A denial of service issue (resource consumption) was reported in the way file(1) handled strings in
ELF binaries. Using file(1) on a specially-crafted ELF binary could lead to a denial of service.
A denial of service issue (resource consumption) was reported in the way file(1) processed ELF notes. Using file(1) on a specially-crafted ELF binary could lead to a denial of service.
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
The fixed version is 5.22: http://mx.gw.com/pipermail/file/2015/001660.html
(In reply to Agostino Sarubbo from comment #1)
> The fixed version is 5.22: http://mx.gw.com/pipermail/file/2015/001660.html
Which is already in the tree. Feel free to start stabilization process.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Stable for HPPA.
With only one arch left, filing a new GLSA for writing up.
Will wait on full stabilization before release.
Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
+ 27 Jan 2015; Lars Wendler <firstname.lastname@example.org> -file-5.17.ebuild,
+ -file-5.19.ebuild, -file-5.20-r1.ebuild, -file-5.21.ebuild,
+ Removed vulnerable versions.
The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a
denial of service via a long string.
The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a
denial of service via a large number of notes.
This issue was resolved and addressed in
GLSA 201503-08 at https://security.gentoo.org/glsa/201503-08
by GLSA coordinator Mikle Kolyada (Zlogene).