Bug 198912 - [base/release/10.1.0/contrib/file][security] Multiple Vulnerabilities
Summary: [base/release/10.1.0/contrib/file][security] Multiple Vulnerabilities
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 10.1-RELEASE
Hardware: Any Any
: --- Affects Only Me
Assignee: Xin LI
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-25 23:36 UTC by Sevan Janiyan
Modified: 2015-06-13 04:01 UTC (History)
4 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sevan Janiyan 2015-03-25 23:36:09 UTC
CVE-2014-2270
CVE-2014-9620
CVE-2014-9621
CVE-2014-9653

Version 5.22 in -head includes fixes for these CVEs which will treacle down to -stable.
I have not checked the version of file(1) in 9.x
Comment 1 Sevan Janiyan 2015-03-25 23:39:36 UTC
Apologies, CVE-2014-2270 was addressed in FreeBSD-SA-14:16.file
Comment 2 Sevan Janiyan 2015-05-21 11:54:35 UTC
Ping!
Comment 3 Xin LI freebsd_committer 2015-06-01 20:27:49 UTC
Take.  We intend to do an EN (by doing a full upgrade of file(1) to 5.22) instead of SA as there may be other issues affecting file(1) that didn't get covered.

Existing users of file(1) are advised to use the version shipped with ports, or use -e elf to disable the ELF tests as a workaround.
Comment 4 Mark Felder freebsd_committer 2015-06-07 02:10:26 UTC
(In reply to Xin LI from comment #3)

Certainly this would have to be issued as an SA, not an EN. You can't just disguise the fact that there were vulnerabilities by doing a full upgrade to 5.22 and claiming it's an enhancement.

And is there a reason why this hasn't happened yet? The lack of action on this issue is maddening. You can't really expect people to just use -e elf as a workaround when there is unknown amounts of software out there using file(1).
Comment 5 Xin LI freebsd_committer 2015-06-09 22:46:05 UTC
This is fixed in EN-15:06.file.
Comment 6 Sevan Janiyan 2015-06-13 04:01:24 UTC
Should https://www.freebsd.org/releases/10.1R/errata.html be updated?