[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-07:04.file

Tom Evans tevans.uk at googlemail.com
Thu May 24 14:37:13 UTC 2007


> Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory 
> FreeBSD-SA-07:04.file
> Date: Thu, 24 May 2007 15:37:36 +0200
> From: Dag-Erling Smørgrav <des at des.no>
> To: Brian A. Seklecki <bseklecki at collaborativefusion.com>
> CC: FreeBSD Security Advisories <security-advisories at freebsd.org>, 
> freebsd-security at freebsd.org
> References: <200705231619.l4NGJtHB017927 at freefall.freebsd.org> 
> <1179937542.1121.4.camel at soundwave.pgh.priv.collaborativefusion.com>
> 
> "Brian A. Seklecki" <bseklecki at collaborativefusion.com> writes:
> > I'll have to check, but I doubt anything other than file(1) on
> > production systems is linked against libmagic.  This is safe to do in
> > real-time afaik. ~BAS
> 
> AFAIK, Apache's mod_mime_magic either links against libmagic or against
> its own copy of the same code.
> 
> DES

I've had an initial look over mod_mime_magic.c in Apache 1.3.37 and
2.2.4. Both are essentially the same module, just adjusted for the
different APIs in 2.x. The module does not use libmagic directly, nor
does it appear to include large portions of similar code. The history of
the module indicates that it was derived from Ian Darwin's magic(1)
posted to comp.source.unix in ~1987, which is where FreeBSD's magic(1)
originated.

However, FreeBSD's magic notes that it was extensively rewritten since
then, and I cannot personally identify similar parts of the code between
file/magic.c and mod_mime_magic.c - but I am not a security expert.

If someone more qualified than me has some time to look at whether
mod_mime_magic is affected, I'd appreciate it greatly.

Regards

Tom