From ${URL} : A flaw was found in the way the file utility determined the type of Portable Executable (PE) format files, the executable format used on Windows. A malicious PE file could cause the file utility to crash or, potentially, execute arbitrary code. Upstream report: http://bugs.gw.com/view.php?id=313 Upstream fix: https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801 Additional File upstream commit: https://github.com/glensc/file/commit/70c65d2e1841491f59168db1f905e8b14083fb1c @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
This is fixed in version 5.18 as per their release information Released 2014-03-26 http://bugs.gw.com/changelog_page.php
5.18-r1 and 5.19 both exists in tree. @maintainers: is =sys-apps/file-5.19 ready for stabilization?
CVE-2014-2270 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2270): softmagic.c in file before 5.17 and libmagic allows context-dependent attackers to cause a denial of service (out-of-bounds memory access and crash) via crafted offsets in the softmagic of a PE executable.
Created attachment 381674 [details, diff] file-5.11-CVE-2014-2270.patch
@base-system, ping. Is it ready to go stable?
sys-apps/file-5.22 already stable in tree, adding to existing GLSA draft along with bug 532768
This issue was resolved and addressed in GLSA 201503-08 at https://security.gentoo.org/glsa/201503-08 by GLSA coordinator Mikle Kolyada (Zlogene).
