Bug 501574 (CVE-2014-1943) - <sys-apps/file-5.17: infinite recursion (CVE-2014-1943)
Summary: <sys-apps/file-5.17: infinite recursion (CVE-2014-1943)
Alias: CVE-2014-1943
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Reported: 2014-02-17 11:51 UTC by Agostino Sarubbo
Modified: 2014-03-13 16:53 UTC

Description Agostino Sarubbo gentoo-dev 2014-02-17 11:51:36 UTC
From ${URL} :

A flaw was found in the way the file utility determined the type of a file. A malicious input file could 
cause the file utility to use 100% CPU, or trigger infinite recursion, causing the file utility to crash 
or, potentially, execute arbitrary code.

Upstream fixes:

Original report:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-02-17 12:27:06 UTC
Arches please test and mark stable =sys-apps/file-5.17 with target KEYWORDS:

alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-17 20:22:53 UTC
Stable for HPPA.
Comment 3 Richard Freeman gentoo-dev 2014-02-18 12:59:22 UTC
amd64 stable
Comment 4 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-18 20:08:00 UTC
arm stable
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-18 20:30:32 UTC
alpha stable
Comment 6 Sergey Popov gentoo-dev 2014-02-19 11:20:57 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-02-20 14:04:23 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-02-20 14:05:25 UTC
ppc stable
Comment 9 Akinori Hattori gentoo-dev 2014-02-20 15:23:26 UTC
ia64 stable
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-02-20 17:07:48 UTC
CVE-2014-1943 (
  Fine Free file before 5.17 allows context-dependent attackers to cause a
  denial of service (infinite recursion, CPU consumption, and crash) via a
  crafted indirect offset value in the magic of a file.
Comment 11 Agostino Sarubbo gentoo-dev 2014-02-22 07:41:08 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-02-22 08:48:25 UTC
glsa request filed.
Comment 13 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-02-22 08:51:50 UTC
+  22 Feb 2014; Lars Wendler <> -file-5.15.ebuild,
+  -file-5.16.ebuild:
+  Removed vulnerable versions.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-03-13 16:53:18 UTC
This issue was resolved and addressed in
 GLSA 201403-03 at
by GLSA coordinator Mikle Kolyada (Zlogene).