From ${URL} :

A flaw was found in the way the file utility determined the type of a file. A malicious input file could cause the file utility to use 100% CPU, or trigger infinite recursion, causing the file utility to crash or, potentially, execute arbitrary code.

Upstream fixes:
https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f
https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70

Original report: http://mx.gw.com/pipermail/file/2014/001327.html

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Arches please test and mark stable =sys-apps/file-5.17 with target KEYWORDS: alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Stable for HPPA.
amd64 stable
arm stable
alpha stable
x86 stable
ppc64 stable
ppc stable
ia64 stable
CVE-2014-1943 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1943): Fine Free file before 5.17 allows context-dependent attackers to cause a denial of service (infinite recursion, CPU consumption, and crash) via a crafted indirect offset value in the magic of a file.
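The recursion the CVE describes comes from magic indirect offsets: an entry says "read the real offset from the file at position X", and the word read there can itself be another indirect reference, so a crafted file can make the chain point back at itself. The example below is added here to illustrate the mitigation pattern; it is not file's own code and not the upstream fix. It uses a constructed toy encoding (top bit of a 32-bit word marks "indirect, low 31 bits are the next offset"), a hypothetical depth bound MAX_INDIRECT_DEPTH, and constructed sample buffers; the function names are assumptions for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical bound on how many indirect hops we will follow; the real
 * file(1) limit is a separate matter and not taken from the page. */
#define MAX_INDIRECT_DEPTH 20

/* Result codes for the resolver. */
#define RESOLVE_OK          0
#define RESOLVE_OUT_OF_BOUNDS (-1)
#define RESOLVE_TOO_DEEP    (-2)

/* Bounds-checked little-endian 32-bit read. Returns 0 on success. */
static int read_u32(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < 4)
        return RESOLVE_OUT_OF_BOUNDS;
    *out = (uint32_t)buf[off]
         | (uint32_t)buf[off + 1] << 8
         | (uint32_t)buf[off + 2] << 16
         | (uint32_t)buf[off + 3] << 24;
    return RESOLVE_OK;
}

/* Follow an indirect-offset chain starting at `off`.
 * Toy encoding (constructed for this example): if the top bit of the word
 * is set, the low 31 bits are the offset of the next word to read;
 * otherwise the word is the final value.
 * Without the `depth` guard a self-referencing word recurses forever, which
 * is the CPU-consumption / stack-exhaustion failure mode in the advisory. */
int resolve_indirect(const uint8_t *buf, size_t len, size_t off,
                     int depth, uint32_t *final)
{
    uint32_t v;
    int rc;

    if (depth > MAX_INDIRECT_DEPTH)          /* loop or absurdly long chain */
        return RESOLVE_TOO_DEEP;
    rc = read_u32(buf, len, off, &v);
    if (rc != RESOLVE_OK)                    /* offset past end of input */
        return rc;
    if (v & 0x80000000u)
        return resolve_indirect(buf, len, v & 0x7fffffffu, depth + 1, final);
    *final = v;
    return RESOLVE_OK;
}

/* Constructed sample inputs. */
static const uint8_t self_loop[] = { 0x00, 0x00, 0x00, 0x80 };   /* word 0 -> offset 0 */
static const uint8_t benign_chain[] = {
    0x04, 0x00, 0x00, 0x80,   /* offset 0: indirect -> 4 */
    0x08, 0x00, 0x00, 0x80,   /* offset 4: indirect -> 8 */
    0x2a, 0x00, 0x00, 0x00    /* offset 8: final value 42 */
};
static const uint8_t past_end[] = { 0x00, 0x01, 0x00, 0x80 };    /* word 0 -> offset 256 */

/* Helpers returning the resolver's verdict for each sample. */
int example_self_loop(void)
{
    uint32_t out = 0;
    return resolve_indirect(self_loop, sizeof self_loop, 0, 0, &out);
}

uint32_t example_benign_chain(void)
{
    uint32_t out = 0;
    if (resolve_indirect(benign_chain, sizeof benign_chain, 0, 0, &out) != RESOLVE_OK)
        return 0;
    return out;
}

int example_past_end(void)
{
    uint32_t out = 0;
    return resolve_indirect(past_end, sizeof past_end, 0, 0, &out);
}

int main(void)
{
    printf("self-referencing chain: rc=%d (expect %d)\n", example_self_loop(), RESOLVE_TOO_DEEP);
    printf("benign chain resolves to: %u (expect 42)\n", example_benign_chain());
    printf("offset past end: rc=%d (expect %d)\n", example_past_end(), RESOLVE_OUT_OF_BOUNDS);
    return 0;
}
```

The two checks together cover both halves of the advisory: the bounds check stops the crash from an out-of-range offset, and the depth guard turns the infinite-recursion case into an ordinary error that the caller can report as "unknown type".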
sparc stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
glsa request filed.
+ 22 Feb 2014; Lars Wendler <polynomial-c@gentoo.org> -file-5.15.ebuild, + -file-5.16.ebuild: + Removed vulnerable versions. +
This issue was resolved and addressed in GLSA 201403-03 at http://security.gentoo.org/glsa/glsa-201403-03.xml by GLSA coordinator Mikle Kolyada (Zlogene).