolinux Turbolinux 10 F... TurboLinux Personal TurboLinux Multimedia Turbolinux Home Turbolinux FUJI 0 SuSE SUSE Linux Enterprise Server 8 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise Server 10 SuSE SUSE Linux Enterprise SDK 10 SuSE SUSE Linux Enterprise Desktop 10 SP1 SuSE SUSE Linux Enterprise Desktop 10 SuSE Linux Professional 10.2 x86_64 SuSE Linux Personal 10.2 x86_64 Slackware Linux 10.2 Slackware Linux 10.1 Slackware Linux 10.0 Slackware Linux 9.1 Slackware Linux 9.0 Slackware Linux 8.1 Slackware Linux 11.0 Slackware Linux -current S.u.S.E. UnitedLinux 1.0 S.u.S.E. SuSE Linux Standard Server 8.0 S.u.S.E. SuSE Linux School Server for i386 S.u.S.E. SUSE LINUX Retail Solution 8.0 S.u.S.E. SuSE Linux Openexchange Server 4.0 S.u.S.E. openSUSE 10.2 S.u.S.E. Open-Enterprise-Server 9.0 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Novell Linux POS 9 S.u.S.E. Novell Linux Desktop 9.0 S.u.S.E. Novell Linux Desktop 9 S.u.S.E. Linux Professional 10.0 OSS S.u.S.E. Linux Professional 9.3 x86_64 S.u.S.E. Linux Professional 9.3 S.u.S.E. Linux Professional 10.2 S.u.S.E. Linux Professional 10.1 S.u.S.E. Linux Personal 10.0 OSS S.u.S.E. Linux Personal 9.3 x86_64 S.u.S.E. Linux Personal 9.3 S.u.S.E. Linux Personal 10.2 S.u.S.E. Linux Personal 10.1 S.u.S.E. Linux Enterprise Server 9 S.u.S.E. Linux Desktop 10 S.u.S.E. Linux 10.1 x86-64 S.u.S.E. Linux 10.1 x86 S.u.S.E. Linux 10.1 ppc S.u.S.E. Linux 10.0 x86-64 S.u.S.E. 
Linux 10.0 x86 S.u.S.E. Linux 10.0 ppc rPath rPath Linux 1 RedHat Enterprise Linux WS 4 RedHat Enterprise Linux ES 4 RedHat Desktop 4.0 Red Hat Enterprise Linux Desktop 5 client Red Hat Enterprise Linux AS 4 Red Hat Enterprise Linux 5 Server Pardus Linux 2007.1 OpenBSD OpenBSD 4.0 NetBSD NetBSD 3.0.2 NetBSD NetBSD 3.0.1 NetBSD NetBSD 2.1 NetBSD NetBSD 2.0 NetBSD NetBSD Current NetBSD NetBSD 3.1 Navision Financials Server 3.0 Mandriva Linux Mandrake 2006.0 x86_64 Mandriva Linux Mandrake 2006.0 Mandriva Linux Mandrake 2007.0 x86_64 Mandriva Linux Mandrake 2007.0 MandrakeSoft Multi Network Firewall 2.0 MandrakeSoft Corporate Server 4.0 x86_64 MandrakeSoft Corporate Server 3.0 x86_64 MandrakeSoft Corporate Server 3.0 MandrakeSoft Corporate Server 4.0 Gentoo Linux FreeBSD FreeBSD 6.0 .x FreeBSD FreeBSD 6.0 -STABLE FreeBSD FreeBSD 6.0 -RELEASE FreeBSD FreeBSD 5.5 -STABLE FreeBSD FreeBSD 5.5 -RELEASE FreeBSD FreeBSD 6.2 -STABLE FreeBSD FreeBSD 6.2 FreeBSD FreeBSD 6.1 -STABLE FreeBSD FreeBSD 6.1 -RELEASE-p10 FreeBSD FreeBSD 6.1 -RELEASE FreeBSD FreeBSD 6.0 -RELEASE-p5 file file 4.13 file file 4.12 file file 4.11 file file 4.10 file file 4.9 file file 4.8 file file 4.7 file file 4.6 file file 4.5 file file 4.4 file file 4.3 file file 4.2 file file 4.1 file file 4.0 file file 3.41 file file 3.40 file file 3.39 file file 3.37 file file 3.36 file file 3.35 file file 3.34 file file 3.33 file file 3.32 file file 3.30 file file 3.28 file file 4.19 file file 4.18 file file 4.17 file file 4.16 file file 4.15 file file 4.14 Debian Linux 3.1 sparc Debian Linux 3.1 s/390 Debian Linux 3.1 ppc Debian Linux 3.1 mipsel Debian Linux 3.1 mips Debian Linux 3.1 m68k Debian Linux 3.1 ia-64 Debian Linux 3.1 ia-32 Debian Linux 3.1 hppa Debian Linux 3.1 arm Debian Linux 3.1 amd64 Debian Linux 3.1 alpha Debian Linux 3.1 Avaya SES 3.1.1 Avaya Messaging Storage Server MSS 3.0 Avaya Messaging Storage Server MM3.0 Avaya Message Networking MN 3.1 Avaya Intuity LX 2.0 Avaya Intuity LX Avaya Integrated 
Management 2.1 Avaya Integrated Management Avaya EMMC 0 Avaya Communication Manager 4.0 Avaya Communication Manager 3.1 Avaya AES 4.0 Apple Mac OS X Server 10.4.9 Apple Mac OS X Server 10.4.8 Apple Mac OS X Server 10.4.7 Apple Mac OS X Server 10.4.6 Apple Mac OS X Server 10.4.5 Apple Mac OS X Server 10.4.4 Apple Mac OS X Server 10.4.3 Apple Mac OS X Server 10.4.2 Apple Mac OS X Server 10.4.1 Apple Mac OS X Server 10.4 Apple Mac OS X Server 10.3.9 Apple Mac OS X Server 10.3.8 Apple Mac OS X Server 10.3.7 Apple Mac OS X Server 10.3.6 Apple Mac OS X Server 10.3.5 Apple Mac OS X Server 10.3.4 Apple Mac OS X Server 10.3.3 Apple Mac OS X Server 10.3.2 Apple Mac OS X Server 10.3.1 Apple Mac OS X Server 10.3 Apple Mac OS X 10.4.9 Apple Mac OS X 10.4.8 Apple Mac OS X 10.4.7 Apple Mac OS X 10.4.6 Apple Mac OS X 10.4.5 Apple Mac OS X 10.4.4 Apple Mac OS X 10.4.3 Apple Mac OS X 10.4.2 Apple Mac OS X 10.4.1 Apple Mac OS X 10.4 Apple Mac OS X 10.3.9 Apple Mac OS X 10.3.8 Apple Mac OS X 10.3.7 Apple Mac OS X 10.3.6 Apple Mac OS X 10.3.5 Apple Mac OS X 10.3.4 Apple Mac OS X 10.3.3 Apple Mac OS X 10.3.2 Apple Mac OS X 10.3.1 Apple Mac OS X 10.3 |
| Not Vulnerable: | file file 4.20 |
Discussion
The file(1) command is prone to an integer-underflow vulnerability because the command fails to adequately handle user-supplied data.
An attacker can leverage this issue to corrupt heap memory and execute arbitrary code with the privileges of a user running the command. A successful attack may result in the compromise of affected computers. Failed attempts will likely cause denial-of-service conditions.
Versions prior to 4.20 are vulnerable.
Exploit / POC
To exploit this issue, an attacker must entice an unsuspecting user to run the command on a maliciously crafted file.
The following exploit code is available:
Solution / Fix
Solution:
The vendor has released version 4.20 to address this issue. Please see the references for more information.
file file 4.15
- file file-4.20.tar.gz
  ftp://ftp.astron.com/pub/file/file-4.20.tar.gz
Turbolinux wizpy 0
- Turbolinux file-4.07-2.i586.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux file-4.14-3.i386.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
FreeBSD FreeBSD 6.2
- FreeBSD file6.patch
  http://security.FreeBSD.org/patches/SA-07:04/file6.patch
- FreeBSD file6.patch.asc
  http://security.FreeBSD.org/patches/SA-07:04/file6.patch.asc
Turbolinux Turbolinux Server 10.0
- Turbolinux file-4.03-5.i586.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/file-4.03-5.i586.rpm
- Turbolinux file-4.07-2.i586.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/file-devel-4.07-2.x86_64.rpm
- Turbolinux file-debug-4.07-2.i586.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/file-devel-4.07-2.x86_64.rpm
- Turbolinux file-devel-4.07-2.i586.rpm
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/file-devel-4.07-2.x86_64.rpm
Slackware Linux 10.0
- Slackware file-4.20-i486-1_slack10.0.tgz
  Slackware 10.0:
  ftp://ftp.slackware.com/pub/slackware/slackware-10.0/patches/packages/file-4.20-i486-1_slack10.0.tgz
Slackware Linux 10.2
- Slackware file-4.20-i486-1_slack10.2.tgz
  Slackware 10.2:
  ftp://ftp.slackware.com/pub/slackware/slackware-10.2/patches/packages/file-4.20-i486-1_slack10.2.tgz
- Slackware file-4.20-i486-1_slack11.0.tgz
  Slackware 11.0:
  ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/file-4.20-i486-1_slack11.0.tgz
Apple Mac OS X Server 10.3.9
- Apple SecUpdSrvr2007-005Pan.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13993&cat=1&platform=osx&method=sa/SecUpdSrvr2007-005Pan.dmg
Apple Mac OS X 10.3.9
- Apple SecUpd2007-005Pan.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13992&cat=1&platform=osx&method=sa/SecUpd2007-005Pan.dmg
Apple Mac OS X Server 10.4.9
- Apple SecUpd2007-005Ti.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13995&cat=1&platform=osx&method=sa/SecUpd2007-005Ti.dmg
- Apple SecUpd2007-005Univ.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13998&cat=1&platform=osx&method=sa/SecUpd2007-005Univ.dmg
file file 3.30
- file file-4.20.tar.gz
  ftp://ftp.astron.com/pub/file/file-4.20.tar.gz
file file 3.32
- file file-4.20.tar.gz
  ftp://ftp.astron.com/pub/file/file-4.20.tar.gz
file file 3.35
- file file-4.20.tar.gz
  ftp://ftp.astron.com/pub/file/file-4.20.tar.gz
file file 3.37
- file file-4.20.tar.gz
  ftp://ftp.astron.com/pub/file/file-4.20.tar.gz
file file 3.41
- file file-4.20.tar.gz
  ftp://ftp.astron.com/pub/file/file-4.20.tar.gz
file file 4.12
- Debian file_4.12-1sarge1_alpha.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/file_4.12-1sarge1_alpha.deb
- Debian file_4.12-1sarge1_amd64.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/file_4.12-1sarge1_amd64.deb
- Debian file_4.12-1sarge1_arm.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/file_4.12-1sarge1_arm.deb
- Debian file_4.12-1sarge1_hppa.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/file_4.12-1sarge1_hppa.deb
- Debian file_4.12-1sarge1_i386.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/file_4.12-1sarge1_i386.deb
- Debian file_4.12-1sarge1_ia64.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/file_4.12-1sarge1_ia64.deb
- Debian file_4.12-1sarge1_m68k.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/file_4.12-1sarge1_m68k.deb
- Debian file_4.12-1sarge1_mips.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/file_4.12-1sarge1_mips.deb
- Debian file_4.12-1sarge1_mipsel.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/file_4.12-1sarge1_mipsel.deb
- Debian file_4.12-1sarge1_powerpc.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/file_4.12-1sarge1_powerpc.deb
- Debian file_4.12-1sarge1_s390.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/file_4.12-1sarge1_s390.deb
- Debian file_4.12-1sarge1_sparc.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/file_4.12-1sarge1_sparc.deb
- Debian libmagic-dev_4.12-1sarge1_alpha.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.12-1sarge1_alpha.deb
- Debian libmagic-dev_4.12-1sarge1_amd64.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.12-1sarge1_amd64.deb
- Debian libmagic-dev_4.12-1sarge1_arm.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.12-1sarge1_arm.deb
- Debian libmagic-dev_4.12-1sarge1_hppa.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.12-1sarge1_hppa.deb
- Debian libmagic-dev_4.12-1sarge1_i386.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.12-1sarge1_i386.deb
- Debian libmagic-dev_4.12-1sarge1_ia64.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.12-1sarge1_ia64.deb
- Debian libmagic-dev_4.12-1sarge1_m68k.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.12-1sarge1_m68k.deb
- Debian libmagic-dev_4.12-1sarge1_mips.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.12-1sarge1_mips.deb
- Debian libmagic-dev_4.12-1sarge1_mipsel.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.12-1sarge1_mipsel.deb
- Debian libmagic-dev_4.12-1sarge1_powerpc.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.12-1sarge1_powerpc.deb
- Debian libmagic-dev_4.12-1sarge1_s390.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.12-1sarge1_s390.deb
- Debian libmagic-dev_4.12-1sarge1_sparc.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic-dev_4.12-1sarge1_sparc.deb
- Debian libmagic1_4.12-1sarge1_alpha.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic1_4.12-1sarge1_alpha.deb
- Debian libmagic1_4.12-1sarge1_amd64.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/http://security.debian.org/pool/updates/main/f/file/libmagic1_4.12-1sarge1_amd64.deb
- Debian libmagic1_4.12-1sarge1_arm.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic1_4.12-1sarge1_arm.deb
- Debian libmagic1_4.12-1sarge1_hppa.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic1_4.12-1sarge1_hppa.deb
- Debian libmagic1_4.12-1sarge1_i386.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic1_4.12-1sarge1_i386.deb
- Debian libmagic1_4.12-1sarge1_ia64.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic1_4.12-1sarge1_ia64.deb
- Debian libmagic1_4.12-1sarge1_m68k.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic1_4.12-1sarge1_m68k.deb
- Debian libmagic1_4.12-1sarge1_mips.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic1_4.12-1sarge1_mips.deb
- Debian libmagic1_4.12-1sarge1_mipsel.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic1_4.12-1sarge1_mipsel.deb
- Debian libmagic1_4.12-1sarge1_powerpc.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic1_4.12-1sarge1_powerpc.deb
- Debian libmagic1_4.12-1sarge1_s390.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic1_4.12-1sarge1_s390.deb
- Debian libmagic1_4.12-1sarge1_sparc.deb
  Debian 3.1 (stable)
  http://security.debian.org/pool/updates/main/f/file/libmagic1_4.12-1sarge1_sparc.deb
- file file-4.20.tar.gz
  ftp://ftp.astron.com/pub/file/file-4.20.tar.gz
file file 4.4
- file file-4.20.tar.gz
  ftp://ftp.astron.com/pub/file/file-4.20.tar.gz
file file 4.5
- file file-4.20.tar.gz
  ftp://ftp.astron.com/pub/file/file-4.20.tar.gz
file file 4.6
- file file-4.20.tar.gz
  ftp://ftp.astron.com/pub/file/file-4.20.tar.gz
file file 4.7
- file file-4.20.tar.gz
  ftp://ftp.astron.com/pub/file/file-4.20.tar.gz
Slackware Linux 9.1
- Slackware file-4.20-i486-1_slack9.1.tgz
  Slackware 9.1:
  ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/file-4.20-i486-1_slack9.1.tgz
References
References:
- file-4.20 is now available (Christos Zoulas)
- Index of ftp://ftp.astron.com/pub/file/ (file)
- RHSA-2007:0124-2 - file security update (RedHat)
- ASA-2007-179 file security update (RHSA-2007-0124) (Avaya)
- rPath Security Advisory: 2007-0059-1 (rPath)
- Vulnerability Note VU#606700 file vulnerable to an integer underflow (US-CERT)