Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 532686 (CVE-2014-8117) - <sys-apps/file-5.21: denial of service issue (resource consumption) (CVE-2014-{8116,8117})
Summary: <sys-apps/file-5.21: denial of service issue (resource consumption) (CVE-2014...
Status: RESOLVED FIXED
Alias: CVE-2014-8117
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: A3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-16 08:59 UTC by Agostino Sarubbo
Modified: 2015-03-14 13:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-12-16 08:59:56 UTC
From ${URL} :

Thomas Jarosch of Intra2net AG reported a denial of service issue (resource consumption) in the ELF parser used by file(1). Using file(1) on a specially-crafted ELF binary could lead to a denial of service (resource consumption).

Upstream fix:

https://github.com/file/file/commit/6f737ddfadb596d7d4a993f7ed2141ffd664a81c

Due to some regressions found when testing, the following commits are also required:

https://github.com/file/file/commit/8a905717660395b38ec4966493f6f1cf2f33946c
https://github.com/file/file/commit/90018fe22ff8b74a22fcd142225b0a00f3f12677
https://github.com/file/file/commit/6bf45271eb8e0e6577b92042ce2003ba998d1686


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2014-12-16 10:16:09 UTC
Arches please test and mark stable =sys-apps/file-5.21 with target KEYWORDS:

alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-12-17 06:17:37 UTC
Stable for HPPA.
Comment 3 Agostino Sarubbo gentoo-dev 2014-12-21 11:37:30 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-12-21 11:42:16 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2014-12-23 09:32:08 UTC
alpha stable
Comment 6 Markus Meier gentoo-dev 2014-12-23 12:39:34 UTC
arm stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-12-24 14:38:37 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-12-24 14:48:42 UTC
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-12-25 11:21:32 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-12-26 09:20:36 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-12-26 19:40:21 UTC
glsa drafted.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2014-12-26 20:08:11 UTC
CVE-2014-8117 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8117):
  softmagic.c in file before 5.21 does not properly limit recursion, which
  allows remote attackers to cause a denial of service (CPU consumption or
  crash) via unspecified vectors.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2015-01-10 16:41:13 UTC
CVE-2014-8116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8116):
  The ELF parser (readelf.c) in file before 5.21 allows remote attackers to
  cause a denial of service (CPU consumption or crash) via a large number of
  (1) program or (2) section headers or (3) invalid capabilities.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2015-03-14 13:59:13 UTC
This issue was resolved and addressed in
 GLSA 201412-48 at http://security.gentoo.org/glsa/glsa-201412-48.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).