[v2.5] file: remote DoS (CVE-2014-3538)
file before 5.19 does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7345.
•MLIST:[file] 20140612 file-5.19 is now available
•URL: http://mx.gw.com/pipermail/file/2014/001553.html
•MLIST:[oss-security] 20140630 changing CVE ID for RH Bugzilla 1098222
(from CVE-2014-0235)
•URL: http://openwall.com/lists/oss-security/2014/06/30/7
•CONFIRM: https://bugzilla.redhat.com/show\_bug.cgi?id=1098222
•CONFIRM:
https://github.com/file/file/commit/4a284c89d6ef11aca34da65da7d673050a5ea320
•CONFIRM:
https://github.com/file/file/commit/69a5a43b3b71f53b0577f41264a073f495799610
•CONFIRM:
https://github.com/file/file/commit/71a8b6c0d758acb0f73e2e51421a711b5e9d6668
•CONFIRM:
https://github.com/file/file/commit/74cafd7de9ec99a14f4480927580e501c8f852c3
•CONFIRM:
https://github.com/file/file/commit/758e066df72fb1ac08d2eea91ddc3973d259e991
(from redmine: issue id 3224, created on 2014-07-21, closed on 2014-07-24)
- Relations:
- parent #3223 (closed)
- Changesets:
- Revision 1b61a767 by Natanael Copa on 2014-07-21T16:58:13Z:
main/file: security upgrade to 5.19 (CVE-2014-3538)
fixes #3224