[blfs-dev] Upcoming BLFS-7.5 release : security issues

Bruce Dubbs bruce.dubbs at gmail.com
Mon Mar 3 13:52:20 PST 2014


Pierre Labastie wrote:
> Hi,
>
> Two points, which I'd like to raise before the release:
>
> 1. MIT Kerberos:
> You may remember that I had some difficulty with tests in MIT Kerberos. I
> reported upstream and this led to the following two commits:
> https://github.com/krb5/krb5/commit/26d874412983c4c9979a9f5e7bec51834ad4cda5
> https://github.com/krb5/krb5/commit/dba768e873d3ae34cfb2ff9d9c2d3644981f23a5
>
> I do not know whether it may be considered a security issue, but since it
> makes the database code loop forever, I guess it could...
>
> If you are OK, I can make a patch and update the instructions.

Absolutely.  Please do that.

> 2. PHP fileinfo extension:
> An issue has been discovered in the libmagic code
> (https://security-tracker.debian.org/tracker/CVE-2014-1943).
> See also http://mx.gw.com/pipermail/file/2014/001327.html
>
> It is corrected in file 5.17, but PHP ships a modified version of libmagic,
> which is also affected. It is used in the fileinfo extension. Upstream has
> corrected this on Feb 18, so after the last stable release. See the commit at:
> http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c547014646e71862df3664e3ff33d7143d
> (put on one line)
>
> I have not had time to investigate more. Is fileinfo extension built in our build?

I haven't built php lately, but from my log of an older version, I'd say 
yes.

   -- Bruce
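The question above (whether the fileinfo extension, and with it PHP's bundled libmagic, is part of the build) is easy to settle on an installed system. The script below is an added example, not code from the thread or from the BLFS book: it checks the module list that `php -m` prints for a `fileinfo` line and, separately, parses the first line of `file --version` to see whether the system libmagic is at or past 5.17, the release Pierre names as carrying the fix. Both output formats are assumptions about those tools; when the tools are missing it falls back to constructed sample output so it still runs offline.

```shell
#!/bin/sh
# Added example for the BLFS thread above (not project code).
# Assumes `php -m` prints one loaded module name per line and that
# `file --version` starts with a line such as "file-5.17".

# has_fileinfo: read `php -m` output on stdin; succeed if "fileinfo" is listed.
has_fileinfo() {
    grep -qix 'fileinfo'
}

# file_version_ok VERSION_LINE: succeed if the "file-X.Y" line is >= 5.17
# (the libmagic release Pierre cites as fixed). Returns 2 if unparsable.
file_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^file-\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 17 ]; }
}

# Driver: use the real tools when present, otherwise constructed sample output.
if command -v php >/dev/null 2>&1; then
    modules=$(php -m 2>/dev/null)
else
    modules=$(printf 'Core\nfileinfo\njson\n')   # constructed sample
fi
if printf '%s\n' "$modules" | has_fileinfo; then
    echo "fileinfo extension: built (bundled libmagic needs the PHP-side fix)"
else
    echo "fileinfo extension: not built"
fi

if command -v file >/dev/null 2>&1; then
    fline=$(file --version 2>/dev/null | head -n 1)
else
    fline='file-5.14'                              # constructed sample
fi
if file_version_ok "$fline"; then
    echo "system libmagic ($fline): at or past 5.17"
else
    echo "system libmagic ($fline): older than 5.17"
fi
```

Note that the two checks are independent: PHP links its own copy of libmagic under ext/fileinfo, so a fixed system file(1) says nothing about the PHP build, which needs the php-src commit Pierre links.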