From ${URL} : Thomas Jarosch of Intra2net AG reported a denial of service issue (resource consumption) in the ELF parser used by file(1). Using file(1) on a specially-crafted ELF binary could lead to a denial of service (resource consumption). Upstream fix: https://github.com/file/file/commit/6f737ddfadb596d7d4a993f7ed2141ffd664a81c Due to some regressions found when testing, the following commits are also required: https://github.com/file/file/commit/8a905717660395b38ec4966493f6f1cf2f33946c https://github.com/file/file/commit/90018fe22ff8b74a22fcd142225b0a00f3f12677 https://github.com/file/file/commit/6bf45271eb8e0e6577b92042ce2003ba998d1686 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Arches please test and mark stable =sys-apps/file-5.21 with target KEYWORDS: alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd
Stable for HPPA.
amd64 stable
x86 stable
alpha stable
arm stable
ppc stable
ppc64 stable
ia64 stable
sparc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
glsa drafted.
CVE-2014-8117 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8117): softmagic.c in file before 5.21 does not properly limit recursion, which allows remote attackers to cause a denial of service (CPU consumption or crash) via unspecified vectors.
CVE-2014-8116 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8116): The ELF parser (readelf.c) in file before 5.21 allows remote attackers to cause a denial of service (CPU consumption or crash) via a large number of (1) program or (2) section headers or (3) invalid capabilities.
This issue was resolved and addressed in GLSA 201412-48 at http://security.gentoo.org/glsa/glsa-201412-48.xml by GLSA coordinator Kristian Fiskerstrand (K_F).
