From https://bugzilla.redhat.com/show_bug.cgi?id=1175083:

A denial of service issue (resource consumption) was reported in the way file(1) handled strings in ELF binaries. Using file(1) on a specially-crafted ELF binary could lead to a denial of service.

Upstream report: http://mx.gw.com/pipermail/file/2014/001654.html
Upstream fix: https://github.com/file/file/commit/65437cee25199dbd385fb35901bc0011e164276c
Reference: http://seclists.org/oss-sec/2014/q4/1067

From https://bugzilla.redhat.com/show_bug.cgi?id=1175082:

A denial of service issue (resource consumption) was reported in the way file(1) processed ELF notes. Using file(1) on a specially-crafted ELF binary could lead to a denial of service.

Upstream report: http://mx.gw.com/pipermail/file/2014/001653.html
Upstream fix: https://github.com/file/file/commit/ce90e05774dd77d86cfc8dfa6da57b32816841c4
Reference: http://seclists.org/oss-sec/2014/q4/1067

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The fixed version is 5.22: http://mx.gw.com/pipermail/file/2015/001660.html
(In reply to Agostino Sarubbo from comment #1)
> The fixed version is 5.22: http://mx.gw.com/pipermail/file/2015/001660.html

Which is already in the tree. Feel free to start stabilization process.
Arches, please test and mark stable: =sys-apps/file-5.22 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
Stable for HPPA.
x86 done.
arm stable
sparc stable
ppc64 stable
ppc stable
ia64 stable
With only one arch left, filing a new GLSA for writing up. Will wait on full stabilization before release.
alpha stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
+ 27 Jan 2015; Lars Wendler <polynomial-c@gentoo.org> -file-5.17.ebuild, + -file-5.19.ebuild, -file-5.20-r1.ebuild, -file-5.21.ebuild, + -files/file-5.20-elf-note.patch: + Removed vulnerable versions. +
CVE-2014-9621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9621):
The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string.

CVE-2014-9620 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9620):
The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.
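Added example, not part of this thread and not the upstream fix: a note walker for the bytes of one PT_NOTE segment that bounds its own work, which is the general defence against the "large number of notes" resource-consumption case in CVE-2014-9620. The cap `MAX_NOTES`, the 4-byte note alignment, the function names and the sample buffer are assumptions made for this illustration.

```python
import struct

MAX_NOTES = 256  # assumed cap for this example, not a value from the thread


def _align4(n):
    return (n + 3) & ~3


def walk_notes(segment, max_notes=MAX_NOTES, little_endian=True):
    """Walk the bytes of one PT_NOTE segment and return (notes, status).

    status: "ok", "truncated" (a note runs past the buffer) or
    "limit" (max_notes parsed and data still remains).
    """
    fmt = "<III" if little_endian else ">III"
    notes, off = [], 0
    while off < len(segment):
        if len(notes) >= max_notes:
            return notes, "limit"       # stop instead of doing unbounded work
        if off + 12 > len(segment):
            return notes, "truncated"   # no room for a note header
        namesz, descsz, ntype = struct.unpack_from(fmt, segment, off)
        name_off = off + 12
        desc_off = name_off + _align4(namesz)
        end = desc_off + _align4(descsz)
        if end > len(segment):
            return notes, "truncated"   # sizes claim more than is present
        name = segment[name_off:name_off + namesz].rstrip(b"\0")
        notes.append((name, ntype, segment[desc_off:desc_off + descsz]))
        off = end                       # always advances by at least 12 bytes
    return notes, "ok"


def make_note(name, ntype, desc):
    """Build one note record (constructed sample data for this example)."""
    n = name + b"\0"
    return (struct.pack("<III", len(n), len(desc), ntype)
            + n.ljust(_align4(len(n)), b"\0")
            + desc.ljust(_align4(len(desc)), b"\0"))


# Constructed sample: two GNU-style notes (types 1 and 3, zeroed descriptors).
SAMPLE = make_note(b"GNU", 1, bytes(16)) + make_note(b"GNU", 3, bytes(20))

if __name__ == "__main__":
    for label, buf, cap in (("sample", SAMPLE, MAX_NOTES),
                            ("repeated", SAMPLE * 5, 4),
                            ("cut short", SAMPLE[:-4], MAX_NOTES)):
        notes, status = walk_notes(buf, cap)
        print(f"{label}: {len(notes)} notes, status={status}")
```

A "limit" or "truncated" status is the signal to stop parsing and report the file as suspicious rather than continue.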
This issue was resolved and addressed in GLSA 201503-08 at https://security.gentoo.org/glsa/201503-08 by GLSA coordinator Mikle Kolyada (Zlogene).