file integer overflow vulnerability

Overview

The file program contains a vulnerability that may allow an attacker to execute arbitrary code or create a denial-of-service condition.

Description

file is a program for Unix-like operating systems that is used to determine what type of data is contained in a file.

file contains a buffer overflow vulnerability that is caused by an integer overflow in the file_printf function. To trigger the overflow, an attacker would need to convince a user to run a vulnerable version of file on a specially crafted file.

---

Impact

An attacker may be able to execute arbitrary code with the permissions of the user running the vulnerable version of file or cause the program to crash, creating a denial-of-service condition

---

Solution

Upgrade
Version 4.20 of file was released to address this issue. Note that operating systems may ship with different versions of the file program. See the systems affected portion of this document for information about specific vendors.

---

Do not run file as root

Running the file program with a limited user account may partially mitigate the impact of successful exploitation of vulnerability.

---

Vendor Information

606700

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Debian GNU/Linux __ Affected

Updated: April 06, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Debian security team has published Debian Security Advisory DSA-1274 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23606700 Feedback>).

Gentoo Linux __ Affected

Notified: March 20, 2007 Updated: April 06, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Gentoo Linux security team has published Gentoo Linux Security Advisory GLSA 200703-26 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23606700 Feedback>).

Mandriva, Inc. __ Affected

Notified: March 20, 2007 Updated: March 26, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See <http://www.mandriva.com/security/advisories?name=MDKSA-2007:067&gt; for more details.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23606700 Feedback>).

Openwall GNU/*/Linux __ Affected

Notified: March 20, 2007 Updated: March 26, 2007

Status

Affected

Vendor Statement

We have fixed this vulnerability in Owl-current and 2.0-stable as of 2007/03/25. The corresponding revision of the package (with the fix) is file-4.16-owl3.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Red Hat, Inc. Affected

Notified: March 20, 2007 Updated: March 23, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux __ Affected

Notified: March 20, 2007 Updated: April 06, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The SUSE security team has published SUSE Security Summary Report SUSE-SR:2007:005 in response to this issue. Users are encouraged to review this report and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23606700 Feedback>).

Slackware Linux Inc. __ Affected

Notified: March 20, 2007 Updated: April 06, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Slackware security team has published Slackware Security Advisory SSA:2007-093-01 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23606700 Feedback>).

Trustix Secure Linux __ Affected

Notified: March 20, 2007 Updated: April 06, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Trustix security team has published Trustix Secure Linux Security Advisory #2007-0012 in response to this issue.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23606700 Feedback>).

Ubuntu Affected

Notified: March 20, 2007 Updated: March 23, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation Not Affected

Notified: March 20, 2007 Updated: March 23, 2007

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apache HTTP Server Project Unknown

Notified: March 26, 2007 Updated: March 26, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC, Inc. (formerly Data General Corporation) Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified: March 20, 2007 Updated: March 20, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 42 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://mx.gw.com/pipermail/file/2007/000161.html&gt;
• <ftp://ftp.astron.com/pub/file/file-4.20.tar.gz&gt;
• <https://www.securecoding.cert.org/confluence/x/RgE&gt;
• <http://secunia.com/advisories/24548/&gt;
• <http://www.ubuntu.com/usn/usn-439-1&gt;
• <http://secunia.com/advisories/24592/&gt;
• <http://www.mandriva.com/security/advisories?name=MDKSA-2007:067&gt;
• <http://rhn.redhat.com/errata/RHSA-2007-0124.html&gt;
• <https://issues.rpath.com/browse/RPL-1148&gt;
• <http://www.securityfocus.com/bid/2302&gt;
• <http://secunia.com/advisories/25133/&gt;
• <http://secunia.com/advisories/25393/&gt;
• <http://docs.info.apple.com/article.html?artnum=305530&gt;

Acknowledgements

Thanks to Jean-Sstien Guay-Leroux and Christos Zoulas for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs:	CVE-2007-1536
Severity Metric:	1.62 Date Public: