[blfs-dev] Upcoming BLFS-7.5 release : security issues

Pierre Labastie pierre.labastie at neuf.fr
Mon Mar 3 13:20:01 PST 2014


Hi,

Two points, which I'd like to raise before the release:

1. MIT Kerberos:
You may remember that I had some difficulty with tests in MIT Kerberos. I
reported upstream and this led to the following two commits:
https://github.com/krb5/krb5/commit/26d874412983c4c9979a9f5e7bec51834ad4cda5
https://github.com/krb5/krb5/commit/dba768e873d3ae34cfb2ff9d9c2d3644981f23a5

I do not know whether it may be considered a security issue, but since it
makes the database code loop forever, I guess it could...

If you are OK, I can make a patch and update the instructions.

2. PHP fileinfo extension:
An issue has been discovered in the libmagic code
(https://security-tracker.debian.org/tracker/CVE-2014-1943).
See also http://mx.gw.com/pipermail/file/2014/001327.html

It is corrected in file 5.17, but PHP ships a modified version of libmagic,
which is also affected. It is used in the fileinfo extension. Upstream has
corrected this on Feb 18, so after the last stable release. See the commit at:
http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c547014646e71862df3664e3ff33d7143d
(put on one line)

I have not had time to investigate more. Is the fileinfo extension built in our build?

Pierre
