Re: [SECURITY] [DLA 131-1] file security update
On 09/01/2015, Christoph Biedl <debian.axhn@manchmal.in-ulm.de> wrote:
> Package : file
> Version : 5.04-5+squeeze9
> CVE ID : CVE-2014-8116 CVE-2014-8117
> Debian Bug : 773148
>
> Multiple security issues have been found in file, a tool/library to
> determine a file type. Processing a malformed file could result in
> denial of service. Most of the changes are related to parsing ELF
> files.
>
> As part of the fixes, several limits on aspects of the detection were
> added or tightened, sometimes resulting in messages like "recursion
> limit exceeded" or "too many program header sections".
>
> To mitigate such shortcomings, these limits are controllable by a new
> "-R"/"--recursion" parameter in the file program. Note: A future
> upgrade for file in squeeze-lts might replace this with the "-P"
> parameter to keep usage consistent across all distributions.
>
>
> CVE-2014-8116
>
> The ELF parser (readelf.c) allows remote attackers to cause a
> denial of service (CPU consumption or crash).
>
> CVE-2014-8117
>
> softmagic.c does not properly limit recursion, which allows remote
> attackers to cause a denial of service (CPU consumption or crash).
>
> (no identifier has been assigned so far)
>
> out-of-bounds memory access
>
>
I get the following error message:
"
An error has occured and downloading has been aborted.
Error message:
Failed to fetch
http://http.debian.net/debian/pool/main/f/file/file_5.04-5+squeeze8_i386.deb
404 Not Found [IP: 46.4.205.44 80]
Failed to fetch
http://http.debian.net/debian/pool/main/f/file/libmagic1_5.04-5+squeeze8_i386.deb
404 Not Found [IP: 64.86.226.67 80]
"
--
Bret Busby
Armadale
West Australia
..............
"So once you do know what the question actually is,
you'll know what the answer means."
- Deep Thought,
Chapter 28 of Book 1 of
"The Hitchhiker's Guide to the Galaxy:
A Trilogy In Four Parts",
written by Douglas Adams,
published by Pan Books, 1992
....................................................