Re: [SECURITY] [DSA 3196-1] file security update

To: debian-security@lists.debian.org, Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: [SECURITY] [DSA 3196-1] file security update
From: Alexander Cherepanov <ch3root@openwall.com>
Date: Thu, 19 Mar 2015 17:25:04 +0300
Message-id: <[🔎] 550ADC40.8090007@openwall.com>
In-reply-to: <20150318175815.GA9208@pisco.westfalen.local>
References: <20150318175815.GA9208@pisco.westfalen.local>

On 2015-03-18 20:58, Moritz Muehlenhoff wrote:
> Package        : file
> CVE ID         : CVE-2014-9653
>
> Hanno Boeck discovered that file's ELF parser

Actually, my patch for this issues was posted and accepted before Hannofiled his bug report. MITRE got it right in their CVE assignment:


http://www.openwall.com/lists/oss-security/2015/02/05/13

> is suspectible to denial of service.

Is it really a DoS? Use of uninitialised values could lead to aninfoleak which could be important for php. But I haven't verified whatit does in php or if it can be triggered there at all.


--
Alexander Cherepanov

Reply to:

Prev by Date: Re: apt-build - Authentication warning overridden. - security issue?
Next by Date: Re: apt-build - Authentication warning overridden. - security issue?
Previous by thread: Re: apt-build - Authentication warning overridden. - security issue?
Next by thread: ftp.hk.debian.org out of date
Index(es):
- Date
- Thread