Summary: | <sys-apps/file-5.20-r1: out-of-bounds read in elf note headers (CVE-2014-3710) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | base-system |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/file/file/commit/39c7ac1106be844a5296d3eb5971946cc09ffda0 | ||
See Also: | https://bugzilla.redhat.com/show_bug.cgi?id=1155071 | ||
Whiteboard: | A2 [glsa cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 530820 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2014-10-23 07:29:27 UTC
Commit message: Add fix from upstream for ELF note parsing http://sources.gentoo.org/sys-apps/file/files/file-5.20-elf-note.patch?rev=1.1 http://sources.gentoo.org/sys-apps/file/file-5.20-r1.ebuild?rev=1.1 CVE-2014-3710 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3710): The donote function in readelf.c in file through 5.20, as used in the Fileinfo component in PHP 5.4.34, does not ensure that sufficient note headers are present, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted ELF file. This issue was resolved and addressed in GLSA 201701-42 at https://security.gentoo.org/glsa/201701-42 by GLSA coordinator Aaron Bauman (b-man). |