Advisories » MGASA-2014-0307

Updated file packages fix security vulnerability

Publication date: 05 Aug 2014
Modification date: 05 Aug 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-3538

Description

file before 5.19 does not properly restrict the amount of data read during
a regex search, which allows remote attackers to cause a denial of service
(CPU consumption) via a crafted file that triggers backtracking during
processing of an awk rule, due to an incomplete fix for CVE-2013-7345
(CVE-2014-3538).

The Mageia 3 update also fixes a possible crash in softmagic.c due to an
improperly rediffed patch for a memory leak in a previous update (mga#13701).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=13667
• https://bugs.mageia.org/show_bug.cgi?id=13701
• http://www.ubuntu.com/usn/usn-2278-1/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3538

SRPMS

3/core

• file-5.12-8.6.mga3

4/core

• file-5.16-1.5.mga4