From ${URL} :

A flaw was reported in the rules file used to detect AWK scripts. A malicious input file could cause the file utility to use 100% CPU.

Upstream bug: http://bugs.gw.com/view.php?id=164
Upstream fix: https://github.com/file/file/commit/ef2329cf71acb59204dd981e2c6cce6c81fe467c

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The patch from [0] is applied in the CSV repository as "limit to 100 repetitions to avoid excessive backtracking Carsten Wolff" on Mon Mar 25 14:06:55 2013 +0000, released as part of 5.15.

5.17 is already stable in the portage tree. And older versions are already cleaned.

@security: Please vote on GLSA.

[0] http://bugs.gw.com/view.php?id=164
New GLSA Request Filed.
CVE-2013-7345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-7345): The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.
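The following is an added example, not part of the original thread and not code from the file project: a small audit that flags regex-type magic entries whose quantifiers have no upper bound, the property the CVE text blames for the backtracking. The sample rules are constructed from the CVE description (a BEGIN pattern with unbounded wildcards next to a variant capped at 100 repetitions), and the helper names are hypothetical.

```python
import re

# Constructed sample in the style of a magic(5) rules file. These entries are
# modelled on the CVE description, not copied from magic/Magdir/commands.
SAMPLE_RULES = r"""
# constructed examples
0	regex	=^\s*BEGIN\s*[{]	awk script text
0	regex	=^\s{0,100}BEGIN\s{0,100}[{]	awk script text
0	string	#!/bin/sh	shell script text
0	regex/c	\^[a-z]+[*]{2,}x	constructed entry
"""

def unbounded_quantifiers(pattern):
    """Return (index, token) for every quantifier without an upper bound."""
    hits, i, in_class = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":                      # escaped character: skip the pair
            i += 2
            continue
        if in_class:
            in_class = c != "]"            # quantifier chars are literal in [...]
        elif c == "[":
            in_class = True
            if pattern[i + 1:i + 2] == "^":  # negation marker
                i += 1
            if pattern[i + 1:i + 2] == "]":  # leading ']' is a literal member
                i += 1
        elif c in "*+":
            hits.append((i, c))
        elif c == "{":
            m = re.match(r"\{(\d+),(\d*)\}", pattern[i:])
            if m:
                if m.group(2) == "":       # {n,} has no upper bound
                    hits.append((i, m.group(0)))
                i += len(m.group(0))
                continue
        i += 1
    return hits

def audit_magic(text):
    """Return (line number, quantifier) for each unbounded regex quantifier."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # Simplification: assumes the test field contains no escaped spaces.
        fields = line.split(None, 3)
        if len(fields) >= 3 and fields[1].split("/")[0] == "regex":
            findings += [(lineno, tok) for _, tok in unbounded_quantifiers(fields[2])]
    return findings

if __name__ == "__main__":
    for lineno, tok in audit_magic(SAMPLE_RULES):
        print(f"line {lineno}: unbounded quantifier {tok!r}")
```

A flagged quantifier is a candidate for review rather than proof of a problem; the risk grows when several unbounded repetitions can match the same run of input characters.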
Created attachment 381672: file-5.11-CVE-2013-7345.patch
This issue was resolved and addressed in GLSA 201408-08 at http://security.gentoo.org/glsa/glsa-201408-08.xml by GLSA coordinator Kristian Fiskerstrand (K_F).