CVE-2014-3538

Priority
Low
Description
file before 5.19 does not properly restrict the amount of data read during
a regex search, which allows remote attackers to cause a denial of service
(CPU consumption) via a crafted file that triggers backtracking during
processing of an awk rule. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2013-7345.
References
Notes
mdeslaur> This fix introduces new functionality and is too intrusive
mdeslaur> to backport to lucid.
Assigned-to
mdeslaur
Package
Source: file (LP Ubuntu Debian)
Upstream: released (1:5.19-1)
Ubuntu 10.04 LTS (Lucid Lynx): ignored
Ubuntu 12.04 LTS (Precise Pangolin): released (5.09-2ubuntu0.4)
Ubuntu 13.10 (Saucy Salamander): released (5.11-2ubuntu4.3)
Ubuntu 14.04 LTS (Trusty Tahr): released (1:5.14-2ubuntu3.1)
Ubuntu 14.10 (Utopic Unicorn): released (1:5.19-1ubuntu1)
Patches:
Upstream: https://github.com/file/file/commit/758e066df72fb1ac08d2eea91ddc3973d259e991
Upstream: https://github.com/file/file/commit/74cafd7de9ec99a14f4480927580e501c8f852c3
Upstream: https://github.com/file/file/commit/71a8b6c0d758acb0f73e2e51421a711b5e9d6668
Upstream: https://github.com/file/file/commit/69a5a43b3b71f53b0577f41264a073f495799610
Upstream: https://github.com/file/file/commit/4a284c89d6ef11aca34da65da7d673050a5ea320

Updated: 2014-07-15 19:14:21 UTC (commit 8235)