Updated file packages fix security vulnerabilities
Publication date: 04 Jul 2014Modification date: 04 Jul 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-3478 , CVE-2014-3479 , CVE-2014-3480 , CVE-2014-3487
Description
A flaw was found in the way file parsed property information from Composite
Document Files (CDF) files, where the mconvert() function did not correctly
compute the truncated pascal string size (CVE-2014-3478).
Multiple flaws were found in the way file parsed property information from
Composite Document Files (CDF) files, due to insufficient boundary checks
on buffers (CVE-2014-3479, CVE-2014-3480, CVE-2014-3487).
Note: these issues were announced as part of the upstream PHP 5.4.30
release, as PHP bundles file's libmagic library. Their announcement also
references an issue in CDF file parsing, CVE-2014-0207, which was
previously fixed in the file package in MGASA-2014-0252, but was not
announced at that time.
References
- https://bugs.mageia.org/show_bug.cgi?id=13603
- http://www.php.net/ChangeLog-5.php#5.4.30
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3478
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3479
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3480
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3487
SRPMS
4/core
- file-5.16-1.4.mga4
3/core
- file-5.12-8.5.mga3