Tom Evans
2007-May-24 14:37 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file
> Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory
> FreeBSD-SA-07:04.file
> Date: Thu, 24 May 2007 15:37:36 +0200
> From: Dag-Erling Smørgrav <des@des.no>
> To: Brian A. Seklecki <bseklecki@collaborativefusion.com>
> CC: FreeBSD Security Advisories <security-advisories@freebsd.org>,
> freebsd-security@freebsd.org
> References: <200705231619.l4NGJtHB017927@freefall.freebsd.org>
> <1179937542.1121.4.camel@soundwave.pgh.priv.collaborativefusion.com>
>
> "Brian A. Seklecki" <bseklecki@collaborativefusion.com> writes:
> > I'll have to check, but I doubt anything other than file(1) on
> > production systems is linked against libmagic. This is safe to do in
> > real-time afaik. ~BAS
>
> AFAIK, Apache's mod_mime_magic either links against libmagic or against
> its own copy of the same code.
>
> DES

I've had an initial look over mod_mime_magic.c in Apache 1.3.37 and 2.2.4. Both are essentially the same module, just adjusted for the different APIs in 2.x.

The module does not use libmagic directly, nor does it appear to include large portions of similar code. The history of the module indicates that it was derived from Ian Darwin's magic(1) posted to comp.source.unix in ~1987, which is where FreeBSD's magic(1) originated. However, FreeBSD's magic notes that it was extensively rewritten since then, and I cannot personally identify similar parts of the code between file/magic.c and mod_mime_magic.c - but I am not a security expert.

If someone more qualified than me has some time to look at whether mod_mime_magic is affected, I'd appreciate it greatly.

Regards

Tom