Bug 198912

Summary: [base/release/10.1.0/contrib/file][security] Multiple Vulnerabilities
Product: Base System
Reporter: Sevan Janiyan <venture37>
Component: bin
Assignee: Xin LI <delphij>
Status: Closed FIXED
Severity: Affects Only Me
CC: delphij, emaste, feld, secteam
Priority: ---
Version: 10.1-RELEASE
Hardware: Any
OS: Any

Description Sevan Janiyan 2015-03-25 23:36:09 UTC
CVE-2014-2270
CVE-2014-9620
CVE-2014-9621
CVE-2014-9653

Version 5.22 in -head includes fixes for these CVEs which will trickle down to -stable.
I have not checked the version of file(1) in 9.x
Comment 1 Sevan Janiyan 2015-03-25 23:39:36 UTC
Apologies, CVE-2014-2270 was addressed in FreeBSD-SA-14:16.file
Comment 2 Sevan Janiyan 2015-05-21 11:54:35 UTC
Ping!
Comment 3 Xin LI freebsd_committer freebsd_triage 2015-06-01 20:27:49 UTC
Take.  We intend to do an EN (by doing a full upgrade of file(1) to 5.22) instead of SA as there may be other issues affecting file(1) that didn't get covered.

Existing users of file(1) are advised to use the version shipped with ports, or use -e elf to disable the ELF tests as a workaround.
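An added example, not part of the bug report and not FreeBSD's own tooling: a small POSIX sh script that checks whether the installed file(1) reports a version at or past the 5.22 release named in the description, and wraps the `-e elf` workaround from comment 3. It assumes `file --version` prints a first line of the form `file-5.NN` (the format libmagic's file(1) uses); the function and variable names are the author's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the FreeBSD base system).
# Assumption: `file --version` prints "file-X.Y" on its first line.

# Compare a "file-X.Y" version string against 5.22, the release the
# report says carries the fixes. Returns 0 when the version is >= 5.22,
# 1 otherwise. Argument: the first line of `file --version`.
file_version_is_fixed() {
    ver=${1#file-}            # strip the "file-" prefix
    major=${ver%%.*}          # digits before the first dot
    minor=${ver#*.}           # everything after the first dot
    minor=${minor%%.*}        # drop any third component, e.g. 5.22.1 -> 22
    if [ "$major" -gt 5 ]; then return 0; fi
    if [ "$major" -eq 5 ] && [ "$minor" -ge 22 ]; then return 0; fi
    return 1
}

# Query the file(1) found on PATH. Prints "fixed", "vulnerable" or
# "unknown" (no file(1) installed).
check_installed_file() {
    if ! command -v file >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    v=$(file --version 2>&1 | sed -n '1p')
    if file_version_is_fixed "$v"; then echo fixed; else echo vulnerable; fi
}

# The workaround from comment 3: skip the ELF tests entirely so the
# affected readelf code path is never reached. Usage: safe_file <path>...
safe_file() {
    file -e elf "$@"
}

check_installed_file
```

`safe_file` only helps for invocations you control; anything else on the box that links against libmagic or calls file(1) directly still runs the ELF tests, which is the point comment 4 makes about the workaround.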
Comment 4 Mark Felder freebsd_committer freebsd_triage 2015-06-07 02:10:26 UTC
(In reply to Xin LI from comment #3)

Certainly this would have to be issued as an SA, not an EN. You can't just disguise the fact that there were vulnerabilities by doing a full upgrade to 5.22 and claiming it's an enhancement.

And is there a reason why this hasn't happened yet? The lack of action on this issue is maddening. You can't really expect people to just use -e elf as a workaround when there is unknown amounts of software out there using file(1).
Comment 5 Xin LI freebsd_committer freebsd_triage 2015-06-09 22:46:05 UTC
This is fixed in EN-15:06.file.
Comment 6 Sevan Janiyan 2015-06-13 04:01:24 UTC
Should https://www.freebsd.org/releases/10.1R/errata.html be updated?