Debian Security Advisory
DLA-50-1 file -- LTS security update
- Date Reported:
- 10 Sep 2014
- Affected Packages:
- file
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2014-3538, CVE-2014-3587.
- More information:
-
- CVE-2014-3538
file does not properly restrict the amount of data read during a regex search, which allows remote attackers to cause a denial of service (CPU consumption).
- CVE-2014-3587
Integer overflow in the cdf_read_property_info function in cdf.c allows remote attackers to cause a denial of service (application crash).
Note: The other seven issues for wheezy, fixed in 5.11-2+deb7u4 (DSA-3021-1), were already handled in 5.04-5+squeeze6 (DLA 27-1) in July 2014. Also, as an amendment, as a side effect of the changes done back then, the MIME type detection of some files had improved from "application/octet-stream" to something more specific like "application/x-dosexec" or "application/x-iso9660-image".
For Debian 6
Squeeze
, these issues have been fixed in file version 5.04-5+squeeze7 - CVE-2014-3538