The BEGIN regular expression in the awk script detector in
magic/Magdir/commands in file before 5.15 uses multiple wildcards with
unlimited repetitions, which allows context-dependent attackers to cause a
denial of service (CPU consumption) via a crafted ASCII file that triggers
a large amount of backtracking, as demonstrated via a file with many
jdstrand> see regression fix in DSA-2873-2
mdeslaur> introduced in 5.05, but included in Debian specific patch
mdeslaur> in older releases.
mdeslaur> The fix for this issue was not complete, resulting in
mdeslaur> CVE-2014-3538. The proper fix in CVE-2014-3538 is intrusive.
Updated: 2016-01-26 17:43:51 UTC (commit 10507)