[v2.7] file: multiple DoS issues (resource consumption) (CVE-2014-8116, CVE-2014-8117)
CVE-2014-8116:
The ELF parser (readelf.c) in file before 5.21 allows remote attackers
to cause a denial of service (CPU consumption or crash) via a large
number of (1) program or (2) section headers or (3) invalid
capabilities.
CVE-2014-8117:
softmagic.c in file before 5.21 does not properly limit recursion, which
allows remote attackers to cause a denial of service (CPU consumption or
crash) via unspecified vectors.
References:
•MLIST:[oss-security] 20141216 file(1): multiple denial of service
issues (resource consumption), CVE-2014-8116 and CVE-2014-8117
•URL: http://seclists.org/oss-sec/2014/q4/1056
•CONFIRM:
https://github.com/file/file/blob/00cef282a902a4a6709bbbbb933ee397768caa38/ChangeLog
•CONFIRM:
https://github.com/file/file/commit/b4c01141e5367f247b84dcaf6aefbb4e741842b8
•CONFIRM:
https://github.com/file/file/commit/d7cdad007c507e6c79f51f058dd77fab70ceb9f6
•CONFIRM:
https://github.com/file/file/commit/6f737ddfadb596d7d4a993f7ed2141ffd664a81c
•FREEBSD:FreeBSD-SA-14:28
•URL:
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:28.file.asc
•SECTRACK:1031344
•URL: http://www.securitytracker.com/id/1031344
(from redmine: issue id 3806, created on 2015-01-27, closed on 2015-02-04)
- Relations:
- parent #3804 (closed)
- Changesets:
- Revision b0bbf889 by Natanael Copa on 2015-02-02T11:34:49Z:
main/file: security upgrade to 5.22 (CVE-2014-8116,CVE-2014-8117,CVE-2014-9620,CVE-2014-9621)
fixes #3806
fixes #3861