| Summary: | <sys-apps/file-5.22: two denial of service issues (CVE-2014-{9620,9621}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | base-system |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | A3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-12-17 08:45:52 UTC
The fixed version is 5.22: http://mx.gw.com/pipermail/file/2015/001660.html

(In reply to Agostino Sarubbo from comment #1)
> The fixed version is 5.22: http://mx.gw.com/pipermail/file/2015/001660.html

Which is already in the tree. Feel free to start the stabilization process.

Arches, please test and mark stable: =sys-apps/file-5.22
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

amd64 stable

Stable for HPPA.

x86 done.

arm stable

sparc stable

ppc64 stable

ppc stable

ia64 stable

With only one arch left, filing a new GLSA for writing up. Will wait on full stabilization before release.

alpha stable.

Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.

+ 27 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> -file-5.17.ebuild,
+ -file-5.19.ebuild, -file-5.20-r1.ebuild, -file-5.21.ebuild,
+ -files/file-5.20-elf-note.patch:
+ Removed vulnerable versions.

CVE-2014-9621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9621): The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string.

CVE-2014-9620 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9620): The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.

This issue was resolved and addressed in GLSA 201503-08 at https://security.gentoo.org/glsa/201503-08 by GLSA coordinator Mikle Kolyada (Zlogene).
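Review bot: the ChangeLog entry quoted above ("Removed vulnerable versions.") drops file-5.17, 5.19, 5.20-r1 and 5.21 plus files/file-5.20-elf-note.patch without citing the advisories that motivate the removal; since the cleanup closes CVE-2014-9620 and CVE-2014-9621, name both identifiers (and the security bug) in the entry so the tree history is traceable, e.g. `+ Removed vulnerable versions (CVE-2014-9620, CVE-2014-9621).`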