Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 501574 (CVE-2014-1943) - <sys-apps/file-5.17: infinite recursion (CVE-2014-1943)
Summary: <sys-apps/file-5.17: infinite recursion (CVE-2014-1943)
Status: RESOLVED FIXED
Alias: CVE-2014-1943
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-02-17 11:51 UTC by Agostino Sarubbo
Modified: 2014-03-13 16:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-02-17 11:51:36 UTC
From ${URL} :

A flaw was found in the way the file utility determined the type of a file. A malicious input file could 
cause the file utility to use 100% CPU, or trigger infinite recursion, causing the file utility to crash 
or, potentially, execute arbitrary code.

Upstream fixes:
https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f
https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70

Original report:
http://mx.gw.com/pipermail/file/2014/001327.html


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-02-17 12:27:06 UTC
Arches please test and mark stable =sys-apps/file-5.17 with target KEYWORDS:

alpha amd64 arm arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2014-02-17 20:22:53 UTC
Stable for HPPA.
Comment 3 Richard Freeman gentoo-dev 2014-02-18 12:59:22 UTC
amd64 stable
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-02-18 20:08:00 UTC
arm stable
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-02-18 20:30:32 UTC
alpha stable
Comment 6 Sergey Popov gentoo-dev 2014-02-19 11:20:57 UTC
x86 stable
Comment 7 Agostino Sarubbo gentoo-dev 2014-02-20 14:04:23 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2014-02-20 14:05:25 UTC
ppc stable
Comment 9 Akinori Hattori gentoo-dev 2014-02-20 15:23:26 UTC
ia64 stable
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-02-20 17:07:48 UTC
CVE-2014-1943 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1943):
  Fine Free file before 5.17 allows context-dependent attackers to cause a
  denial of service (infinite recursion, CPU consumption, and crash) via a
  crafted indirect offset value in the magic of a file.
Comment 11 Agostino Sarubbo gentoo-dev 2014-02-22 07:41:08 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-02-22 08:48:25 UTC
glsa request filed.
Comment 13 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-02-22 08:51:50 UTC
+  22 Feb 2014; Lars Wendler <polynomial-c@gentoo.org> -file-5.15.ebuild,
+  -file-5.16.ebuild:
+  Removed vulnerable versions.
+
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2014-03-13 16:53:18 UTC
This issue was resolved and addressed in
 GLSA 201403-03 at http://security.gentoo.org/glsa/glsa-201403-03.xml
by GLSA coordinator Mikle Kolyada (Zlogene).