Debian Long Term Support / LTS Security Information / 2014 / Security Information -- DLA-50-1 file

Debian Security Advisory

DLA-50-1 file -- LTS security update

Date Reported:

10 Sep 2014

Affected Packages:

file

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-3538, CVE-2014-3587.

More information:

• CVE-2014-3538

  file does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption).

• CVE-2014-3587

  Integer overflow in the cdf_read_property_info function in cdf.c allows remote attackers to cause a denial of service (application crash).

Note: The other seven issues for wheezy, fixed in 5.11-2+deb7u4 (DSA-3021-1), were already handled in 5.04-5+squeeze6 (DLA 27-1) in July 2014. Also, as an amendment, as a side effect of the changes done back then, the MIME type detection of some files had improved from "application/octet-stream" to something more specific like "application/x-dosexec" or "application/x-iso9660-image".

For Debian 6 Squeeze, these issues have been fixed in file version 5.04-5+squeeze7