-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                     AMaViS Security Announcement

Date:                  2007-06-05
affected version(s):   amavis, amavisd, amavisd-new
Vulnerability:         GNU file utility integer overflow (CVE-2007-2799);
                       possible DoS on Linux systems (CVE-2007-2026)
Priority:              urgent
Solution:              update to GNU file 4.21 or newer;
                       edit 'magic' file, re-create compiled magic file
References:            http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2799
                       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2026
Author:                Mark Martinec
                       Rainer Link
Advisory ID:           ASA-2007-3
Contact:               security@amavis.org
WWW:                   http://www.amavis.org/security/
- -----------------------------------------------------------------------------

0. Preface

As amavisd-new (http://www.ijs.si/software/amavisd/) is currently the only
maintained AMaViS branch, most of the following refers to amavisd-new.

1. Problem description

Colin Percival, FreeBSD Security Officer, discovered that the fix for the
CVE-2007-1536 security issue in the file(1) utility version 4.20 introduced
a new integer overflow, leading to a buffer overflow and possibly to the
execution of arbitrary code with the rights of the user running file(1).
This new flaw has been assigned CVE-2007-2799.

Amavisd-new and its predecessors (except amavis-ng) use the file(1) utility
to determine the type of files extracted from email messages. Since these
files come from mail submitted by arbitrary senders, an attacker can
leverage the file(1) vulnerability to execute code with the privileges of
the user running amavis.

2. Impact

Potentially execute arbitrary code with the privileges of the user running
a content filter (such as amavisd-new) which uses version 4.20 of the
file(1) utility. If the content filter is running chrooted, the impact is
limited by the chroot jail environment.

Note that file(1) versions 4.19 and earlier are vulnerable to the similar
problem CVE-2007-1536 (see ASA-2007-1), and the vulnerability of versions
3.41 and earlier is covered by ASA-2003-1.

3. Solution

Update to file(1) utility 4.21 or newer; the latest version can be found
at ftp://ftp.astron.com/pub/file/ . Alternatively, update your system
using an up-to-date package or port.

If decoding of mail contents by amavisd-new is not required (e.g. if the
antivirus checkers can reliably do their own mail decoding and no banning
rules are in use, or if only spam checking is desired), decoding and
content recognition by the file(1) utility can be turned off (since
version 2.5.1 of amavisd-new) by the following setting in amavisd.conf:

  $bypass_decode_parts = 1;

4. Additional information

An unrelated DoS vulnerability, CVE-2007-2026, affecting a file(1) utility
linked with a POSIX regex(3) library on Linux systems (but not on *BSD
systems), is still unresolved in file-4.21: by mistake the two offending
lines in the 'magic' file were not removed, even though their correct
replacements were added. The following two lines from the 'magic' file
that comes with file(1) version 4.21 need to be removed manually:

  100 regex/c =^\\s*call\\s+rxfuncadd.*sysloadfu OS/2 REXX batch file text
  100 regex/c =^\\s*say\ ['"] OS/2 REXX batch file text

Depending on your system, you may have not only a 'magic' source file
(e.g. /etc/magic) but also a compiled magic file (e.g. /etc/magic.mgc).
If so, re-compile 'magic.mgc' with the 'file -C' command (e.g. run
"file -C" in /etc). See the file(1) man page for details.

To check that this issue has been properly fixed, run:

  $ perl -e 'for (1..2700) {print "\n" x 10}' >0.lis
  $ file 0.lis

The output "0.lis: ASCII text" must appear immediately, without creating
a heavy CPU load.
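The checks from sections 3 and 4 (installed file(1) version, presence of the two offending 'magic' entries, and the newline-only timing test) gathered into one POSIX shell script. This is an added example, not code from the advisory or from the amavisd-new project. The magic source path /etc/magic (overridable via MAGIC_FILE), the script name check-file-cve.sh, the 5-second budget, and the availability of coreutils timeout(1) and perl are assumptions to adjust for your system.

```sh
#!/bin/sh
# Added example for ASA-2007-3 (not part of the advisory or of amavisd-new):
# verify that a host running amavisd-new has the file(1) fixes in place.
#   1. installed file(1) is 4.21 or newer                 (CVE-2007-2799)
#   2. the 'magic' source no longer carries the two OS/2   (CVE-2007-2026)
#      REXX regex entries the advisory lists
#   3. file(1) classifies a newline-only input promptly    (CVE-2007-2026)
# Assumptions: magic source at /etc/magic (override with MAGIC_FILE),
# coreutils timeout(1) and perl available, script saved as check-file-cve.sh.

MAGIC_FILE="${MAGIC_FILE:-/etc/magic}"

# version_ge A B: succeed when dotted numeric version A is >= B (4.21 >= 4.20).
version_ge() {
    first=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$2" ]
}

# Print the version of the installed file(1): "file -v" starts with "file-X.YZ".
installed_file_version() {
    file -v 2>&1 | head -n 1 | sed 's/^file-//'
}

# Print how many lines of magic file $1 still carry the two offending entries.
# grep -F matches the literal backslashes of the magic entries as written;
# grep exits 1 when the count is 0, which is not an error here.
offending_magic_lines() {
    grep -c -F -e 'call\\s+rxfuncadd' -e "say\\ ['\"]" "$1" || [ $? -eq 1 ]
}

# Copy magic file $1 to $2 with the two offending entries removed;
# afterwards rebuild magic.mgc with 'file -C' as the advisory describes.
strip_offending_lines() {
    grep -v -F -e 'call\\s+rxfuncadd' -e "say\\ ['\"]" "$1" > "$2" || [ $? -eq 1 ]
}

# Re-create the advisory's probe (27000 newlines) and give file(1) at most
# $1 seconds (default 5). A vulnerable file-4.21 on Linux burns CPU in the
# regex matcher far longer than that; a fixed one answers "ASCII text" at once.
regex_dos_check() {
    budget="${1:-5}"
    probe=$(mktemp)
    perl -e 'for (1..2700) {print "\n" x 10}' > "$probe"
    if timeout "$budget" file "$probe" > /dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$probe"
    return "$rc"
}

main() {
    ver=$(installed_file_version)
    if version_ge "$ver" 4.21; then
        echo "file-$ver: 4.21 or newer, CVE-2007-2799 fix present"
    else
        echo "file-$ver: older than 4.21, update it (CVE-2007-2799)"
    fi
    n=$(offending_magic_lines "$MAGIC_FILE")
    if [ "${n:-0}" -gt 0 ]; then
        echo "$MAGIC_FILE: $n offending OS/2 REXX regex line(s) still present (CVE-2007-2026)"
    else
        echo "$MAGIC_FILE: offending regex lines absent"
    fi
    if regex_dos_check 5; then
        echo "file(1) classified the newline-only probe promptly"
    else
        echo "file(1) did not finish within 5 s: CVE-2007-2026 DoS still present"
    fi
}

# Run the checks only when executed under the assumed script name, not when sourced.
case "${0##*/}" in
    check-file-cve.sh) main "$@" ;;
esac
```

Run it as root on the amavisd host after updating file(1). To apply the magic fix, call strip_offending_lines on the source (e.g. /etc/magic to /etc/magic.new), inspect the diff, move the result into place, and then rebuild the compiled file as the advisory says ('file -C' in the directory holding the magic file). The two fragments are matched with grep -F on purpose: the entries contain backslashes that a regex pattern would otherwise have to escape twice.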
5. References

http://security.freebsd.org/advisories/FreeBSD-SA-07:04.file.asc
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2799
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1536
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2026
http://mx.gw.com/pipermail/file/2007/000173.html
http://mx.gw.com/pipermail/file/2007/000172.html
http://www.ijs.si/software/amavisd/#sec
http://www.amavis.org/security/
http://www.amavis.org/security/asa-2007-1.txt
http://www.amavis.org/security/asa-2003-1.txt

6. Revision history

2007-06-05: initial release
2007-06-06: update on "additional information" section

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.9.14 (GNU/Linux)

iD8DBQFGZvYjmxoFTBO0QHkRAkqUAJ9v3pPJGKP6ST6qq/TBsx41janpKACgu4c0
jLCR6SXZc4euhqD1r5uM2eU=
=njT3
-----END PGP SIGNATURE-----