
Re: [SECURITY] [DLA 131-1] file security update

On 09/01/2015, Christoph Biedl <debian.axhn@manchmal.in-ulm.de> wrote:
> Package        : file
> Version        : 5.04-5+squeeze9
> CVE ID         : CVE-2014-8116 CVE-2014-8117
> Debian Bug     : 773148
> Multiple security issues have been found in file, a tool/library to
> determine a file type. Processing a malformed file could result in
> denial of service. Most of the changes are related to parsing ELF
> files.
> As part of the fixes, several limits on aspects of the detection were
> added or tightened, sometimes resulting in messages like "recursion
> limit exceeded" or "too many program header sections".
> To mitigate such shortcomings, these limits are controllable by a new
> "-R"/"--recursion" parameter in the file program. Note: A future
> upgrade for file in squeeze-lts might replace this with the "-P"
> parameter to keep usage consistent across all distributions.
> CVE-2014-8116
>     The ELF parser (readelf.c) allows remote attackers to cause a
>     denial of service (CPU consumption or crash).
> CVE-2014-8117
>     softmagic.c does not properly limit recursion, which allows remote
>     attackers to cause a denial of service (CPU consumption or crash).
> (no identifier has been assigned so far)
>     out-of-bounds memory access

I get the following error message:

An error has occured and downloading has been aborted.

Error message:
Failed to fetch
404  Not Found [IP: 80]
Failed to fetch
404  Not Found [IP: 80]


Bret Busby
West Australia

"So once you do know what the question actually is,
 you'll know what the answer means."
- Deep Thought,
 Chapter 28 of Book 1 of
 "The Hitchhiker's Guide to the Galaxy:
 A Trilogy In Four Parts",
 written by Douglas Adams,
 published by Pan Books, 1992
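The advisory quoted above describes two kinds of caps that the fixed file package enforces: a bound on how many ELF program headers it will walk ("too many program header sections") and a bound on how deep magic indirection may recurse ("recursion limit exceeded"). The following is an added illustration of both checks, written for this thread; it is not code from the file project, from Debian, or from anyone in the discussion. The limit values, the header-building helper and the sample byte strings are all constructed here for the example and do not claim to match file's real defaults.

```python
import struct

# Constructed caps for this example. They stand in for the kind of limits the
# advisory describes; they are not file's actual parameter values.
MAX_PHNUM = 128        # maximum program header entries we will accept
MAX_RECURSION = 15     # maximum depth of indirect-offset chasing

ELF_MAGIC = b"\x7fELF"


def make_elf_header(phnum):
    """Build a minimal 64-byte ELF64 little-endian header with the given
    e_phnum. Constructed sample data for this example only."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, LE, v1
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    rest = struct.pack("<HHIQQQIHHHHHH",
                       2, 0x3e, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return e_ident + rest


def elf_program_header_count(data, max_phnum=MAX_PHNUM):
    """Return e_phnum from an ELF64 little-endian header.

    Raises ValueError if the buffer is too short, is not ELF, or advertises
    more program headers than max_phnum. Refusing early is what keeps an
    attacker-chosen e_phnum from driving a long loop over header entries."""
    if len(data) < 64:
        raise ValueError("truncated ELF header")
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian is handled in this example")
    # e_phnum is the 16-bit field at offset 56 of the ELF64 header.
    (e_phnum,) = struct.unpack_from("<H", data, 56)
    if e_phnum > max_phnum:
        raise ValueError("too many program header sections: %d > %d"
                         % (e_phnum, max_phnum))
    return e_phnum


def follow_indirect(data, offset, depth=0, max_depth=MAX_RECURSION):
    """Follow a chain of 4-byte little-endian pointers starting at `offset`,
    in the spirit of a magic rule that re-dispatches at an offset read from
    the file itself. A zero pointer ends the chain.

    Returns (final_offset, depth). Raises RecursionError once the chain is
    deeper than max_depth, which is how a self-referential pointer is stopped
    instead of consuming CPU indefinitely, and ValueError when a pointer
    lands outside the buffer, so it is never read out of bounds."""
    if depth > max_depth:
        raise RecursionError("recursion limit exceeded")
    if offset + 4 > len(data):
        raise ValueError("indirect offset %d is outside the %d-byte buffer"
                         % (offset, len(data)))
    (next_off,) = struct.unpack_from("<I", data, offset)
    if next_off == 0:
        return offset, depth
    return follow_indirect(data, next_off, depth + 1, max_depth)


# Constructed sample inputs for this example.
SAMPLE_CHAIN = struct.pack("<IIII", 4, 8, 12, 0)   # 0 -> 4 -> 8 -> 12, ends
SAMPLE_LOOP = struct.pack("<II", 4, 4)             # offset 4 points at itself
SAMPLE_OOB = struct.pack("<I", 4096)               # points far past the end


if __name__ == "__main__":
    for label, hdr in (("small", make_elf_header(3)), ("huge", make_elf_header(5000))):
        try:
            print(label, "e_phnum =", elf_program_header_count(hdr))
        except ValueError as exc:
            print(label, "rejected:", exc)
    for label, buf in (("chain", SAMPLE_CHAIN), ("loop", SAMPLE_LOOP), ("oob", SAMPLE_OOB)):
        try:
            print(label, "->", follow_indirect(buf, 0))
        except (RecursionError, ValueError) as exc:
            print(label, "rejected:", exc)
```

The point of the two rejections is the same one the advisory makes: a parser fed attacker-controlled counts and offsets needs a hard ceiling it enforces before looping or recursing, and the cost of that ceiling is exactly the new error messages that a tunable parameter like the advisory's "-R"/"--recursion" (or "-P" in other distributions) exists to relax when a legitimate file trips it.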

