[blfs-dev] Upcoming BLFS-7.5 release : security issues

Pierre Labastie pierre.labastie at neuf.fr
Mon Mar 3 14:25:24 PST 2014


Le 03/03/2014 22:52, Bruce Dubbs a écrit :
> Pierre Labastie wrote:
>> Hi,
>>
>> Two points, which I'd like to raise before the release:
>>
>> 1. MIT Kerberos:
>> You may remember that I had some difficulty with tests in MIT Kerberos. I
>> reported upstream and this lead to the following two commits:
>> https://github.com/krb5/krb5/commit/26d874412983c4c9979a9f5e7bec51834ad4cda5
>> https://github.com/krb5/krb5/commit/dba768e873d3ae34cfb2ff9d9c2d3644981f23a5
>>
>> I do not know whether it may be considered a security issue, but since it
>> makes the database code loop forever, I guess it could...
>>
>> If you are OK, I can make a patch and update the instructions.
> 
> Absolutely.  Please do that.
> 
>> 2. PHP fileinfo extension:
>> An issue has been discovered in the libmagic code
>> (https://security-tracker.debian.org/tracker/CVE-2014-1943).
>> See also http://mx.gw.com/pipermail/file/2014/001327.html
>>
>> It is corrected in file 5.17, but PHP ships a modified version of libmagic,
>> which is also affected. It is used in the fileinfo extension. Upstream has
>> corrected this on Feb 18, so after the last stable release. See the commit at:
>> http://git.php.net/?p=php-src.git;a=commitdiff;h=89f864c547014646e71862df3664e3ff33d7143d
>> (put on one line)
>>
>> I have not had time to investigate more. Is fileinfo extension built in our build?
> 
> I haven't built php lately, but from my log of an older version, I'd say 
> yes.
> 
>    -- Bruce
> 
Shall make both patches, and update instructions tomorrow (getting late here),
while you'll be sleeping on the other side of the pond...

Pierre



More information about the blfs-dev mailing list