Security Advisory (MDKSA-2003:030-1): file


aru

MandrakeSoft Security Advisory MDKSA-2003:030-1 : file

April 17th, 2003

Updated file packages fix stack overflow vulnerability

A memory allocation problem in file was found by Jeff Johnson, and a stack overflow corruption problem was found by David Endler. These problems have been corrected in file version 3.41 and likely affect all previous versions. These problems pose a security threat because an attacker can use them to execute arbitrary code under the privileges of another user. Note that the attacker must first somehow convince the target user to run file against a specially crafted file that triggers the buffer overflow in file.

Update:

The 8.2 and 9.0 packages installed data in a different directory than where they should have been installed, which broke compatibility with a small number of programs. These updated packages place those files back in the appropriate location.

The released versions of Mandrake GNU/Linux affected are:

  • 8.2
  • 8.2/PPC
  • 9.0
  • Corporate Server 2.1

Full information about this advisory, including the updated packages, is available at:

www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:030-1

Other references:

http://cve.mitre.org/cgi-bin/cvename.cgi?n...e=CAN-2003-0102

http://www.idefense.com/advisory/03.04.03.txt

Posted automatically by aru (mdksec2mub v0.0.5)
