
Re: [SECURITY] [DLA 131-1] file security update



On 12/01/2015, Bret Busby <bret.busby@gmail.com> wrote:
> On 09/01/2015, Christoph Biedl <debian.axhn@manchmal.in-ulm.de> wrote:
>> Package        : file
>> Version        : 5.04-5+squeeze9
>> CVE ID         : CVE-2014-8116 CVE-2014-8117
>> Debian Bug     : 773148
>>
>> Multiple security issues have been found in file, a tool/library to
>> determine a file type. Processing a malformed file could result in
>> denial of service. Most of the changes are related to parsing ELF
>> files.
>>
>> As part of the fixes, several limits on aspects of the detection were
>> added or tightened, sometimes resulting in messages like "recursion
>> limit exceeded" or "too many program header sections".
>>
>> To mitigate such shortcomings, these limits are controllable by a new
>> "-R"/"--recursion" parameter in the file program. Note: A future
>> upgrade for file in squeeze-lts might replace this with the "-P"
>> parameter to keep usage consistent across all distributions.
>>
>>
>> CVE-2014-8116
>>
>>     The ELF parser (readelf.c) allows remote attackers to cause a
>>     denial of service (CPU consumption or crash).
>>
>> CVE-2014-8117
>>
>>     softmagic.c does not properly limit recursion, which allows remote
>>     attackers to cause a denial of service (CPU consumption or crash).
>>
>> (no identifier has been assigned so far)
>>
>>     out-of-bounds memory access
>>
>>
>
> I get the following error message;
>
> "
> An error has occured and downloading has been aborted.
>
> Error message:
> Failed to fetch
> http://http.debian.net/debian/pool/main/f/file/file_5.04-5+squeeze8_i386.deb
> 404  Not Found [IP: 46.4.205.44 80]
> Failed to fetch
> http://http.debian.net/debian/pool/main/f/file/libmagic1_5.04-5+squeeze8_i386.deb
> 404  Not Found [IP: 64.86.226.67 80]
>
> "
>
>

Tried again using apt-get update then upgrade, and it worked.

Synaptic is apparently broken, for updating packages.

-- 
Bret Busby
Armadale
West Australia
..............

"So once you do know what the question actually is,
 you'll know what the answer means."
- Deep Thought,
 Chapter 28 of Book 1 of
 "The Hitchhiker's Guide to the Galaxy:
 A Trilogy In Four Parts",
 written by Douglas Adams,
 published by Pan Books, 1992

....................................................

