Debian Security Advisory

DLA-50-1 file -- LTS security update

Date Reported: 10 Sep 2014
Affected Packages: file
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2014-3538, CVE-2014-3587.
More information:
  • CVE-2014-3538

    file does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption).

  • CVE-2014-3587

    Integer overflow in the cdf_read_property_info function in cdf.c allows remote attackers to cause a denial of service (application crash).

Note: The other seven issues for wheezy, fixed in 5.11-2+deb7u4 (DSA-3021-1), were already handled in 5.04-5+squeeze6 (DLA 27-1) in July 2014. Also, as an amendment: as a side effect of the changes made back then, the MIME type detection of some files improved from "application/octet-stream" to something more specific, such as "application/x-dosexec" or "application/x-iso9660-image".

For Debian 6 Squeeze, these issues have been fixed in file version 5.04-5+squeeze7.
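
To check a Squeeze host against this advisory, the installed file version has to be compared with 5.04-5+squeeze7 using Debian's version ordering, not plain string comparison. The following is an added example, not part of the advisory: a self-contained Python reimplementation of that ordering, in which all function names are hypothetical and any version string not quoted in the advisory is constructed.

```python
import re

FIXED = "5.04-5+squeeze7"  # fixed version for Debian 6 Squeeze, from the advisory

def _is_digit(ch):
    return "0" <= ch <= "9"  # False for the empty string

def _order(ch):
    """dpkg sort weight: '~' first, then end/digit, then letters, then the rest."""
    if ch == "~":
        return -1
    if ch == "" or _is_digit(ch):
        return 0
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    """Compare two upstream or two revision strings using dpkg's ordering."""
    while a or b:
        # Non-digit prefixes: character by character with dpkg weights.
        while (a and not _is_digit(a[0])) or (b and not _is_digit(b[0])):
            wa, wb = _order(a[:1]), _order(b[:1])
            if wa != wb:
                return -1 if wa < wb else 1
            a, b = a[1:], b[1:]
        # Digit prefixes: compared as integers, an empty run counts as 0.
        da, db = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        na, nb = int(da or 0), int(db or 0)
        if na != nb:
            return -1 if na < nb else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def _split(version):
    """Split [epoch:]upstream[-revision]; the revision follows the last hyphen."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare(v1, v2):
    """Return -1, 0 or 1 as v1 sorts before, equal to, or after v2."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def is_fixed(installed, fixed=FIXED):
    return compare(installed, fixed) >= 0  # at or past the squeeze fix
```

On a Debian host, `dpkg --compare-versions "$installed" ge 5.04-5+squeeze7` performs the same comparison natively. The threshold applies to Squeeze only; the wheezy version 5.11-2+deb7u4 sorts higher because of its upstream number.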